Rethinking authentication for twitter (scripting.com)
9 points by utnick on Jan 5, 2009 | hide | past | favorite | 10 comments



"do you see any problems??"

Yes:

- You're still submitting your password to an untrusted entity. As soon as they have it, they can: (a) change your password and lock you out of your account (b) attempt to use that password for other services you use as most people re-use their passwords

- IP address filtering is useless. The attacker just needs access to a botnet to flood you with requests.

Something OAuth-like is the only way forward: granting revocable, fine-grained access to whatever subset of operations is required for the service in question. Bonus points for being able to undo all operations of a certain type resulting from that third-party access. (i.e. 1-click undo of all DMs, tweets, etc.)

I really hope they make this work soon.


"revocable, fine-grained access to whatever subset of operations is required for the service in question"

This is exactly what is needed, and what the current "OAuth doesn't solve Phishing!" response misses.


I don't get it. If you're worried about someone taking the user/password you gave them and being unscrupulous with it, exactly what does tracking IP addresses buy you? The thing you're most worried about is that they're going to sell every asshole on the Internet a DVD with usernames and passwords on it.


I say let users create a 128-bit UID that lets remote users read or post messages from your account. Let people track what that UID did and you can smack down any issues.
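The scoped, revocable, auditable token that the two comments above describe (an OAuth-like grant limited to a subset of operations, a 128-bit identifier the third party holds instead of the password, and one-click undo of everything done under it), written out as an added example that is not part of the original thread; `TokenStore` and its methods are hypothetical names, not any real Twitter or OAuth API:

```python
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    owner: str
    scopes: frozenset   # the subset of operations this third party may perform
    revoked: bool = False


class TokenStore:
    """Issues per-app tokens and records which token performed which action,
    so abuse can be traced to one grant and undone without touching the password."""

    def __init__(self):
        self.tokens = {}    # token id -> Token
        self.actions = []   # [token id, op, payload, undone]

    def issue(self, owner, scopes):
        # 128-bit random identifier handed to the third party; the password never leaves the user
        tid = secrets.token_hex(16)
        self.tokens[tid] = Token(owner, frozenset(scopes))
        return tid

    def act(self, tid, op, payload):
        tok = self.tokens.get(tid)
        if tok is None or tok.revoked:
            return False
        if op not in tok.scopes:    # least privilege: a read-only grant cannot post or DM
            return False
        self.actions.append([tid, op, payload, False])
        return True

    def revoke(self, tid):
        # Revoking one grant leaves the account and every other grant untouched
        self.tokens[tid].revoked = True

    def undo_all(self, tid, op):
        """One-click undo: retract every action of one type made under this token."""
        count = 0
        for action in self.actions:
            if action[0] == tid and action[1] == op and not action[3]:
                action[3] = True
                count += 1
        return count

    def visible(self, op):
        return [a[2] for a in self.actions if a[1] == op and not a[3]]
```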


At that point, might as well go with something standard, like OAuth.


OAuth Core 1.0, the main protocol, was finalized in December.

Is there anything out there that is well known and stable?


I'm sure there's something buried in the bowels of SAML, but that doesn't make it well-known or stable.


The author misses the point that OAuth allows a site to interface with external servers WITHOUT having user credentials pass through a third party. Further, the technique described would not have prevented today's Twitter attacks. It would only prevent continual abuse from a single server. How hard is it for an enterprising young (or old) hacker to find another IP to use though?


How did this make it on to HN... The author of the article is clearly confused about the issue. More, who the hell cares... it is Twitter. If you are worried about someone ruining your good name by hacking your twitter account, you most certainly have more relevant personal issues to address. How was the article "techie" at all aside from name dropping and the author's self validation from "implementing" a similar auth API? burn:period:


Sometimes I read Dave Winer for his opinion pieces. I try to avoid any technical pieces he writes, however.



