“What’s the harm in giving up my Twitter password?”, you might say, “all someone can do is see my direct messages and post a tweet from me, right?”
Think again. The reality today is that social media services are used for far more than just posting updates or photos of cats. They also act as “identity providers”, allowing us to easily log in to other sites and services.
We’ve all seen the “Login with Twitter” or “Continue with Facebook” buttons on various sites, or the equivalents for Google or LinkedIn. These offer a tremendous convenience: you can rapidly sign in to sites without having to remember yet another password.
But…
… if you give your passwords to your social media accounts to someone, they could potentially[1]:
- Impersonate you on social media accounts and post updates in your name.
- Sign in to the comment sections of various news media sites and leave comments using your name.
- Connect to photo sites and see your photos, modify or delete them, or post new ones in your name.
- Sign in to e-commerce sites, view your orders and purchase items.
- Log in to video sites and see what videos you have watched, or post new ones to your account.
- Log in to your Medium account, view and change any articles you have written, and add new comments as you.
- Sign in to Goodreads, view all your books, see all the lists of what you want to read, view all your reviews and post reviews in your name.
- Log in to your Spotify account and learn all about what kind of music you like to listen to.
And that’s only a small number of examples.
We live in an era of highly connected systems, and there are so many systems and services! The convenience of using our social media accounts to log in is easy to understand.
But… if you give someone your password to a social media account, or are required to give your social media passwords to someone, you are giving them access to far more than just that social media service.
What can you do?
1. Don’t give out your social media passwords!
2. Understand where your social media IDs are being used. In both Twitter and Facebook you can go into your “Settings” and choose “Apps” to see where you have granted access. You can revoke access there for sites and services you no longer use.
3. Think about whether you want to continue using your social media IDs in so many places. Does the convenience outweigh the issue of having so many services linked to one identity?
4. Enable two-factor authentication on sites that offer it, which requires a second step beyond just your password to log in. These are very easy to use, often relying on a phone or a small, inexpensive “dongle” that fits on your keyring.[2] Do note that this may not help if you are required by authorities to provide your social media passwords, as they may also require you to provide the device used for two-factor authentication.
5. Use a password manager instead of using your social media ID to log in to other sites. A password manager lets you generate and use a very strong, unique password for each site and access them all with one master password. There are many excellent free and paid options available for both computers and mobile devices, with a variety of features.
6. Spread the word. Help others understand how critically important our social media passwords are.
P.S. For more ideas, please see
[1] Depending upon how you have configured the service to work.
[2] The FIDO Alliance is a leader in this area, and a list of enabled sites and certified products is available on their site https://fidoalliance.org/adoption/overview/