Original page
http://mashable.com/2009/01/01/is-it-stupid-to-trust-twitter-apps-with-your-password/ -
Twitter needs to add some form of "read-only" access to their API so that you can grant read-only access to these third-party services. Even better would be one-time key generation so each service can be given a unique read-only key that you can revoke if necessary.
At the least it would pay to keep track of all the Twitter services you sign up with, so if you need to change your password because one goes bad you can re-sign with the trusted ones again with your new password.
- Paul
@CraneFactory
I'm guessing not many.
You are giving out your password to any idiot on your network that can use ettercap every time you log in.
Worse, what if they went into your profile and deleted your account? You'd lose all your followers, conversations, everything.
Different pain for different people but for big Twitter users I imagine that would really suck.
email address to give a response. But I give you the info because you have established your presence and brand, and have been doing so for more 24hrs.
It does not always pay to jump at every new gadget offered. It makes "trust agents" more important than ever, but also endangers the true value of Twitter, which is the ability to voice your thoughts and opinions and be heard by everyone on reasonably equal terms.
Now the growing pains are starting to hurt the participants, which makes the case that social media can hurt as much as help. In a way, it may be good that this happened so quickly, so that tweeters can open their eyes and "corporate" can focus on these shortcomings and provide a heads up, if not a recommended vendor list.
That said, trusting an application to store your information, especially a totally new startup, is very questionable.
In a way Twitter is responsible for all the mess with Twply. I am truly amazed at how they are getting away with this security hole. It's not like they have to invent something. Google, Yahoo, Facebook etc. have implemented secure third-party access. Look to OpenID. It will take a week or less to implement a better authentication mechanism.
Twitter "Trust no one"
I just wrote, for fun... learning the Facebook Connect API, a site that implements both, and while the Facebook stuff was a little much it just feels cleaner (in an "it's not dirty" sense of the phrase).
FYI... http://pinggr.com ... both APIs... Facebook Connect for login and status updates, and Twitter as one of the places to send updates...
something unauthorized with your password or is selling out, change your password ASAP, and stop using "maggie" as the password for everything you do.
Simple brute force password crackers use text dictionaries to crack passwords and can be multi-loaded with any number of dictionaries including biographical names, fictional characters, foreign dictionaries etc. and easily set up to add numbers in varying combinations both before and after each.
I would never trust a third party Twitter app with access to any one of my 30 or so email accounts though - not for a minute. So my answer is maybe.
Perhaps Twitter users need to cool down, read what they so willing retweet, think about what they tweet, and carefully consider what Twitter apps, eRoi books, and bloggers they support.
to my email. I sign into Twitter 3rd party apps and I don't care 95% of the time because there is nothing valuable in my Twitter account. Realistically, what are hackers going to do with my account? Nothing permanent, for sure.
What I would say is look beyond the login portion and evaluate what other information is required by the organisation; some sites want your email address and don't really have a good reason for it. If they don't have a good reason, why would they ask? Sites that require an email address are often being lazy in my opinion, as there are ways of working around email.
Some above this comment are talking about OpenID and OAuth here, but that is not an answer in itself, because OpenID will pass along your email address, as will OAuth, so when they finally come to Twitter watch how many sites jump at the chance to get your email address, since they were unable to before that point and the issue was moot.
Just be smart, and if you are not sure, Twitter is a community of friends, so ask a friend and see what their thoughts are. Lots of 3rd party sites are around pretty much permanently, so don't get in such a hurry that you sign up immediately upon launch. If you are one of those that has to be first, then just have a dummy account to try the service out for a while and talk to people (your Twitter community) about the site.
password across many sites from one place.
In order for just about any app/script to post/crosspost anything on your behalf, you have to give them the rights to do that by giving the third party your details.
Twitter do not currently provide a way to do anything on your behalf without using "username:password" in the call to the API.
It's all a question of trust at the end of the day.
Twitter do need to implement a secondary password/API key for this sort of thing though. See how places like Flickr/Google/GData/FriendFeed etc. do it.
It just means slightly more development to be done, which isn't as easy, but worth learning.
I discovered that a malicious 3rd party developer could have permanent access to users' accounts by logging in once. Even if you change your password, they can still get back in and lock you out!
unique and based on different languages, historical numbering systems and a unique transformation algorithm I won't divulge, but to give you a general hint: study the Enigma system. Enigma was developed in a time computers did not exist. (THEREFORE?) these systems were more difficult to crack than computer-generated keys.
But to the question asked, yes it is stupid, but I still do it. The real stupidity is on us for not demanding a 3rd party auth (hello friendfeed, you do it right).
(if different with respect to the current one). In any case when you sell, you sell everything, and you don't have to ask permission from users.
In general I discourage anybody from providing login data to 3rd party applications, especially web apps, where login data necessarily transit through 3rd party servers before arriving at Twitter.
The case of desktop applications is rather different. Apps like Posty or TweetDeck send data directly to Twitter servers. In principle they could send data also to 3rd party servers, but this is easily discoverable and, if it were the case, somebody would have already alarmed users :)
Unfortunately we have few other options until Twitter offer OAuth or some similar alternative. I've absolutely no interest in the passwords of my users and would much rather not have to manage them at all. Unfortunately, due to Twitter's current setup, asking for passwords is the only option if you mean to provide access to their protected API methods.
As in most cases, education is the best resolution. It always bothers me to get emails from distant acquaintances to join some service I'm sure they just recklessly offered their email credentials to so the app can "help find their friends." It's a poor practice and would be useless if more people knew just how dangerous it is to share their private credentials - especially their email password!!
Then again, if the general public knew better, spam wouldn't exist.
and use SQLite for local data storage.
That way, developers can sleep easy knowing they're not having to bear the responsibility of storing people's passwords and still deliver all the same functionality - if not more!
Users log in with their Twitter username and password, so that we can grab their avatar. (There isn't any other way to do it.)
I would hope that twitcrush users would approach 3rd party apps the way I do. Investigate: make sure it is a credible source, don't just blindly use it.
For more info about twitcrush:
http://arandproud.blogspot.com/2009/01/declare-...
with all the OAuth crap, and if an evil desktop app wants to be evil, then it can do better evil things like install a keylogger rather than just post spam to Twitter. Getting an OAuth token is nothing compared to local code.
If an app *wants* to use OAuth, well, ok, $DEITY bless them, but opening a browser window to get credentials sucks.
Assuming twitcrush doesn't send tweets on behalf of its users, I can't think of any reason such a service could not run without requiring passwords. Tweeter (#40) does allow its users to post tweets through it, so Mark's comment is perfectly valid.
Don't get me wrong, I want to see Twitter support OAuth as much as the next developer, but I feel quite strongly that the negative press that is being generated around this subject at the moment is as much developers' fault as it is Twitter's. I also think people need to remember that OAuth will only provide two benefits over passwords...
1) Apps that require passwords can maliciously change said passwords and effectively lock users out of their accounts. One hopes this won't be possible through the new OAuth-secured API.
2) Twitter and users will be able to revoke permission for individual applications to use their account without affecting the other applications and services in use.
There is a major downside to OAuth in that it's far easier to build a phishing scenario when a user has to be bounced off another site to authenticate. I don't know if Twitter are taking steps to limit this risk but it's worth noting because the general attitude across most coverage of this issue has been that OAuth will make Twitter secure. It won't - nothing can.
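The two benefits listed above (an app cannot change the password it never held, and one app's access can be revoked without touching the others), together with the read-only grant proposed earlier in the thread, can be shown with a small model of per-application tokens. This is an added example, not Twitter's API and not any commenter's code; the `Account` and `Grant` classes, the scope names and the app names are invented for illustration, and the plaintext password in the toy stands in for whatever a real service would store.

```python
"""Toy model of per-application access tokens with scopes and revocation.

Constructed illustration (not Twitter's API): each third-party app gets its
own token carrying only the scopes the owner granted, the owner can revoke one
app without affecting the rest, and no token can ever change the password.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    app_name: str
    scopes: frozenset      # e.g. {"read"} or {"read", "write"}
    revoked: bool = False


class Account:
    # Actions an app may be delegated. Changing the password is deliberately
    # not grantable, so a delegated token can never lock the owner out.
    GRANTABLE = frozenset({"read", "write"})

    def __init__(self, username: str, password: str):
        self.username = username
        self._password = password       # plaintext only in this toy model
        self._grants: dict[str, Grant] = {}   # token -> Grant

    def change_password(self, old: str, new: str) -> None:
        # Only the owner, who knows the current password, may rotate it;
        # apps hold tokens, not the password, so they cannot call this.
        if not hmac.compare_digest(old, self._password):
            raise PermissionError("current password does not match")
        self._password = new

    def authorize_app(self, app_name: str, scopes) -> str:
        scopes = frozenset(scopes)
        if not scopes <= self.GRANTABLE:
            raise ValueError(f"ungrantable scopes: {sorted(scopes - self.GRANTABLE)}")
        token = secrets.token_urlsafe(32)    # unique per app, unrelated to the password
        self._grants[token] = Grant(app_name, scopes)
        return token

    def revoke_app(self, app_name: str) -> int:
        """Revoke every live token for one app; returns how many were revoked."""
        count = 0
        for grant in self._grants.values():
            if grant.app_name == app_name and not grant.revoked:
                grant.revoked = True
                count += 1
        return count

    def check(self, token: str, action: str) -> bool:
        """Would an API call presenting `token` be allowed to perform `action`?"""
        grant = self._grants.get(token)
        return grant is not None and not grant.revoked and action in grant.scopes

    def active_apps(self) -> list:
        return sorted({g.app_name for g in self._grants.values() if not g.revoked})


def demo() -> dict:
    """Walk through the properties the thread asks for and report each one."""
    acct = Account("alice", "correct horse")           # constructed sample account
    ro = acct.authorize_app("stats-widget", {"read"})   # read-only grant
    rw = acct.authorize_app("desktop-client", {"read", "write"})
    results = {
        "ro_can_read": acct.check(ro, "read"),
        "ro_can_write": acct.check(ro, "write"),
        "rw_can_write": acct.check(rw, "write"),
    }
    # A token that could change the password is simply not issuable.
    try:
        acct.authorize_app("suspicious-app", {"read", "password"})
        results["password_scope_granted"] = True
    except ValueError:
        results["password_scope_granted"] = False
    # Revoking one app leaves the other untouched (benefit 2 in the comment).
    results["revoked_count"] = acct.revoke_app("stats-widget")
    results["ro_after_revoke"] = acct.check(ro, "read")
    results["rw_after_revoke"] = acct.check(rw, "write")
    # Rotating the password neither breaks trusted apps nor tells them the
    # new secret, which is the opposite of the shared-password situation.
    acct.change_password("correct horse", "new passphrase")
    results["rw_after_pw_change"] = acct.check(rw, "write")
    results["active_apps"] = acct.active_apps()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast with the shared-password model is that revocation here is a per-token operation, whereas with a shared password the only revocation available is changing the password, which cuts off every app at once and forces the owner to re-enter the new secret into each trusted one.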
Yes, Twitcrush.com tweets for the users.
I'm sure we can all agree that we want our users to feel safe, secure and happy with their Twitter web apps.
Thanks for all your comments!