2. It is very easy. SQL injection etc. isn't something you magically get rid of because you use a facebook login...
The reason so many get this wrong is because they don't even try. And if you don't even try you won't get any other aspect of security right and outsourcing your logins isn't going to solve any of that. If you have to outsource this to facebook, the moment you get big you will, guaranteed, have issues with DoS, rate-limiting, SQL injection etc. for everything but the login. Which honestly isn't much of an advantage (sure, leaking your password database is bad press - but if you have the slightest bit of salting it might even turn out to be somewhat good - after all, your little startup apparently had way better security than sony and 99% of everyone elses leaked databases). If salted passwords is the only thing valuable in your database you are in serious trouble anyway.
3. Since building your own login is so easy and hardly even a fraction of anything worth doing with your startup, outsourcing it completely is just ludicrous.
If you can't even salt your passwords right maybe this web-thing isn't your thing after all, or maybe you should outsource everything...
Point is that exclusively relying on facebook (or whatever) login is that it is downright fraudulent and also signals that you are lazy and don't care the slightest about your users. It is that easy, you can't get away from that.
Offer a facebook login alongside your own solution (if you think it's worth the hassle implementing facebook connect/whatever), even if 99% of the users choose facebook the fact that there is an alternative is guaranteed to make them feel better about using facebook in the first place. If you don't think that is worth it, your site most likely isn't worth even trying either...
As from the user point of view, if you really think it is worth it (probably isn't): Just create fake facebook account(s).
1. What's irrelevant about having robust and constantly-evolving phishing detection, and optimized flows for getting people back into their accounts? Both of these are important in a high-quality login system IMO.
2. You're right that a lot of folks fail to even try for security, but I disagree that outsourcing password management to facebook won't help them. If they get popped and have no passwords, all that leaks is the information specific to their site. If they get popped and have passwords, then in addition all those users' passwords (which they likely share with other sites) are now in the open. The damage has spread beyond the one clowny site and screwed over those users' experiences on wherever they shared passwords. We actually invest a fair amount of time in automated systems that look for leaked password dumps from such sites and help clean up users whose leaked passwords match their Facebook ones.
Also, even in cases where people did things more-right, it's still incredibly damaging. Look at LinkedIn (who was hashed but not salted) or Gawker (who was hashed and salted, albeit poorly).
3. I guess I didn't convey this very well, but my point was that building your own login system is difficult. Getting everything right to ensure it's secure is actually pretty difficult, and requires constant attention if you're under any kind of targeted attack.
As for making fake Facebook accounts... please don't do that. You'll just open yourself to a bunch of headaches, as we're pretty aggressive with removing fake accounts from the site.
Facebook has big target problems and fortunately has big target defence resources. That doesn't make it right for everybody.
1. If you are small people won't be using your brand as the bait in anything other than spear-phishing when your phishing detection won't work. Emails and password resets are pretty easy. If you need it twilio makes SMS resets pretty easy too but in most cases that is probably overkill.
2. There probably is some benefit here.
3. There are fairly simple and clear best practices that are reasonable for most sites. Most people aren't under targeted attack although they should put a reasonable amount of effort into a reasonable defensive system.
Facebook integration (or other 3rd party login) also brings additional risks as they become a potential attack vector. This may seem unlikely unless you consider the possibility of staff, contractors or app developers finding a way in.
2. It is very easy. SQL injection etc. isn't something you magically get rid of because you use a facebook login...
The reason so many get this wrong is because they don't even try. And if you don't even try you won't get any other aspect of security right and outsourcing your logins isn't going to solve any of that. If you have to outsource this to facebook, the moment you get big you will, guaranteed, have issues with DoS, rate-limiting, SQL injection etc. for everything but the login. Which honestly isn't much of an advantage (sure, leaking your password database is bad press - but if you have the slightest bit of salting it might even turn out to be somewhat good - after all, your little startup apparently had way better security than sony and 99% of everyone elses leaked databases). If salted passwords is the only thing valuable in your database you are in serious trouble anyway.
3. Since building your own login is so easy and hardly even a fraction of anything worth doing with your startup, outsourcing it completely is just ludicrous.
If you can't even salt your passwords right maybe this web-thing isn't your thing after all, or maybe you should outsource everything...
Point is that exclusively relying on facebook (or whatever) login is that it is downright fraudulent and also signals that you are lazy and don't care the slightest about your users. It is that easy, you can't get away from that.
Offer a facebook login alongside your own solution (if you think it's worth the hassle implementing facebook connect/whatever), even if 99% of the users choose facebook the fact that there is an alternative is guaranteed to make them feel better about using facebook in the first place. If you don't think that is worth it, your site most likely isn't worth even trying either...
As from the user point of view, if you really think it is worth it (probably isn't): Just create fake facebook account(s).