Time for a reminder about password security. We have talked a lot about how to choose good passwords. But they are worth nothing if they don’t stay secret. This is about a quite simple scheme that tricks many users into revealing their e-mail passwords.

“John Doe found 4 new friends by searching his email contacts. Give it a try”. That’s what pops up in my Facebook now and then. You just have to submit your email and the password to your account. Facebook can then connect to your mail account, parse the contact list and match it against its own user database. Sounds simple and it sure works.

The drawback is of course that you at the same time grant Facebook full access to your mail, no matter what system it is hosted on. Facebook can not only read your contacts but also your mail messages and calendar items. Facebook could even manipulate the content in your account, delete items or send mail on behalf of you. I’m not claiming that they misuse account details in this way, but it’s best to not even give them the chance to do so. Facebook’s reputation for privacy isn’t exactly stellar and for me it’s a no-brainer that they can’t be trusted with secret info like one’s mail password. Frankly speaking, I haven’t even bothered to check what kind of privacy promise they make about this feature. Their promise is pretty irrelevant anyway, this is just simply a bad idea.

So don’t use this feature if Facebook offers it to you. If you have used it, your mail password is compromised and need to be changed ASAP. And this is by the way true for any other system that might offer a similar feature. Linkedin is one example.

To wrap up. Passwords are secret. They should only be entered into the system they belong to, into an app or program that is designed to use the system or into a password manager program you trust. Another I use is LastPass. They should not be kept on stickers or in files that aren’t properly protected. They should not be entered into other systems that promise to do something on your behalf (the Facebook feature falls into this category), unless you are 100% sure about the reliability of that system.

Via: f-secure