Why Is Facebook Asking for Email Passwords?
How much does Facebook know about you? Different people will give different answers. If you don't have a Facebook account, for example, you are likely to say that the world's largest social network knows nothing about you. If you have an account that you don't use very much, you will probably say that Facebook knows very little about you. And if you do have an active account and you have followed the recent news, you might be inclined to say that Facebook knows more about you than it should. Definitively saying which of these answers are right and which aren't is a different, very complicated matter.
Answering another question, however, is much more straightforward. The question is "How much does Facebook want to know about you?" and the answer is "A lot".
The world's biggest social network makes its money by serving targeted ads. The difference between a normal ad and a targeted one is that the latter is much more likely to get you interested. Because of this, Facebook wants to know what sort of things might extract that all-important click. In theory, there's nothing wrong with targeted advertising, but there is a line between collecting data that can be used for delivering the right ads and invading people's privacy. We won't go into how many times Facebook has crossed that line. Instead, we'll discuss the latest in a long line of storms around Mark Zuckerberg's business.
Facebook asks users for their email passwords
Apparently, this has been going on for a while, but it wasn't until a software developer and cybersecurity specialist going by the Twitter handle @originalesushi mentioned it that it finally caught people's attention.
As @originalesushi explains, under some circumstances, people creating new Facebook accounts are asked for their email passwords. The Twitter thread went viral rather quickly, and shortly afterwards, reports by The Daily Beast, Business Insider, and Gizmodo appeared, causing a bit of a stir. The world's largest social media platform was heavily criticized, and, as we'll see in a minute, rightly so. Before you break out the torches, pitchforks, and #DeleteFacebook hashtags, however, let's see what Mark Zuckerberg's employees had to say for themselves.
One of the first things they told the media is that a "very small" number of users are asked for their email passwords. Apparently, this is done to verify your email address in case your provider doesn't support OAuth – an open standard that allows authenticated login without the transmission of an actual password. There are other, more conventional means of verifying these addresses, but the reporters covering the story said that they seem to be hidden behind a few menus.
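An added sketch (not from the article or from Facebook) of the OAuth-style exchange described above, using a toy in-process provider and site; the class names, the account and the password are all constructed for illustration. It shows that the site ends up with a verified address while receiving only a one-time code and its own state value.

```python
import base64, hashlib, hmac, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class EmailProvider:
    """Toy authorization server (constructed). Only it ever sees the password."""
    def __init__(self, accounts):
        self._accounts = accounts   # email -> password (toy; real servers store hashes)
        self._codes = {}            # one-time code -> (email, scope, code_challenge)

    def authorize(self, email, password, scope, code_challenge):
        # The user types the password on the provider's own page, not the site's.
        stored = self._accounts.get(email, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("login failed")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (email, scope, code_challenge)
        return code

    def token(self, code, code_verifier):
        email, scope, challenge = self._codes.pop(code)   # codes are single use
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != challenge:
            raise PermissionError("PKCE verifier mismatch")
        return {"email": email, "scope": scope}

class RelyingSite:
    """The site that wants proof of address ownership; records what it receives."""
    def __init__(self):
        self.seen = []
        self.state = self.verifier = None

    def begin(self):
        self.state = secrets.token_urlsafe(16)      # binds the callback to this session
        self.verifier = secrets.token_urlsafe(32)   # PKCE secret, never leaves the site
        challenge = b64url(hashlib.sha256(self.verifier.encode()).digest())
        return {"scope": "email", "state": self.state, "code_challenge": challenge}

    def finish(self, provider, code, state):
        self.seen += [code, state]
        if not hmac.compare_digest(state.encode(), (self.state or "").encode()):
            raise PermissionError("state mismatch")
        return provider.token(code, self.verifier)["email"]

def run_flow(email, password):
    provider, site = EmailProvider({email: password}), RelyingSite()
    req = site.begin()                                    # site -> browser redirect
    code = provider.authorize(email, password, req["scope"], req["code_challenge"])
    verified = site.finish(provider, code, req["state"])  # browser -> site callback
    return verified, site.seen
```
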
Most major email providers support OAuth, which is why this particular feature of Facebook's signup mechanism has remained largely hidden over the years. Overall, the social network's spokespeople were probably right when they said that not many users have been asked for their email passwords. Despite the low impact, security experts appear to be rather upset with Facebook.
Is it that bad?
In an interview for Business Insider, Bennett Cyphers, a security researcher working for the Electronic Frontier Foundation, said that the practice of asking people for their email passwords "goes against conventional security wisdom, basic decency, and common sense". Founder of Rendition Infosec and cybersecurity expert Jake Williams told The Daily Beast that it's "beyond sketchy". Troy Hunt, another infosec legend and creator of the HaveIBeenPwned service, was a bit more restrained, describing it as "a security anti-pattern". Some people might be tempted to say that the security experts are overreacting a bit.
Facebook representatives explicitly noted that although it might ask for it, the social network will never store your email password. Apparently, it just uses it to confirm your address after which it gets rid of it. There is no way to verify or refute these claims, so you'll have to decide whether you're willing to take Facebook's word for it.
Even if you assume that Facebook's people are lying, it's difficult to imagine that Mark Zuckerberg will risk the empire he's built over the last fifteen years in exchange for compromising some email accounts. Indeed, the social media behemoth recently admitted that it has made some mistakes while handling Facebook and Instagram users' passwords, which is hardly encouraging, but as we mentioned already, your password is only requested if you're using an email provider that doesn't support OAuth – an established security protocol that is neither new nor difficult to implement. In other words, Facebook might not be your biggest security issue.
Yes, it is that bad
Whether or not Facebook stores and can potentially leak your email password is not the real problem here. The biggest issue lies with the fact that it's requesting it in the first place.
Millions of people spend countless hours on Facebook every day. We all know how influential it is when it comes to shaping people's views on the world, and we know that it can be just as powerful at improving their security habits. Instead, however, it's doing the exact opposite.
For years, security experts have been trying to teach people how important their emails are. They've also been telling users that passwords should never be shared with third parties. And yet, here comes one of the biggest, most established online services asking for a password it shouldn't have access to. All of a sudden, a completely unacceptable practice is turned into something people could perceive as normal. It's a one-step-forward-two-steps-back situation, and security specialists are predictably not happy about it. Neither should you be, for that matter.
Facebook has realized its mistake and has announced that it will stop asking people for their email passwords. Hopefully, this will happen sooner rather than later. In the meantime, everybody should draw their own conclusion from the seemingly never-ending stream of security and privacy problems around Facebook.