Giving Away Your Passwords

You might have seen the headlines from the past couple of weeks detailing how some employers were demanding employees hand over their Facebook passwords or else. Privacy violation?  Just a...
Rob Sobers
1 min read
Last updated October 21, 2021

You might have seen the headlines from the past couple of weeks detailing how some employers were demanding employees hand over their Facebook passwords or else. Privacy violation?  Just a little.

Unfortunately, the House voted down an amendment that would prevent employers from making this ludicrous request.  After reading the rebuttal, I’m hopeful that this legislation will make its way through in some form or another.

Thankfully, humans asking for your social media passwords during job interviews is a rare practice.

On the other hand, websites asking for your account passwords isn’t.  We call this the Password Anti-Pattern.   When a third-party website asks you to input your username and password to another service, like Facebook or Twitter, run for the hills!

Password Anti-Pattern

Notice how the site above is asking you directly for your Twitter password.  Bad!  What they should be doing is redirecting you to Twitter to authenticate in person, so to speak.  Like this:

OAuth (The Right Way)

Usually the intent of the website employing the Password Anti-Pattern is good – they’re not trying to be snoops (unless the site is actually an evil phishing site).   Rather, it’s likely they want to help you find your friends, import your photos, or in some way improve the experience of their application by connecting to others.

But despite the good intent, disastrous problems can arise.  Say you want to let App XYZ import your Gmail contacts.  The app asks you for your Gmail password and you happily hand it over.  Now you’re entrusting them to store that password securely, and the sad truth is, they’re probably not.

Now imagine you let 15 other apps do the same thing.  One of them is breached.  If you don’t change your Gmail password soon enough, they can lock you out.  What’s worse, most applications you use let you reset your password via email.  Thus we typically consider our email passwords keys to our castles.

Even if you do manage to change your Gmail password in time, now you have 14 apps that you have to update to reflect this change.  It’s a nightmare!

The good news is there’s a better way to grant one website safe, limited, and controlled access to another.  It’s called OAuth.  Think of it as a valet key.

Stay tuned.  Next week we’ll talk more about OAuth – what it is, how it works, the pluses and the minuses.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

are-these-10-cybersecurity-myths-putting-your-business-at-risk?
Are These 10 Cybersecurity Myths Putting Your Business at Risk?
From the myth of strong passwords to misconceptions surrounding which businesses hackers target and why, there are a number of cybersecurity misunderstandings that could be putting your business at risk of attack. Are you or your employees falling for them?
covid-19-threat-update-#6
COVID-19 Threat Update #6
Hoarding isn’t just happening with toilet paper: we’re seeing cases where remote employees have downloaded department-level folders. Chances are, these files will contain sensitive data like PII, PCI, HIPAA and...
covid-19-threat-update-#2
COVID-19 Threat Update #2
The coronavirus crisis presents a perfect storm for attackers. Routines have been upended, employees are remote, and many will work on unpatched personal devices.  It only takes one compromised remote...
covid-19-threat-update-#3
COVID-19 Threat Update #3
If you’re reading this, there’s a good chance you’ve become one of the millions of employees forced to work from home during the coronavirus crises. Accessing your emails and files...