Stop Sharing Your Twitter Credentials (blog.twitpay.me)
So all someone has to do is create a Twitter-app that collects username and password for 10,000 users and randomly starts paying themselves. What could go wrong?
For now I take people's passwords (I don't have much choice. I need to get someone's friends timeline.)
I'll probably go ahead with that for now, but I'd love to do OAuth when Twitter releases it. But I'll probably go ahead with the current plan for now.
The issue is that there are many Twitter apps (mine, twitpic) that have no choice but to take passwords.
Twitpay can get away with it, but anything that needs to tweet for the user or get the user's tweets has no option until Twitter adds OAuth.
Consider the rampant use of twitter clients. Should you stop using them? Stop trying new ones?
No.
Moreover, each app that asks for passwords for another service adds social proof that this is how we build applications. It isn't.
I agree 100% that asking for passwords is a very bad practice, and users shouldn't be trained to do it. They should fix it immediately.
I suppose people could stick to twitter.com and SMS - but to me, the de facto Twitter world has clients. They are important. I want people to use them. Give your password to sites you trust, Mom.
It has pretty much failed at this point, but it was sort of an attempt to fix this problem.
OAuth wouldn't solve the problem though, it'd just move it somewhere else.
Use a different login for each site - use a password manager.
Besides, it just shows how bankrupt passwords are. We use the same mechanism online to protect our bank accounts and our most meaningless babble. That's just trouble waiting to happen.
Building a business on that is like building a house on the San Andreas fault line and then filling it with priceless Ming vases. It might be fun, might look nice, but it's not exactly strategic.
I was picking up a friend (Todd V., long time lurker) for lunch, and he showed me the post since he uses the pwgen feature as well. I didn't know my password by heart, so he finally created an account and made the post.
Still not sure why it is getting voted down to -1 though, now that an explanation is under it.
As for your cautionary tale, I'm pretty familiar with the players here, axod. Why don't you tell us?
Probably for the average person though as you say, centralizing control is probably easiest until something like that happens to them.
Wouldn't an idea be to centralize this with your ISP? The ISP already knows who you are, seems like they would be a good authority on handling authentication to websites for you. (OK, doesn't work for when you're using some hotel wifi etc)
* Got locked out of their Yahoo mail account for a week
* Lost their GoDaddy account, got locked out of it, and had it redirected to a gay porn site
* Lost their bank account, had thousands in fraudulent charges racked up, and got locked out of the account
* Had all their Yahoo mailing lists scrubbed, and each mailing list member (including his kids' soccer team, which he ran) spammed with gay porn stuff
* Had his tax dox and personal mail dumped in public.
It sounds like your Google experience sucked. But I can think of worse things that can happen than a bureaucratic SNAFU. Let's not just hope that people will get smart about their passwords.