

Stop Sharing Your Twitter Credentials - boorad
http://blog.twitpay.me/2008/12/10/stop-sharing-your-twitter-credentials/

======
chime
1. Twitter users give any odd site their Twitter username and password.
2. Twitpay and Twitter now have the ability to pay other Twitter users via simple tweets.

So all someone has to do is create a Twitter-app that collects username and
password for 10,000 users and randomly starts paying themselves. What could go
wrong?

~~~
dbrown26
Well for one, Twitpay has checks in place to limit the amount that any one
account can send or receive in a given time period.

------
danw
Twitter is currently trialling OAuth on its API which will be available as a
beta soon
[http://apiwiki.twitter.com/REST+API+Documentation#Authentica...](http://apiwiki.twitter.com/REST+API+Documentation#Authentication)

------
jackowayed
I'm actually working on a twitter app that needs passwords that's soon to
launch (<http://tweetlinkmonster.com/> if you want to see. You can sign up if
you want, it works and is secure. I just want to polish before really
launching.)

For now I take people's passwords (I don't have much choice. I need to get
someone's friends timeline.)

I'll probably go ahead with that for now, but I'd love to do OAuth when Twitter
releases it. But I'll probably go ahead with the current plan for now.

The issue is that there are many Twitter apps (mine, twitpic) that have no
choice but to take passwords.

Twitpay can get away with it, but anything that needs to tweet for the user or
get the user's tweets has no option until Twitter adds OAuth.

------
phunk
With every twitter account I feel like squatting on (and, oh, btw, yes
everyone does it), I create a not-too-close gmail account for use with just
that twitter account (for verification), and use that to test the 3rd party
apps that "Must" have your twitter creds in order to work. What I have found,
by trial and error, is that over half of ALL the currently available (and some
beta) 3rd party apps work PERFECTLY WITHOUT any signup or twitter cred. So why
do THOSE particular 3rd party apps need the info? I doubt they need it for
future growth of the app or "extra features" later.

------
ivankirigin
Continue to share your twitter credentials with sites you trust, but stop once
they implement OAuth.

Consider the rampant use of twitter clients. Should you stop using them? Stop
trying new ones?

No.

~~~
tptacek
You're sidestepping the point of the article. Ivan Kirigin is not going to get
screwed over by a website that asks for his Twitter password. But my mom
might, because it is extremely likely that one of these fly-by-night Twitter
add-on apps will lose their database to some stupid SQLI bug. My mom almost
certainly uses the same password for Twitter and Yahoo Mail.

Moreover, each app that asks for passwords for another service adds social
proof that this is how we build applications. It isn't.

~~~
ivankirigin
My comment is directed to this community.

I agree 100% that asking for passwords is a very bad practice, and users
shouldn't be trained to do it. They should fix it immediately.

I suppose people could stick to twitter.com and SMS - but to me, the de facto
twitter world has clients. They are important. I want people to use them. Give
your password to sites you trust, Mom.

~~~
dbrown26
The next blog post will be about how you can do almost everything without
"being evil". There are other ways to get the information or behaviors you
seek without requiring external logins. Twitter clients are entirely different
animals as the credentials are stored individually in many different places
(phones and PCs). Hackers look for large, easy targets, like a web site's
database or server logs that contain lots of info; they don't do individual
hacks by and large because the ROI is just not high enough. Not saying that
it's not a risk, just that the risk is MUCH smaller.

------
dcurtis
I'm surprised no one has mentioned OpenID.

It has pretty much failed at this point, but it was sort of an attempt to fix
this problem.

------
axod
"since they don’t yet offer OAuth"

OAuth wouldn't solve the problem though, it'd just move it somewhere else.

Use a different login for each site - use a password manager.

~~~
tav
<http://duckduckgo.com/?q=pw>

~~~
notdarkyet
Seems like a spam account. Created 10 minutes ago to promote duckduckgo.com.

~~~
epi0Bauqu
No, it's not. I built this special page into the search engine because I
generate random usernames and passwords for every site I use, e.g. epi0Bauqu.

I was picking up a friend (Todd V., long time lurker) for lunch, and he showed
me the post since he uses the pwgen feature as well. I didn't know my password
by heart, so he finally created an account and made the post.

~~~
notdarkyet
I apologize then for the accusation, but for the sake of submitting better
comments an explanation (even what you just wrote) would be much better than
just submitting a link with no further rationale for submission.

~~~
epi0Bauqu
Agreed. Perhaps I should have written it for him :)

Still not sure why it is getting voted down to -1 though, now that an
explanation is under it.

------
giles_bowkett
this was a really, really foolish post in my opinion. you want to build your
business on how users really act, not rant at them for acting differently than
you expected.

besides, it just shows how bankrupt passwords are. we use the same mechanism
online to protect our bank accounts and our most meaningless babble. that's
just trouble waiting to happen.

building a business on that is like building a house on the San Andreas
faultline and then filling it with priceless Ming vases. it might be fun,
might look nice, but it's not exactly strategic.

