EDITOR'S NOTE: Local West Seattle mediator and attorney Liz Steen is also a very capable technology user. As such she often uses various AI tools and other accounts interchangeably as necessary. But as she discovered, that can lead to problems.
By Liz Steen
“OAuth permissions” can be confusing. When you sign in to Claude, Perplexity, or ChatGPT, a pop-up asks whether you want to continue to the service’s sign-in page. Below that, the options are “Continue with Apple,” “Continue with Google,” “Sign up,” or “Log in.”
Most of us click Google or Apple, enter that account’s password, and move on to chatting. Every time you sign in to ChatGPT after that, the login screen flashes the Google or Apple logo, showing that you’ve used OAuth (“Sign in with Google” or “Sign in with Apple”) to get into the account. That Google or Apple account has a password and other protections, so it all seems perfectly safe. Every once in a while you’ll even be asked to re-enter your Google or Apple password. It feels secure.
I used Apple. I assumed that meant someone could only sign into my ChatGPT if they had my Apple password. I downloaded the app on my phone and felt fine about that… I was so wrong.
I need a password to log in to my Apple ID, and my Apple ID is linked to ChatGPT. But a ChatGPT account created this way is never given a password of its own anywhere in that onboarding flow.
You have to go into ChatGPT’s settings to add a password. Until you do, your ChatGPT account has no password at all: the only way in is the Apple or Google login it was created with, so it is exactly as secure as that account and no more. And that account is the hub for everything else. Apple, with the “save password for this site” feature that conveniently stores all your logins in one place. Or Google, with “Sign in with Google” enabled on every other account you own - Pinterest, Adobe, Roblox (which your kid uses).
Your quick-and-easy login opened up a maze of connected accounts. They are now one or two degrees of separation away from an app with no password of its own that you keep open all the time to ask things like “what can I make for dinner with potatoes and chicken thighs.”
Each login through Google or Apple looks like “you” to the app; the app never sees a password, only the provider’s word that you are you. An attacker who gets hold of your open ChatGPT session, or of the Apple or Google login behind it, can be in and out in ten minutes. With the Google or Apple login, they can “Continue with Google” into every site you’ve linked - Adobe, Pinterest, and the rest - and every one of those sign-ins is recorded as you. You can revoke third-party app access in your Google or Apple account settings, but that only removes the app’s standing access going forward. It does not sign out the sessions an attacker has already opened at ChatGPT, Adobe, or Pinterest; only signing out of all devices at each of those apps does that.
That means that to each app, every one of those logins is “you,” and from Google’s or Apple’s side they look like ordinary sign-ins from your account. You will not be able to tell them apart from your own.
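To make that concrete, here is a small added model of the app side of “Continue with Apple.” It is an illustration written for this piece, not code from OpenAI, Apple, or Google. It assumes the provider has already verified the login and handed the app an (issuer, subject) pair, uses an in-memory user table and random session tokens in place of a real database and real ID tokens, and uses a constructed sample identity. It shows three things from the article: an account created this way has no password of its own, a copied session stays valid until you sign out everywhere at the app (revoking the app at Apple or Google never reaches this code), and adding a password in settings adds a second, independent way in.

```python
"""Toy relying party ("the app") for "Continue with Apple/Google".
Added illustration; not OpenAI's, Apple's or Google's code. Everything is
simulated in memory: no network, no real ID token; (issuer, subject) is
assumed to have been verified by the OpenID Connect flow already."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    user_id: str
    email: str
    identities: set = field(default_factory=set)   # (issuer, subject) pairs the provider vouches for
    password_hash: Optional[bytes] = None          # None: the account has no password of its own
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    session_generation: int = 0                    # bumped by "log out of all devices"


@dataclass
class Session:
    token: str
    user_id: str
    generation: int
    via: str                                       # "apple", "google" or "password"


class RelyingParty:
    def __init__(self):
        self.users, self.sessions = {}, {}
        self._by_identity, self._by_email = {}, {}

    def _new_session(self, user, via):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user.user_id, user.session_generation, via)
        return token

    def login_with_idp(self, issuer, subject, email):
        """End of a federated login: the provider said (issuer, subject) is you.
        The first time the pair is seen, an account is created with no password."""
        key = (issuer, subject)
        user_id = self._by_identity.get(key)
        if user_id is None:
            user_id = f"u{len(self.users) + 1}"
            self.users[user_id] = User(user_id, email, {key})
            self._by_identity[key] = user_id
            self._by_email.setdefault(email, user_id)
        return self._new_session(self.users[user_id], issuer)

    def _hash(self, user, password):
        return hashlib.scrypt(password.encode(), salt=user.salt, n=2 ** 14, r=8, p=1)

    def set_password(self, user_id, password):
        """The article's "add a password in settings" step: a second, independent door."""
        user = self.users[user_id]
        user.password_hash = self._hash(user, password)

    def login_with_password(self, email, password):
        user_id = self._by_email.get(email)
        if user_id is None:
            return None
        user = self.users[user_id]
        if user.password_hash is None:
            return None                            # federated-only: the only door is the provider
        if not hmac.compare_digest(self._hash(user, password), user.password_hash):
            return None
        return self._new_session(user, "password")

    def is_valid(self, token):
        s = self.sessions.get(token)
        return s is not None and s.generation == self.users[s.user_id].session_generation

    def logout_everywhere(self, user_id):
        """Revoking the app at Apple/Google never reaches here; only this ends existing sessions."""
        self.users[user_id].session_generation += 1

    def login_methods(self, user_id):
        user = self.users[user_id]
        methods = sorted(issuer for issuer, _ in user.identities)
        return methods + (["password"] if user.password_hash else [])


def demo():
    """Walk through the article's scenario and return what was observed."""
    rp = RelyingParty()
    token = rp.login_with_idp("apple", "001234.abc", "liz@example.com")  # constructed sample identity
    uid = rp.sessions[token].user_id
    before = rp.login_methods(uid)               # ["apple"]: no password exists yet
    stolen_token_valid = rp.is_valid(token)      # a copied session token is "you" to the app
    rp.logout_everywhere(uid)                    # the one action that ends it at the app
    valid_after_logout = rp.is_valid(token)
    rp.set_password(uid, "correct horse battery staple")
    return {"methods_before": before, "stolen_token_valid": stolen_token_valid,
            "valid_after_logout": valid_after_logout, "methods_after": rp.login_methods(uid)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks the scenario end to end. The design point is in `login_with_password`: with `password_hash` set to `None`, there is nothing to check, so the provider login is the whole security of the account; once a password is added there are two doors, which is why the added password needs to be strong and backed by multi-factor authentication rather than being the only fix.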
If you have any AI accounts, open their settings right now. Add a password and, better still, a passkey or a hardware security key such as a YubiKey, and turn on multi-factor authentication wherever the service offers it. Do the same review on the Google or Apple account behind the login, since anyone who gets into that account can sign in to everything linked to it, and sign out of all other devices on every account. Then cross your fingers and hope you did it before someone else got in.