
And Twitter Goes Down Again - Anon84
http://www.washingtonpost.com/wp-dyn/content/article/2009/02/11/AR2009021100753.html
======
jgrahamc
"yes, it asks for your user name and password and no, we won't do anything
wrong with it"

But you'll store it right? And that means if someone breaks into your database
they've got my password for Twitter.

Sites that ask for a password are dangerous. Suppose that Twitter does a
really great job of salted hashing of passwords, so that it wouldn't matter if
someone broke into the Twitter database.

Then along comes a third-party service that needs to integrate with Twitter
and so asks for my password. All the good work done by Twitter on password
security is gone.

But from the public's perspective there's no difference between the two. Both
seem to need to know the password; one creates a security risk, the other
doesn't.

The only solution to this problem is that Twitter provide an authentication
service for its users.
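
The contrast jgrahamc draws here, a third party that keeps the password versus a provider that issues its own credential, as an added example that is not part of the thread and is not Twitter's or Twiddict's code. It assumes OAuth 1.0a HMAC-SHA1 request signing (RFC 5849, the scheme Twitter did later ship); the Provider class, sign_request, the app key and secret, the user and the URL are all constructed for the example.

```python
"""Added example, not code from the thread, Twitter or Twiddict: the password
stays with the provider (salted hash only); the third party gets a revocable
OAuth 1.0a token and signs each request with HMAC-SHA1 (RFC 5849). Names and
secrets are constructed; the URL is assumed already normalized (scheme://host/path)."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """RFC 5849 percent-encoding: only ALPHA / DIGIT / - . _ ~ are left alone."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & enc(url) & enc(sorted k=v pairs), each pair encoded once first."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])


def hmac_sha1_signature(base, consumer_secret, token_secret):
    """Key is enc(consumer_secret) & enc(token_secret); result is base64 of the HMAC."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


class Provider:
    """Twitter's role (constructed): salted password hashes plus per-app tokens it can revoke."""

    def __init__(self, consumer_key, consumer_secret):
        self.consumers = {consumer_key: consumer_secret}
        self.password_hashes = {}  # user -> (salt, pbkdf2 hash); the plaintext is never kept
        self.tokens = {}  # oauth_token -> (user, token_secret)
        self.seen = set()  # (token, timestamp, nonce) already accepted; replay guard

    def register_user(self, user, password):
        salt = secrets.token_bytes(16)
        self.password_hashes[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def authorize(self, user, password):
        """The password is shown to the provider only; the app receives a token pair."""
        salt, stored = self.password_hashes[user]
        if not hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)):
            raise PermissionError("bad password")
        token, token_secret = secrets.token_hex(16), secrets.token_hex(16)
        self.tokens[token] = (user, token_secret)
        return token, token_secret

    def revoke(self, token):
        self.tokens.pop(token, None)  # cuts off one app without touching the password

    def verify(self, method, url, params, oauth):
        """Return the user for a valid, unreplayed signature, None otherwise."""
        user, token_secret = self.tokens.get(oauth.get("oauth_token"), (None, None))
        consumer_secret = self.consumers.get(oauth.get("oauth_consumer_key"))
        replay_key = (oauth.get("oauth_token"), oauth.get("oauth_timestamp"), oauth.get("oauth_nonce"))
        if user is None or consumer_secret is None or replay_key in self.seen:
            return None
        unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
        base = signature_base_string(method, url, {**params, **unsigned})
        expected = hmac_sha1_signature(base, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
            return None
        self.seen.add(replay_key)
        return user


def sign_request(method, url, params, consumer_key, consumer_secret, token, token_secret):
    """The third party builds the oauth_* parameters; the password never passes through it."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_token": token,
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
             "oauth_nonce": secrets.token_hex(8), "oauth_version": "1.0"}
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


def demo():
    """Constructed walkthrough; returns what each party ends up able to do."""
    user, password = "alice", "correct horse battery staple"
    twiddict_vault = {user: password}  # the password-collecting model: recoverable, so a breach leaks it

    twitter = Provider("app-key", "app-secret")
    twitter.register_user(user, password)
    token, token_secret = twitter.authorize(user, password)
    url, params = "https://twitter.com/statuses/update.json", {"status": "hello from an app"}
    oauth = sign_request("POST", url, params, "app-key", "app-secret", token, token_secret)

    results = {
        "collector_breach_leaks_password": twiddict_vault.get(user) == password,
        "provider_breach_leaks_no_plaintext": password not in str(twitter.password_hashes),
        "tampered_body_rejected": twitter.verify("POST", url, {"status": "pwned"}, oauth) is None,
        "signed_request_accepted": twitter.verify("POST", url, params, oauth) == user,
        "replay_rejected": twitter.verify("POST", url, params, oauth) is None,
    }
    twitter.revoke(token)
    fresh = sign_request("POST", url, params, "app-key", "app-secret", token, token_secret)
    results["revoked_token_rejected"] = twitter.verify("POST", url, params, fresh) is None
    return results
```

The third party ends up holding only a token pair the provider can revoke per app, while the password-collecting model must hold something it can replay as the user. A real provider would also reject stale timestamps and normalize the URL (drop the query string and default port) before signing.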

~~~
katamole
But they say they take password security "extremely seriously".

What could possibly go wrong?

~~~
jgrahamc
You are correct, what could possibly go wrong?

Oh wait, they take password security so seriously that the login form which
sends my Twitter username and password does so over HTTP and not HTTPS!
Hooray, my password goes across the wire in plain text.

~~~
wallflower
It's not advertised because mass use would take down their servers, but someone
on HN pointed this out (even your tweets will be encrypted [at least until
they are globally published]):

<https://twitter.com>

~~~
jgrahamc
No, I'm talking about Twiddict. Even if you hit <http://twitter.com/> they do
the password authentication over https. Twiddict does not.

~~~
wallflower
OK. Didn't read clearly. OAuth will be rolled out eventually.

