

Cunning trick StackOverflow uses to get you to signup using Facebook credentials - edawerd
http://blog.edward-kim.com/how-stackoverflow-makes-you-register-using-yo

======
kmontrose
Uhm, no?

I added the Facebook login option* to Stack Overflow, and I can assure you we
don't really care which credential you use. We don't do anything different
based on Facebook/non-Facebook creds.

Go look at your app settings and you'll see that the Stack Exchange/Stack
Overflow app only accesses your Facebook account when you login. We don't do
any subsequent queries, by design (we actually discard the auth token, but
that's harder to prove).

The vast vast majority of the accounts on Stack Overflow use Google as a login
provider. This has basically always been the case
(<http://meta.stackoverflow.com/q/31021/130213>).

* We waited until they supported OAuth 2.0, as we weren't comfortable with the older Facebook Connect.

------
sysop073
At first I thought this was just embarrassingly wrong, but it's more than
that; you fabricate details to try and make your point. This is what the SO
login page looks like: <http://i.imgur.com/4Z8P8.png>

SO doesn't push Facebook logins -- they accept any OpenID login, and Facebook
is one of 13 default options presented (besides just letting you type in
whatever provider you want). They _only_ accept OpenID logins -- the Stack
Exchange option is just a Stack Exchange-provided OpenID. You can use that
login with any OpenID-enabled website, including Stack Overflow. I can't
believe you felt comfortable writing "they strongly encourage you to sign in
using Facebook".

Furthermore, they don't even use the Facebook login you're thinking of.
Facebook supports OAuth, so they connect via that. They're not cleverly
stealing all your Facebook data; OAuth doesn't work that way. It just got
funny when you complained that the password requirements were more complicated
than banks, since banks are regularly mocked for their incredibly insecure
password requirements.

As far as I know they've never published what percentage of users use which
type of OpenID, but I know at least myOpenID is very popular. Why you chose to
use your Facebook account from one of a dozen options and then bitched that
you used your Facebook account is completely beyond me.

------
mythz
This is a strange conclusion from a site that accepts every OAuth option under
the sun with the Facebook login as the last presented major option.

Assuming a UX mind trick because someone has a strict password policy is a bit
far-fetched IMO.

~~~
edawerd
UX mind trick or not, the strict password policy DID ultimately get me to sign
in with my Facebook credentials.

My conclusion here is that a strict password policy can actually help a
website get more of their users to open up their Facebook profiles to them.

~~~
tikhonj
That's more a comment about you than about SO. Also, I don't see why you
single out Facebook--I suspect a large amount of people use Google, maybe even
more than Facebook. And the technically savvy sort could always use _any_
OpenID provider.

------
bdfh42
What a load of whining rubbish.

Anyone who thinks a short password is secure in this day and age is nuts -
particularly as just such individuals re-use passwords across services.

This person would be the first to decry SO if there was any breach of security
caused by bad password choice.

~~~
edawerd
The intention of the post was not to whine about the password complexity.
Quite the opposite, I think Stack Overflow's strategy is a brilliant way to
get you to login/register using Facebook.

~~~
bdfh42
Read their blogs and you will see that SO is keen that you use any available
OpenID provider to log in to their site - they have no interest in any one
such provider.

Should you have persevered through the terribly difficult task of establishing
a password with them then - wow - you would have had a new OpenID you could
have used at other sites - without creating yet another username/password
combination.

These guys are doing you a favour at their (small) expense and you see it as
some sort of con.

Some word combination of horse teeth and gift comes to mind - but whingers
there will always be.

------
r00fus
Is this a joke post?

8 unique characters? I just checked (as I use a password manager) - 90% of my
hand-coded passwords pass this test. The rest of my passwords are
machine-generated - and most password generators are capable enough to guarantee
unique characters and length.

Maybe StackOverflow's "cunning plan" [1] is really to force you to use a
password manager or OpenID?

[1] <http://en.wikiquote.org/wiki/Blackadder>

------
tzs
This is what password managers are for. Here's one that the manager I use
generated for me:

    87NTK7g9M;xwF@aQ7tqTK{d(87ftLd4(;a$w]#f7X4<yAFNFwk

I believe that meets their requirements.

I like StackOverflow's login implementation. I believe StackOverflow was the
first site I encountered that I wanted to sign up for and whose OpenID
implementation accepted i-names. I had =tzs for something like 2 or 3 years
before finally being able to actually use it.

------
mark-r
I think this is missing the difference between grabbing your Facebook login
and using Facebook's OpenID capability. The only piece of information
StackOverflow gets back from Facebook is the fact that you're logged in there.

------
AznHisoka
I don't think this is brilliant at all. Anyone who decided to forego the FB
Connect route is already someone who wants to sign up. By making it incredibly
painful, it'll lessen the chance of him even signing up. Sure, you'll get more
FB signups, but the absolute # of signups will decrease.

And what's the advantage of more FB signups? This isn't a social network like
Foursquare or Pinterest.

------
gm
Really? This is to herd you into using FB?

First issue: How do you know this is the intention?

Second issue: Who cares? You are free to not use the site.

Third issue: There are other options. I sign in using Google's authentication.
I did not even know they had FB integration.

Seems more like this post is an excuse to whine about things than anything
"real".

------
boca
StackOverflow is just doing the right thing enforcing a strict password rule.
If people don't want to create an account with a strong password and instead
end up using FB connect, then it's just what the user chose. I don't think
that amounts to StackOverflow being cunning and tricking anybody. I get your
point but don't think you should use those words.

------
ChuckMcM
Wow, the risks of putting your own blog post on HN :-)

If you're reading edawerd, One Password and other tools like it are real
lifesavers in this sort of situation.

------
psylence519
All this tells us is that you typically re-use your passwords, and that they
are fairly weak to begin with.

------
shingen
I think the real issue here is the weakness of the passwords your bank is
willing to accept.

------
edawerd
kmontrose of StackOverflow informed me in his comment that this in fact was
not their intention at all. Furthermore, they don't use any of their users'
Facebook profile data. I now realize it was a bit of a stretch to say that
Stack Overflow engineered their UX in this manner.

Regardless, the strong password requirement DID convince me to sign in using
my Facebook credentials, and I'm sure it will convince others as well. In
conclusion, I think a very strong password could actually funnel users into
signing in with 3rd party credentials.

