
It’s time to fight the password anti-pattern!

Password Anti-Pattern

As Elias points out in this post over at the DataPortability Project’s Blog, it’s time to fight the password anti-pattern!

Look at Twitter and its recent problems with hacked accounts and you know why. One way to do it would be to use OAuth, which Twitter still does not implement although, AFAIK, they are one of the parties involved in creating that standard. Of course it will not solve all problems, but the fact is that the more you spread your password across all sorts of services, the more likely it is that somebody with bad intentions will be able to use it!

Happily, Twitter made another commitment yesterday to embrace OAuth and to start a closed beta OAuth program this month, which is great (and hopefully coming soon). I hope this will really happen, because they already talked about OAuth some time ago. Of course many things happened back then (like Twitter becoming successful) which shifted priorities, but nevertheless it’s time now to concentrate on better API authorization!

For now I will refrain from using any additional Twitter services until OAuth is in place! And by the way, where is the line between phishing and a bad site asking for your Twitter password in order to use their service?

2 comments

  1. Great post, Christian!

    …OAuth by itself is not the answer – but it is an important part of the solution. Ultimately the solution involves technologies such as OAuth and OpenID, but it also requires a mindset, commitment, and acceptance of responsibility in proactively keeping the rights of users always in the forefront…

    [read the full response…]

  2. Right, OAuth itself is not the answer, and the recent attacks also had nothing to do with having OAuth or not (as I assume not all the celebs use too many external apps). Moreover, if http://blog.wired.com/27bstroke6/2009/01/professe… is true, then they have other things to do as well, like training their staff to use proper passwords.

    But of course without OAuth a phishing scam is much easier to do, because people are used to being asked for their Twitter password. If they weren't used to that (and of course it's now hard to get this out of people's heads), phishing should be at least a little bit harder. Moreover, it would prevent bad sites or tools from collecting your password.

    What this also means is that users probably need to be educated, and IMHO all those websites out there could do a much better job at that.