
Ask HN: Is centralized credentials good security practice? - bhhaskin
I just recently had an interesting discussion about social logins. A security consultant was arguing that by requiring users to log in utilizing Facebook and Google's OAuth system it was somehow more secure than an email and password approach, and that using centralized credentials is also good from a security standpoint.
My opinion is that social login is really just for convenience and that it doesn't really offer any more security than a well implemented login system. Not to mention data privacy when using social logins. I also think that having centralized credentials is actually a horrible idea and is the stuff of nightmares for security (not to be confused with a password manager). An attacker only has to gain access to your Facebook, Google or centralized account to gain control of your online presence in its entirety.
I think social logins are great for the people that want to use them, but it is terrible to use the excuse that they are way more secure to not offer another authentication method.
It was suggested that I ask here to see what others think. So, are centralized credentials good security practice, and are social logins good to use if you are a security conscious individual?
======
stephenr
I've heard the same thing, and effectively the reasoning seems to be "we don't
have to worry about user account security then, we let Google/Twitter/Facebook
handle that".

I'm with you though, it isn't _that_ hard to have good password hashing, login
rate limiting, etc and you aren't inherently depending on some external entity
that has less than zero interest in your needs or wants.

The "security" argument to me is as ridiculous as the people who claim that a
client-side app that uses AWS/etc services is "serverless". Honestly if no
one on your team can implement a simple authentication layer I don't have high
hopes for your success.

------
digi89178
Your security consultant is dumb, you should fire him/her. (S)He may be right
in the sense that social logins typically involve more user verification on
their side and you can usually determine a fake from a legit account due to
the data they provide.

However, they're wrong on everything else. Centralized credentials in terms of
social isn't secure at all. Consider the Apple iCloud "hacking" incident. The
intruders simply used social engineering to uncover the password recovery
answers. From there they could access everything in a user's iCloud,
including login information. When using Google or Facebook that same thing can
happen. Consider that many novice users don't have two-factor authentication
set up; in fact many novice users share passwords between accounts, which means
you're trusting [insert x site here] to not get hacked and take down the rest.
Many novice PC users aren't smart and will leave their social accounts at
risk. The same social media account can provide intruders with the data to
hack it.

Not to mention you lose control over password qualifications, which when set
correctly can increase entropy.

All that aside, with social logins you still have to set up a traditional
account security system. Social media just handles the login for you and gives
you an account id. You still need to do all the traditional account/userid
stuff.

You want security? You need this.

1. Good password hashing (w/ individual salting)
2. Good password requirements
3. Login rate limiting
4. IP / geolocation logging (check if someone logs in from Georgia, then from Russia 5 minutes later. If it's impossible for a user to travel that far, lock it.)
5. Good session management. If it's been 5-15 minutes, trash the session.
6. Location remembrance (w/ #4): "Hey, we see you haven't logged in from here before. Wanna save this spot?"
7. User notification of account changes to previously confirmed e-mail: "Hey, we see you logged in from Belize. Is this you?" / "Hey, we see you've changed your account's e-mail. Is this correct?"
8. Require password resets to involve a secondary device, like a mobile phone. If they go to reset their password they have to enter an SMS code to confirm. Services like Mailgun make this easy.
9. Allow two-factor authentication (again SMS/email when logged in)
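The "impossible travel" check from item 4 above, as an added example that is not part of the thread: it walks a user's login history in time order, computes the great-circle distance between consecutive logins, and flags any pair whose implied speed exceeds what a commercial flight could manage. The `Login` records, the coordinates and the 1000 km/h threshold are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling: roughly airliner speed


@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    city: str  # label for reporting only; detection uses lat/lon


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (flagged, km, km/h) for two consecutive logins of one user."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:  # same instant from two different places is impossible too
        return km > 0, km, float("inf") if km > 0 else 0.0
    kmh = km / hours
    return kmh > max_kmh, km, kmh


def scan(logins):
    """Return [(prev, cur, km, kmh)] for every flagged consecutive pair."""
    flagged, last_seen = [], {}
    for ev in sorted(logins, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        if prev is not None:
            hit, km, kmh = impossible_travel(prev, ev)
            if hit:
                flagged.append((prev, ev, round(km), round(kmh)))
        last_seen[ev.user] = ev
    return flagged


# Constructed sample history; coordinates are approximate city centres.
SAMPLE_LOGINS = [
    Login("alice", datetime(2024, 1, 10, 9, 0), 41.7151, 44.8271, "Tbilisi"),
    Login("alice", datetime(2024, 1, 10, 9, 5), 55.7558, 37.6173, "Moscow"),
    Login("bob", datetime(2024, 1, 10, 8, 0), 41.7151, 44.8271, "Tbilisi"),
    Login("bob", datetime(2024, 1, 10, 16, 0), 41.6168, 41.6367, "Batumi"),
]

if __name__ == "__main__":
    for prev, cur, km, kmh in scan(SAMPLE_LOGINS):
        print(f"{cur.user}: {prev.city} -> {cur.city}, {km} km at {kmh} km/h")
```

In a real deployment the flag would feed the lockout or notification step (items 4 and 7), and the threshold should be tuned against VPN and mobile-carrier geolocation noise to limit false positives.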

