Just two weeks after admitting it stored hundreds of millions of its users’ own passwords insecurely, Facebook is demanding some users fork over the password for their outside email account as the price of admission to the social network.
Facebook users are being interrupted by an interstitial demanding they provide the password for the email account they gave to Facebook when signing up. “To continue using Facebook, you’ll need to confirm your email,” the message demands. “Since you signed up with [email address], you can do that automatically …”
A form below the message asked for the users’ “email password.”
Calling this a “demand” for a password is an overstatement; users have the option of saying “Oh hell no” and getting a code sent to their phone or some other, less incredibly stupid approach. But the reality is that users have vague and often wrong ideas about security, so many will just type in their email password. You know, the password that lets anybody run around resetting all their other passwords and taking over all their accounts.
In a statement emailed to The Daily Beast after this story published, Facebook reiterated its claim it doesn’t store the email passwords. But the company also announced it will end the practice altogether.
“We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,” Facebook wrote.
Okay, that’s not really a good answer. This is like someone telling you, “Okay, just leave your house key next to the mailbox with a big sign that says ‘key is right here’ so we can deliver your package.” Even if that works out okay, you have to ask yourself: is this someone I can trust with anything at all?
And the answer to that is “No, hell no, no way.” You like sharing your pictures with people on Facebook? Set up an album in Apple Photos or Google Photos and share it that way. You like messaging with friends on Facebook Messenger? Send a text or download Signal. You like keeping up with new sources on Facebook? Sign up for their email newsletters.
Facebook has proven itself – again – to be absolutely clueless about protecting its users. If you use it, know that you’re taking a risk.