On Fri, Nov 30, 2018 at 04:12:27PM -0500, valdis.kletni...@vt.edu wrote:
[...]
> There's the additional factor that security is always about trade-offs - for
> many sites, the dangers of using social media logins are *far* outweighed
> by being able to just have a big shiny "Log in using Facebook" button instead
> of making the user set up an account, pick a password, send them a verification
> e-mail, then they have to read their e-mail and click on the link. Do that, and
> they just left for another site. Doesn't take many people leaving for another
> site before any added "security" added by doing authentication yourself is
> outweighed by lost traffic.

What is better for the site could be diametrically opposed to what is good for the end user. (Yet another trade-off.)

Personally, the process of setting up a separate account for each site is a hoop I require before I will sign up for/with a service. I don't *CARE* if the individual site is compromised, as long as my other logins are disconnected from it completely. (For me, that means separate usernames and password pairs for each site.)

I suspect there is a choir here to which I am preaching...