Brilliant Trick Stack Overflow Uses to Make You Register Using Your Facebook Credentials

Many services push users to log in/register using their Facebook credentials so they can get additional demographic information about them. Only if you absolutely don't want to sign in using 3rd party credentials will these sites begrudgingly allow you to register using the traditional pick-a-user-name-and-password form.

StackOverflow has a particularly cunning way to get you to register using your Facebook credentials. 

StackOverflow's signup page starts out like many others -- they strongly encourage you to sign in using Facebook, but also put a link to their traditional sign up page.

Generally a private person, I usually decline to sign in using my Facebook account, so I navigated to their traditional signup page. It looked like a standard signup form at first, but then I quickly realized their password requirements are just plain ridiculous. Your password on StackOverflow needs to: 

  • Have at least 1 uppercase letter
  • Have at least 1 number
  • Have at least 8 unique characters
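As an added example (this is not Stack Overflow's own code, and the rule names and sample passwords are constructed for illustration), here is how those three rules could be checked in the browser or in Node. The interesting one is the third: "8 unique characters" is stricter than "8 characters", so a repeat-padded password like `Aaaaaaa1` fails it, while a long lowercase passphrase passes it but still fails the uppercase and digit rules.

```javascript
// Added example, not Stack Overflow's code. Implements the three rules listed above:
// at least one uppercase letter, at least one digit, at least 8 *unique* characters.
const RULES = [
  { name: "uppercase", test: (pw) => /[A-Z]/.test(pw) },
  { name: "digit", test: (pw) => /[0-9]/.test(pw) },
  // Count distinct characters, not length: "Aaaaaaa1" is 8 long but only 3 unique.
  // Set iterates by code point, so non-ASCII characters are counted sensibly too.
  { name: "unique8", test: (pw) => new Set(pw).size >= 8 },
];

// Returns the names of the rules the password fails; an empty array means it passes.
function failedRules(pw) {
  return RULES.filter((rule) => !rule.test(pw)).map((rule) => rule.name);
}

function passesPolicy(pw) {
  return failedRules(pw).length === 0;
}

// Constructed sample inputs (assumptions for this example, not real user passwords).
const SAMPLES = [
  "Aaaaaaa1",                      // length 8, but only 3 distinct characters
  "Password1",                     // 9 chars, 8 distinct: passes
  "correct horse battery staple",  // long passphrase, rejected for no uppercase/digit
  "Tr0ub4dor&3",                   // passes all three rules
];

for (const pw of SAMPLES) {
  const failed = failedRules(pw);
  console.log(JSON.stringify(pw), failed.length ? "rejected: " + failed.join(", ") : "accepted");
}
```

Note that a rule set like this says nothing about whether a password is actually hard to guess; it only shapes what users are able to type, which is exactly the friction the post is describing.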

Really?! Have at least 8 unique characters?! Even my bank doesn't require this much complexity in a password. And we're talking about StackOverflow here -- a site that doesn't really store any valuable personal information like credit cards. 

Discouraged by having to invent a completely new password just for this site, I decided to hit the "back" button on my browser and just sign in using my Facebook credentials. 

This seems like a brilliant tactic to get more users to sign in using 3rd party credentials. I wonder what percentage of SO users sign in using Facebook, and how this compares with others. 

EDIT: I was informed by someone at Stack Overflow that this in fact was not their intention at all. Furthermore, they don't use any of their users' Facebook profile data. I now realize it was a bit of a stretch to say that Stack Overflow engineered their UX in this manner.

Regardless, the strong password requirement DID convince me to sign in using my Facebook credentials, and I'm sure it will convince others as well. In conclusion, I think a very strong password could actually funnel users into signing in with 3rd party credentials.

I should also say that I'm not complaining about SO's strong password requirement. 

EDIT 2: I also didn't realize until now that Stack Exchange is an identity provider, in which case the strong password requirement completely makes sense. You should probably just disregard anything I said in this post, as I clearly didn't know what I'm talking about :)

10 responses
It's a pure case of being assholes, not a cunning trick.
If a website wanted to encourage users to log in using other services, a much more civilized approach would be to just provide many services to pick from. E.g. Google Account, Facebook, OpenID. For example, I would not log in with my Facebook account because I consider it of minor importance, and therefore I'm not concerned about its security, but on the other hand, I would gladly log in with Google.
If you're concerned about your privacy, you might want to black out your email address in that image.

Also, your blog asks me to sign in with Posterous or Twitter.

I would have thought the first hint that they didn't really want you making an account was the fact that they'll let you authenticate with:

Google Profile

OR you can create an account.

Impressive they've got three different versions of Google on there...

As a moderator of Stack Overflow, I can say the following:

First, the signup options for Stack Exchange do not strongly encourage one to sign in with Facebook. As a matter of fact, of the signin providers that are shown on first glance, Facebook is the last on that list (and there are others beyond that list).

Second, the password requirements are not an attempt to get you to use Facebook. Stack Exchange did not always provide accounts *on* Stack Exchange; it was stated that Stack Exchange didn't want to become an identity provider.

However, as the site grew, it had so many people that it made sense to become one. That said, they take the security of their accounts seriously (even if it could be argued that the information they store is trivial). Once you have a Stack Exchange account, you can use it on not just sites in the Stack Exchange network, but on *any* site that accepts signing in with an Open ID.

That's a tremendous amount of responsibility to bear, so they wanted to make sure it was done right.

That said, the requirements you see are there for your, and everyone else's, benefit: if someone was to get a hold of your account because you had a weak password, then they could impersonate you *anywhere*.

Also, it should be said that the password requirements are not vastly different from the requirements that are enforced on *most* corporate Windows domains as well as what is commonly considered requirements for a strong password.

All that said, you *can* sign in with another account and link the two together (and even have the Facebook login removed). Just ask one of the moderators (flag for moderator attention) and we can help you with that.

We hope your experience on Stack Overflow is a positive one.

As an SE moderator and longtime reader of Jeff's blog I'm intrigued by this post. SE has always used OpenID as their primary identity provider for users, and this is still the case. Facebook login has only recently been added. What you are highlighting here is actually an attempt to create an OpenID registered through SO. You have lots of other options, such as Google, Yahoo, or several other providers. This is not a plot by SE Inc to get you to sign up using Facebook, it's them trying to enforce some kind of security on the Internet equivalent of your driver's license.
For a place where developers go to learn best practices, SE has the worst profile/registration/login/whatever system in existence today. You can easily create dupe accounts, there's some ridiculous synchronization between properties, StackExchange is something separate and even more messy - I've never seen such mess, honest! If they want secure logins for those who care and made the mistake to use them as their OpenID identity (vs using something tons better such as MyOpenID, for example, or simply use their Google/Yahoo!), why didn't they do something truly secure such as a 2-factor authentication like Google, AWS, and so on?! I know they put a lot of effort to fancy up their reputation system, but more often they just make it unnecessarily hard for people to contribute.