You caught it, right? She believes she could use her Facebook user and password to log into this site. *sigh* It’s horrifying how easily a bad actor could build a honeypot to collect Facebook credentials.

In addition to confusion over when/where/how to log-in and log-out, we know that sites have big percentages of users with multiple accounts.

…

As much as your business case allows, use only one identity provider. If you’re using Facebook Connect, don’t have a standard log-in. Too often, two log-in systems are less than the sum of their parts.

I take the moral of the story to be: Don't use Facebook Connect.

Because anyone who uses Facebook Connect will only confuse users with a standard log-in.

And not everyone wants to use Facebook, so a standard log-in is a must-have.

Semil Shah led a good discussion about this a year ago:

http://pandawhale.com/post/1293/thoughts-on-third-party-sites-that-require-facebook-login

Social login buttons aren't worth it, says MailChimp:

http://pandawhale.com/post/6990/social-login-buttons-arent-worth-it-says-mailchimp