Hacker News
Stop Sharing Your Twitter Credentials (twitpay.me)
50 points by boorad on Dec 10, 2008 | hide | past | favorite | 33 comments



Twitter is currently trialling OAuth on its API which will be available as a beta soon http://apiwiki.twitter.com/REST+API+Documentation#Authentica...


1. Twitter users give any odd site their Twitter username and password.
2. Twitpay and Twitter now have the ability to pay other Twitter users via simple tweets.

So all someone has to do is create a Twitter-app that collects username and password for 10,000 users and randomly starts paying themselves. What could go wrong?


Well for one, Twitpay has checks in place to limit the amount that any one account can send or receive in a given time period.
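The comment above says Twitpay caps how much any one account can send or receive in a given time period. The following is an added example of what such a check looks like, written for this page; it is not Twitpay's code, and the window length and the caps are constructed values. Every payment is checked against the sender's outgoing total and the recipient's incoming total over a sliding window, so the mass-harvesting scenario described earlier in the thread (many compromised accounts paying one recipient) is bounded by the recipient-side cap even when each individual sender stays under its own limit.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 24 * 60 * 60     # assumed: one-day sliding window (constructed)
MAX_SENT_PER_WINDOW = 100.0       # assumed cap on outgoing amount per account
MAX_RECEIVED_PER_WINDOW = 100.0   # assumed cap on incoming amount per account


@dataclass
class AccountWindow:
    """Timestamped (when, amount) entries for one account, pruned to the window."""
    sent: deque = field(default_factory=deque)
    received: deque = field(default_factory=deque)

    @staticmethod
    def _prune(entries, now):
        # Entries are appended in time order, so expired ones sit at the left.
        while entries and entries[0][0] <= now - WINDOW_SECONDS:
            entries.popleft()

    def total_sent(self, now):
        self._prune(self.sent, now)
        return sum(amount for _, amount in self.sent)

    def total_received(self, now):
        self._prune(self.received, now)
        return sum(amount for _, amount in self.received)


class VelocityLimiter:
    """Per-account send/receive velocity limits over a sliding time window."""

    def __init__(self):
        self.accounts = {}

    def _window(self, account):
        return self.accounts.setdefault(account, AccountWindow())

    def check(self, sender, recipient, amount, now):
        """Return (allowed, reason) without recording anything."""
        if amount <= 0:
            return False, "amount must be positive"
        if sender == recipient:
            return False, "self-payment"
        if self._window(sender).total_sent(now) + amount > MAX_SENT_PER_WINDOW:
            return False, "sender over outgoing limit"
        if self._window(recipient).total_received(now) + amount > MAX_RECEIVED_PER_WINDOW:
            return False, "recipient over incoming limit"
        return True, "ok"

    def record(self, sender, recipient, amount, now):
        """Check the payment and, if allowed, record it on both accounts."""
        ok, reason = self.check(sender, recipient, amount, now)
        if ok:
            self._window(sender).sent.append((now, amount))
            self._window(recipient).received.append((now, amount))
        return ok, reason


def accepted_payments(limiter, senders, recipient, amount, start):
    """Constructed scenario from the thread: each of `senders` pays `amount` to
    one recipient, one second apart. Returns how many payments got through."""
    accepted = 0
    for i, sender in enumerate(senders):
        ok, _ = limiter.record(sender, recipient, amount, start + i)
        accepted += ok
    return accepted


if __name__ == "__main__":
    limiter = VelocityLimiter()
    senders = [f"user{i}" for i in range(10)]   # constructed account names
    print("accepted:", accepted_payments(limiter, senders, "collector", 30.0, 0))
    print("collector received:", limiter.accounts["collector"].total_received(10))
```

The two caps do different jobs: the outgoing cap limits what one compromised account can lose, the incoming cap limits what one destination can collect regardless of how many accounts feed it. Both need the window to be computed from server time, not from a timestamp the client supplies.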


Twitpay doesn't let you link it with a credit card or anything. You have to authorize the paypal payment anytime you want to add money to it, so the only money someone could take that way is the money you leave in your account.


I'm actually working on a twitter app that needs passwords that's soon to launch (http://tweetlinkmonster.com/ if you want to see. You can signup if you want, it works and is secure. I just want to polish before really launching.)

For now I take people's passwords (I don't have much choice. I need to get someone's friends timeline.)

I'll probably go ahead with that for now, but I'd love to do OAuth when Twitter releases it. But I'll probably go ahead with the current plan for now.

The issue is that there are many Twitter apps (mine, twitpic) that have no choice but to take passwords.

Twitpay can get away with it, but anything that needs to tweet for the user or get the user's tweets has no option until Twitter adds OAuth.


With every twitter account I feel like squatting on (and, oh, btw, yes everyone does it), I create a not-too-close gmail account for use with just that twitter account (for verification), and use that to test the 3rd party apps that "Must" have your twitter creds in order to work. What I have found, by trial and error, is that over half of ALL the currently available (and some beta) 3rd party apps work PERFECTLY WITHOUT any signup or twitter cred. So why do THOSE particular 3rd party apps need the info? I doubt they need it for future growth of the app or "extra features" later.


Continue to share your twitter credentials with sites you trust, but stop once they implement OAuth.

Consider the rampant use of twitter clients. Should you stop using them? Stop trying new ones?

No.


You're sidestepping the point of the article. Ivan Kirigin is not going to get screwed over by a website that asks for his Twitter password. But my mom might, because it is extremely likely that one of these fly-by-night Twitter add-on apps will lose their database to some stupid SQLI bug. My mom almost certainly uses the same password for Twitter and Yahoo Mail.

Moreover, each app that asks for passwords for another service adds social proof that this is how we build applications. It isn't.


My comment is directed to this community.

I agree 100% that asking for passwords is a very bad practice, and users shouldn't be trained to do it. They should fix it immediately.

I suppose people could stick to twitter.com and sms - but to me, the de facto twitter world has clients. They are important. I want people to use them. Give your password to sites you trust, Mom.


The next blog post will be about how you can do almost everything without "being evil". There are other ways to get the information or behaviors you seek without requiring external logins. Twitter clients are entirely different animals as the credentials are stored individually in many different places (phones and PCs). Hackers look for large, easy targets, like a web site's database or server logs that contain lots of info; they don't do individual hacks by and large because the ROI is just not high enough. Not saying that it's not a risk, just that the risk is MUCH smaller.


I'm surprised no one has mentioned OpenID.

It has pretty much failed at this point, but it was sort of an attempt to fix this problem.


"since they don’t yet offer OAuth"

OAuth wouldn't solve the problem though, it'd just move it somewhere else.

Use a different login for each site - use a password manager.


That's a good point. OAuth would at least centralize the problem towards a more trusted source and limit the number of places the credentials would be stored. I trust Google or Facebook to have more safeguards in place than a webapp that popped up yesterday. As for password managers, I totally agree people should use them, but as a practical matter, most non-tech people do not.


You trust Google to control all your logins ;) I have a cautionary tale to tell about that one...


I certainly don't trust them to control all my logins. But my level of trust for them is much higher than for most in terms of their ability to secure their databases and applications. I use different levels of passwords, depending on the type of site: nytimes.com < gmail.com < bankofamerica.com. I have tried to use a password manager, and am currently trying one out on Safari, but the use of many computers makes it difficult.


I hope that gmail.com account isn't used for email password recovery for the bankofamerica.com account.


For a huge percentage of all Internet users, a Google or Yahoo compromise is game-over; they're going to lose their bank account, and then their social, and their identity (if they lose the lottery). So centralizing on Google or Yahoo is a sensible plan.

As for your cautionary tale, I'm pretty familiar with the players here, axod. Why don't you tell us?


Google shut off my account for a week and I lost access to everything google controls - adsense, adwords, gmail, google code, youtube, blogger, google apps, google for domains etc. etc. They shut it off because "Someone tried to log in to it unsuccessfully".

Probably for the average person though as you say, centralizing control is probably easiest until something like that happens to them.

Wouldn't an idea be to centralize this with your ISP? The ISP already knows who you are, seems like they would be a good authority on handling authentication to websites for you. (OK, doesn't work for when you're using some hotel wifi etc)


A few months ago, someone I know (nontechnical) lost their password on a public blog server. Unfortunately, like most people, they used the same password on their Yahoo mail account. Inside of a day, they:

* Got locked out of their Yahoo mail account for a week

* Lost their GoDaddy account, got locked out of it, and had it redirected to a gay porn site

* Lost their bank account, had thousands in fraudulent charges racked up, and got locked out of the account

* Had all their Yahoo mailing lists scrubbed, and each mailing list member (including his kids' soccer team, which he ran) spammed with gay porn stuff

* Had his tax dox and personal mail dumped in public.

It sounds like your Google experience sucked. But I can think of worse things that can happen than a bureaucratic SNAFU. Let's not just hope that people will get smart about their passwords.


Wasn't this a targeted attack against a security blogger?


Yes. Under normal circumstances, the attackers would have silently harvested all the victim's accounts and sold them in Estonia.



I prefer https://www.grc.com/passwords.htm for my random password generation needs...


Seems like a spam account. Created 10 minutes ago to promote duckduckgo.com.


No, it's not. I built this special page into the search engine because I generate random usernames and passwords for every site I use, e.g. epi0Bauqu.

I was picking up a friend (Todd V., long time lurker) for lunch, and he showed me the post since he uses the pwgen feature as well. I didn't know my password by heart, so he finally created an account and made the post.


I apologize then for the accusation, but for the sake of submitting better comments an explanation (even what you just wrote) would be much better than just submitting a link with no further rationale for submission.


Agreed. Perhaps I should have written it for him :)

Still not sure why it is getting voted down to -1 though, now that an explanation is under it.


Agreed on the password manager. I've got 1Password in Safari, and the "Generate Password" option is so easily available it becomes second nature.


Sounds like that would make it much harder to switch browsers...


Speaking only of 1Password, they have plugins for most, that share the same database. Also syncs to my iPhone.


That's why I use SuperGenPass, it works on every browser, it's open source (it's JavaScript), it's handy, and it even works on my phone. I've got a different password for almost every site now and I don't even have to know them.
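Two approaches to "a different password for every site" come up in this thread: generating an independent random password per site and storing it (the grc.com page and the search-engine pwgen feature mentioned above), or deriving each site's password from one master secret so nothing needs storing (the SuperGenPass approach in the comment just above). The block below is an added illustration of both, written for this page; it is not SuperGenPass's code or algorithm (SuperGenPass's own construction differs), and the alphabet, length, iteration count, and domain-normalisation rule are this example's assumptions. The derived variant runs PBKDF2 over the master with the site's domain as salt and then expands the result into password symbols without modulo bias.

```python
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlsplit

# Assumed parameters: this example's own choices, not any tool's or site's.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 symbols
PASSWORD_LENGTH = 16
PBKDF2_ITERATIONS = 100_000


def registrable_domain(url: str) -> str:
    """Normalise a URL to the host label used as the per-site salt.
    Assumption: the last two labels identify the site ("www.example.com" ->
    "example.com"); a real tool needs the Public Suffix List for example.co.uk."""
    host = (urlsplit(url).hostname or url).lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _symbol_stream(key: bytes):
    """Deterministic stream of ALPHABET symbols expanded from `key` with
    HMAC-SHA256(key, counter). Bytes >= 210 are rejected (210 = 3 * 70) so
    every symbol is equally likely instead of biased by `byte % 70`."""
    limit = 256 - 256 % len(ALPHABET)
    counter = 0
    while True:
        for b in hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest():
            if b < limit:
                yield ALPHABET[b % len(ALPHABET)]
        counter += 1


def meets_policy(password: str) -> bool:
    """Common site rule: at least one lowercase letter, one uppercase, one digit."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def derive_site_password(master: str, url: str, length: int = PASSWORD_LENGTH) -> str:
    """Per-site password from one master secret. Same master + same domain
    always yields the same password; one site's password gives no way back to
    the master or to any other site's password (PBKDF2 is one-way and slow)."""
    domain = registrable_domain(url)
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              ("site:" + domain).encode("utf-8"),
                              PBKDF2_ITERATIONS, dklen=32)
    stream = _symbol_stream(key)
    candidate = "".join(next(stream) for _ in range(length))
    # Slide forward through the stream until the site policy holds; still deterministic.
    while not meets_policy(candidate):
        candidate = candidate[1:] + next(stream)
    return candidate


def random_password(length: int = PASSWORD_LENGTH) -> str:
    """Independent random password (the generator-page approach). Nothing can
    regenerate it, so it has to live in a password manager."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed master secret
    for site in ("https://www.twitter.com/login", "http://twitter.com",
                 "https://mail.yahoo.com/"):
        print(f"{registrable_domain(site):>12}  {derive_site_password(master, site)}")
    print("      random  " + random_password())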


Only a tiny fraction of users are ever going to find out what a password manager is, so you really haven't addressed the article's point.


this was a really, really foolish post in my opinion. you want to build your business on how users really act, not rant at them for acting differently than you expected.

besides, it just shows how bankrupt passwords are. we use the same mechanism online to protect our bank accounts and our most meaningless babble. that's just trouble waiting to happen.

building a business on that is like building a house on the San Andreas faultline and then filling it with priceless Ming vases. it might be fun, might look nice, but it's not exactly strategic.



