On Fri, Nov 30, 2018 at 04:12:27PM -0500, valdis.kletnieks@vt.edu wrote: [...]
There's the additional factor that security is always about trade-offs - for many sites, the dangers of using social media logins are *far* outweighed by being able to just have a big shiny "Log in using Facebook" button instead of making the user set up an account, pick a password, send them a verification e-mail, then they have to read their e-mail and click on the link. Do that, and they just left for another site. Doesn't take many people leaving for another site before any "security" added by doing authentication yourself is outweighed by lost traffic.
What is better for the site could be diametrically opposed to what is good for the end user. (Yet another trade-off.) Personally, the process of setting up a separate account for each site is a hoop I require before I will sign up for/with a service. I don't *CARE* if the individual site is compromised, as long as my other logins are disconnected from it completely. (For me, that means a separate username and password pair for each site.) I suspect there is a choir here to which I am preaching...