
Facebook stops asking new users for email passwords

The practice is frowned upon by information security professionals.

Facebook has halted a sketchy practice of asking some new users for their outside email credentials in order to verify their accounts. After a Twitter user on Sunday shared a screenshot of Facebook asking them for the password to their email, the social media giant faced intense criticism from security professionals. A spokesman for Facebook told The Daily Beast that it would no longer engage in this practice.

Facebook has maintained that the password prompt only appeared for a small number of users, specifically new users who were signing up for Facebook on desktops with email addresses from providers that did not support OAuth. OAuth, an open-standard security protocol used by Google, Amazon, Twitter and Facebook, lets users grant third-party clients access to their information without giving them their password.

Engadget tested the company's claim on Tuesday morning that it no longer asks for email passwords, and it checks out. We signed up for a new Facebook account with an iCloud email address, which doesn't use OAuth. Facebook then sent a five-digit security code to that iCloud email; it also sent a separate email with a "Get Started" link, both of which could be used to get into the new Facebook account -- but crucially, it never asked us for the email account password.

Facebook is facing more scrutiny over how it handles user passwords after numerous privacy transgressions over the past year. While the social media giant is always quick to fix whatever initial problem occurs, the fact is that new problems always crop up. If a 3,000-word manifesto released last month by CEO Mark Zuckerberg on a new "privacy-focused" vision for the company is to be believed, the company wants to take privacy seriously from the top down. But the recent evidence isn't too encouraging.

The company discovered in January that over 600 million user passwords were stored in plain text. Facebook admitted back in November that it was handing over phone numbers that users provided for two-factor security to third parties. The FTC confirmed last week that it is once again investigating Facebook after the company admitted it let Cambridge Analytica access user information in order to target Trump supporters during the 2016 presidential election. But consumers probably shouldn't get their hopes up; the FTC's last probe into Facebook's privacy practices, back in 2011, still led us to where we are now.
