Facebook will stop asking new users for their email passwords – By Ina Fried (Axios) / April 2 2019
Responding to criticism, Facebook tells Axios it will stop asking users for their email passwords as a means of verifying some new accounts.
Why it matters: Although Facebook says it never stored the passwords, collecting them in the first place is a bad security practice, both for the risk of a breach as well as for acclimating users to provide information they should protect.
Details: Facebook told Axios that “a very small group of people have the option of entering their email password to verify their account when they sign up for Facebook,” but noted that people could choose instead to confirm their account with a code or link sent to their phone or email.
“That said, we understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,” the company said in a statement.
Those being asked for their e-mail passwords were users who listed an e-mail address that doesn’t use the secure OAuth protocol, which allows users to verify their identity to a third party without sharing their passwords.
Facebook’s use of passwords to verify some new accounts was first reported earlier Tuesday by The Daily Beast.
Facebook also recently acknowledged it had been storing some of its users’ Facebook passwords in plain text.
