Facebook caught asking for new users' email passwords

That is a problem many people have. FB has almost 2 billion users and a number of them do not check any other communication channels. Checkmate.


Seems like good fun! :innocent:


“Free” is certainly hard to beat, but what is the real cost of “free”?

Both @TheirFeldspars and @bobtato bring up good ideas, but I also know sending mailers and designer newsletters isn’t free either. Neither is website hosting, registration, or anything else.

But advertising for your business is (currently) tax deductible. At least it was when I last had to deal with it; no telling what will happen with our current crop of clowns regulating.

I think you could find a better, more community friendly way to advertise your events than using Facebook. It’s showing no signs of changing for the better anytime soon.

I appreciate the suggestion. We do use MailChimp, as well as Twitter and Instagram, but none are as effective as Facebook. We put a survey in the program for every show, asking how people heard about it, and the top answer is always Facebook, followed by the radio (we do a segment on our local NPR station for each production). Twitter and Instagram: Basically zero.

We’re reaching people with MailChimp, but not nearly as many as Facebook. To put it another way, there are a lot of people we are only reaching via Facebook, while the people we reach via other channels are also on Facebook. It sucks, but we have to do what works.


My only regret is I can only delete Facebook once


One of the most nauseating things online is writers who are scathing about Facebook on social media but whose published journalism takes everything it says in steeple-fingered good faith. Twitter, the bar next to the public defenders’ office.

This paragraph is mere millimeters away from both the SHARE / TWEET links.


This post is spin city.

The article’s angle on the issue, and the article’s source link, is very bizarrely worded to me. The article should be altered to not be quite so panicky, because in comparison to other things Facebook prompts you for, this is small potatoes.

For one, entering your email password is one option, not the only option – it’s not requiring you to, nor demanding you do. BoingBoing itself offers something very similar to this, in that you can sign in/register to comment by using a Google login; the interface is no doubt iframed or windowed to some degree to load a strictly Google-authorized context inside which you may enter your details, but from a grandma’s perspective, it’s still on BoingBoing that you’re entering it, rather than going to Google itself.

While I personally would find it inadvisable from a privacy standpoint to even use a critical email address to sign up to services with in the first place, and therefore you should use a junker address to sign up, there are loads of things you could also enter on Facebook that are terrible on the privacy spectrum, but are somehow not making headlines. The article is trying to shoehorn a story out of something rather ordinary. If you don’t want to use that option, then don’t use it, and that’s all there is to it.

I’m sure you understand the difference between “let the BBS authenticate your forum account by connecting to Google for basic information in a manner that means BBS will never see your password” and “give Facebook the password for your email account so they can log into it and look for the message they sent you”, right?

Also, this UI doesn’t seem to provide any other option for verifying your email address (if it does, it’s absolutely buried somewhere in an anti-pattern choice like “update contact info”):

ETA: Apparently alternatives are offered under the “Need help” link (like I said, anti-pattern), and the “see how it works” link is unclickable.



Back in the day, if you didn’t keep a contact list it was less of a problem. Now, they probably sift through all the incoming and outgoing messages looking for keywords, on top of the addresses.


That it even asks for your email password is extremely wrong.


What surprises me is that it’s so…retro…about its evil.

OAuth is not exactly young at this point; and is specifically designed for this sort of cross-service delegation without degenerate password sharing.

It’s also a popular way to obtain overbroad permissions in the guise of making sane and safe sounding requests; and OAuth authorizations can be a fun way of hiding your continued foothold from someone who tries to lock you out by changing their password.

Did the people at Facebook who have never even heard of Facebook’s own use of OAuth approve this because they know nothing better? Is this just the only way to assure compatibility with every last dodgy email provider in the known world? Are industry standards for amount of access potentially granted through OAuth (usually rather high) just not creepy enough and only 100% parity with authorized credential powers will do?

That seems to be the Facebook SOP: they push until people get outraged, then back off just enough to silence the loudest complaints. Zuckerberg blows a little smoke before Congress, and the congresscritters boast about how they took action to protect the American people. Facebook gets the public and the politicos acclimated to privacy intrusions step by deliberate step.


This is utterly incorrect on how the Google authentication process works. I speak as someone who’s recently worked on an email application that interfaces with Gmail.

  1. The authentication process is scoped. Meaning you get only a small set of permissions and they’re easily revoked.

  2. For most use cases for Google Account (as opposed to Gmail) authentication, you get no more information than what Google exposes in the token returned. You can’t even scrape their form because the way you access it is to redirect TO THEIR SITE and provide a RETURN URL to return back to with the aforementioned token.

  3. Google is pretty picky about who it allows to use this process. In fact, you have to get your application whitelisted to even get the authentication (single sign on) process to work.
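
The redirect flow described in the post above, as an added example that is not part of the thread or any provider's own code: the application sends the browser to the provider with a narrow scope and a return URL, then validates what comes back, never handling the password. The endpoint, client ID and redirect URI are placeholder assumptions; parameter names follow OAuth 2.0 (RFC 6749).

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed placeholders; a real provider issues its own endpoint and client_id.
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://forum.example/oauth/callback"
REQUESTED_SCOPES = ("openid", "email")  # identity only, no mailbox access


def build_authorization_request(session):
    """Return the URL on the provider's site that the browser is sent to.

    The password is typed there; this application never sees it.
    """
    state = secrets.token_urlsafe(32)  # binds the response to this session
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(REQUESTED_SCOPES),
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(callback_url, session):
    """Validate the provider's redirect back and return the one-time code."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    expected = session.pop("oauth_state", None)  # single use: replay fails
    received = params.get("state", "")
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: response not tied to this session")
    if "error" in params:
        raise ValueError(f"authorization refused: {params['error']}")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"]


def check_granted_scopes(token_response):
    """Reject a token response whose scope exceeds what was requested."""
    granted = set(token_response.get("scope", "").split())
    extra = granted - set(REQUESTED_SCOPES)
    if extra:
        raise ValueError(f"unexpected scopes granted: {sorted(extra)}")
    return granted
```
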


Send a private message to the people you really want to keep in touch with. Include your email and say something like: “I’m bailing on FB cuz it’s evil. I really want to stay in touch with you so here’s my email”. The people that email you back are the friends who still want to keep in touch with you.


I can’t imagine why they bother. Most people use the same passwords for everything, so without asking, they can try the Facebook password in the email and achieve the pwnage they seek.
Very high success rate.

“We Await Silent Tristero’s Empire”

Eh, my view of digital social relationships is nuanced enough to know that there are people I want to keep on my friends list on Facebook that likely would not pass that test.

I think the public is finally, finally starting to turn on Facebook. Even several of the podcasts I listen to that usually end with “find us on Facebook, etc.” are beginning to either say “though Facebook kinda sucks” or outright announce they’re leaving it. Family members who should know better by now, not so much, but I guess there are still people using AOL too.

Have a look at matrix.org and riot.im - It looks to me like a possible alternative.

Matrix is “an open standard for interoperable, decentralised, real-time communication over IP”
Riot.im is “a universal secure chat app entirely under your control.”

Here’s a presentation about it:
Matthew Hodgson: Power to the people: liberating online communication with Matrix.org - YouTube