Security researchers at Fortinet say a new trend among popular Web sites like Facebook may be teaching users the wrong lesson, causing them to unlearn what took years to teach them in the first place.

The rule of thumb for well-educated online users is to never, ever give out sensitive information, such as log-in credentials. That kind of information is the stuff of dreams for the growing phalanx of phishers and hackers hungry for user names, passwords, and other choice tidbits of online identities.

The problem is that a growing number of legitimate Web sites are asking users to hand over just this information, according to Steve Fossen, manager of threat research at Fortinet.

"There are a lot of sites out there asking for this information," he told InformationWeek. "It used to just be phishers and now we're seeing legitimate sites, like Facebook, doing it. People are giving them the information because they think it's convenient but it's just a bad idea."

Fossen explained that sites like Facebook ask for users' e-mail and IM login information so they, for example, can pick out their users' friends' addresses and set up their contact list for them. It saves users time.

Facebook could not be reached for comment.

The problem is that while Facebook may be on the up and up when it comes to going through users' contact lists, many other sites and individuals are not. And Fossen said it's just a bad idea to get into the habit of giving out that kind of information.

"Because people are getting used to doing this for legitimate sites, they're more apt to hand it out to phishers," he added. "It's not good to be handing out that information. You're no longer thinking about securing your information. I tend to think it's a scary trend."