There’s a very interesting post on the MailChimp blog about why they feel that social login buttons aren’t worth it.
Like many sites, MailChimp’s idea was to simplify the login process by letting people reuse their existing Facebook or Twitter accounts. In their case the goal was to reduce the number of failed login attempts they were observing, and so to improve the user experience.
However, they found that very few people actually used these. Instead, they concluded that the best way to reduce failed logins is to improve the error messages people get, and to state specifically whether the user supplied an incorrect username or an incorrect password.
This flies in the face of accepted security best practice, but the MailChimp team felt the risk was overstated. They also felt that having multiple login options made for a confusing user experience, and there were concerns about placing security in the hands of another site.
I think that if a site can enforce ‘strong’ password requirements, then being more specific about what was wrong with the login attempt is a good idea. There are other techniques to stop account hacking (locking accounts after too many failed attempts, for instance), and the worst an attacker is likely to learn is that a given email address is registered with the site.
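To make the trade-off concrete, here is an added example (not code from the MailChimp post or from MailChimp) of a small login service that supports both error-message policies side by side: the conventional generic “invalid email or password” response, and the specific “no such account” / “wrong password” response the post argues for, backed by the two controls the argument depends on, a minimum password length and an account lockout after repeated failures. The policy values (12-character minimum, 5 failures, 15-minute lock, PBKDF2 iteration count) and the email addresses are constructed for illustration, not taken from the post.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed policy values for illustration; a real deployment tunes these.
MIN_PASSWORD_LENGTH = 12
MAX_FAILURES = 5            # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60   # how long a lock lasts

GENERIC_ERROR = "Invalid email address or password."


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a constructed example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class LoginService:
    """Toy in-memory account store with a lockout counter and two error-message policies.

    specific_errors=False: every failure returns GENERIC_ERROR (no account enumeration).
    specific_errors=True:  failures say whether the address or the password was wrong,
                           which is what the post argues is acceptable given lockouts.
    The clock is injectable so the lockout expiry can be tested without sleeping.
    """

    def __init__(self, specific_errors: bool, clock=time.time):
        self.specific_errors = specific_errors
        self.clock = clock
        self.accounts: dict[str, Account] = {}

    def register(self, email: str, password: str) -> None:
        # The "strong password" precondition the argument relies on.
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        salt = os.urandom(16)
        self.accounts[email.lower()] = Account(salt, hash_password(password, salt))

    def _fail(self, account: Account | None, specific_msg: str) -> tuple[bool, str]:
        # Count the failure against a real account and lock it at the threshold.
        if account is not None:
            account.failures += 1
            if account.failures >= MAX_FAILURES:
                account.locked_until = self.clock() + LOCKOUT_SECONDS
        return False, (specific_msg if self.specific_errors else GENERIC_ERROR)

    def login(self, email: str, password: str) -> tuple[bool, str]:
        account = self.accounts.get(email.lower())
        if account is None:
            # Unknown address: in generic mode indistinguishable from a wrong password.
            return self._fail(None, "No account is registered for that email address.")
        if self.clock() < account.locked_until:
            # Locked: in generic mode the message stays the same, so the lock itself
            # does not reveal that the address is registered. The right password is
            # still refused until the lock expires.
            locked_msg = "Account temporarily locked after too many failed attempts."
            return False, (locked_msg if self.specific_errors else GENERIC_ERROR)
        candidate = hash_password(password, account.salt)
        if not hmac.compare_digest(candidate, account.pw_hash):
            return self._fail(account, "Incorrect password.")
        # Successful login clears the failure counter.
        account.failures = 0
        account.locked_until = 0.0
        return True, "Login successful."


if __name__ == "__main__":
    svc = LoginService(specific_errors=True)
    svc.register("alice@example.com", "correct horse battery staple")  # constructed
    print(svc.login("alice@example.com", "wrong password"))
    print(svc.login("nobody@example.com", "wrong password"))
    print(svc.login("alice@example.com", "correct horse battery staple"))
```

The design point worth noticing is the locked branch: a lockout only helps the specific-message argument if it cannot itself become an enumeration oracle, so in generic mode a locked account answers exactly like a wrong password, and only in specific mode does the user learn the account is locked.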