Comments on: Twitter and the Password Anti-Pattern http://factoryjoe.com/blog/2009/01/02/twitter-and-the-password-anti-pattern/ This can all be made better. Ready? Begin. Tue, 16 Mar 2010 16:24:43 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Identity, relationships and why OAuth and OpenID matter « Derivadow.com http://factoryjoe.com/blog/2009/01/02/twitter-and-the-password-anti-pattern/comment-page-1/#comment-103556 Identity, relationships and why OAuth and OpenID matter « Derivadow.com Thu, 08 Jan 2009 15:17:06 +0000 http://factoryjoe.com/blog/?p=1092#comment-103556 [...] aren’t trying to do anything malicious – far from it — as Chris Messina explains: The difference between run-of-the-mill phishing and password anti-pattern cases is intent. Most [...] [...] aren’t trying to do anything malicious – far from it — as Chris Messina explains: The difference between run-of-the-mill phishing and password anti-pattern cases is intent. Most [...]

]]> By: Twitter Security Fiesta Post-Mortem | Startup Security http://factoryjoe.com/blog/2009/01/02/twitter-and-the-password-anti-pattern/comment-page-1/#comment-103541 Twitter Security Fiesta Post-Mortem | Startup Security Tue, 06 Jan 2009 19:20:52 +0000 http://factoryjoe.com/blog/?p=1092#comment-103541 [...] can wade through the various misconceptions. Chris Messina actually has a fantastic blog post on password usage and Twitter. Unfortunately, there is still the misconception that OAuth would have fixed this and prevented the [...] [...] can wade through the various misconceptions. Chris Messina actually has a fantastic blog post on password usage and Twitter. Unfortunately, there is still the misconception that OAuth would have fixed this and prevented the [...]

]]> By: OAuth for Twitter now! http://factoryjoe.com/blog/2009/01/02/twitter-and-the-password-anti-pattern/comment-page-1/#comment-103535 OAuth for Twitter now! Tue, 06 Jan 2009 15:16:50 +0000 http://factoryjoe.com/blog/?p=1092#comment-103535 [...] application need a reliable and useful authentication-mechanism as well. As Chris Messina puts it: Everyone’s got their priorities and Twitter has come a long way in the past several months in [...] [...] application need a reliable and useful authentication-mechanism as well. As Chris Messina puts it: Everyone’s got their priorities and Twitter has come a long way in the past several months in [...]

]]> By: Let's kill the password anti-pattern before the next web cycle » By Elias Bizannes » article » Liako.Biz http://factoryjoe.com/blog/2009/01/02/twitter-and-the-password-anti-pattern/comment-page-1/#comment-103514 Let's kill the password anti-pattern before the next web cycle » By Elias Bizannes » article » Liako.Biz Tue, 06 Jan 2009 00:40:51 +0000 http://factoryjoe.com/blog/?p=1092#comment-103514 [...] by Chris Messina, I would like to see us all agree on making 2009 the year we kill the password anti-pattern. [...] [...] by Chris Messina, I would like to see us all agree on making 2009 the year we kill the password anti-pattern. [...]

]]> By: buildblog | Berühmte Twitter Accounts gehackt http://factoryjoe.com/blog/2009/01/02/twitter-and-the-password-anti-pattern/comment-page-1/#comment-103503 buildblog | Berühmte Twitter Accounts gehackt Mon, 05 Jan 2009 20:30:28 +0000 http://factoryjoe.com/blog/?p=1092#comment-103503 [...] sie auch nicht gehackt, sondern jemand ganz anderes. Immerhin verwendet Twitter seit Ewigkeiten das Anti-Pattern der Authentifzierung schlechthin… Tags: Password. hacking, Twitter, [...] [...] sie auch nicht gehackt, sondern jemand ganz anderes. Immerhin verwendet Twitter seit Ewigkeiten das Anti-Pattern der Authentifzierung schlechthin… Tags: Password. hacking, Twitter, [...]

]]> By: Network Security Blog » Four information points on Twitter phishing http://factoryjoe.com/blog/2009/01/02/twitter-and-the-password-anti-pattern/comment-page-1/#comment-103498 Network Security Blog » Four information points on Twitter phishing Mon, 05 Jan 2009 16:22:18 +0000 http://factoryjoe.com/blog/?p=1092#comment-103498 [...] Twitter and the Password anti-pattern - I’ve only gotten about half way through this paper, but I like the ideas I’m reading.  This is basically an argument for taking Twitter beyond username/password and adding in functionality that would allow you to share some of your capabilities as a user with a third party.   [...] [...] Twitter and the Password anti-pattern – I’ve only gotten about half way through this paper, but I like the ideas I’m reading.  This is basically an argument for taking Twitter beyond username/password and adding in functionality that would allow you to share some of your capabilities as a user with a third party.   [...]

]]> By: Perception and reality in the land of OpenID | FactoryCity http://factoryjoe.com/blog/2009/01/02/twitter-and-the-password-anti-pattern/comment-page-1/#comment-103465 Perception and reality in the land of OpenID | FactoryCity Sun, 04 Jan 2009 23:11:43 +0000 http://factoryjoe.com/blog/?p=1092#comment-103465 [...] FactoryCity This can all be made better. Ready? Begin. Skip to content AboutArchivesTagsProjectsLinksScreenshotsContact « Twitter and the Password Anti-Pattern [...] [...] FactoryCity This can all be made better. Ready? Begin. Skip to content AboutArchivesTagsProjectsLinksScreenshotsContact « Twitter and the Password Anti-Pattern [...]

]]> By: Twitter and Facebook hit by phishing attacks | Technology | guardian.co.uk http://factoryjoe.com/blog/2009/01/02/twitter-and-the-password-anti-pattern/comment-page-1/#comment-103459 Twitter and Facebook hit by phishing attacks | Technology | guardian.co.uk Sun, 04 Jan 2009 20:43:03 +0000 http://factoryjoe.com/blog/?p=1092#comment-103459 [...] Chris Messina and others have pointed out, Twitter ought to support a mechanism such as OAuth for “delegated authentication”, and [...] [...] Chris Messina and others have pointed out, Twitter ought to support a mechanism such as OAuth for “delegated authentication”, and [...]

]]> By: Chris Messina http://factoryjoe.com/blog/2009/01/02/twitter-and-the-password-anti-pattern/comment-page-1/#comment-103435 Chris Messina Sun, 04 Jan 2009 03:33:21 +0000 http://factoryjoe.com/blog/?p=1092#comment-103435 The irony, Tom, is that Twitter titled their post "Don't Share Your Secret Info!" and yet that's the only way that you can use third-party apps, which Twitter clearly promotes. If Twitter says "don't share your secret info" but don't provide a way to still make use of third party apps, it's ironic because we've been saying that all along. I think it's time for your mom to send you to your room. You need to study more. The irony, Tom, is that Twitter titled their post “Don’t Share Your Secret Info!” and yet that’s the only way that you can use third-party apps, which Twitter clearly promotes. If Twitter says “don’t share your secret info” but don’t provide a way to still make use of third party apps, it’s ironic because we’ve been saying that all along.

I think it’s time for your mom to send you to your room. You need to study more.

]]> By: Joe Cascio http://factoryjoe.com/blog/2009/01/02/twitter-and-the-password-anti-pattern/comment-page-1/#comment-103434 Joe Cascio Sun, 04 Jan 2009 03:23:55 +0000 http://factoryjoe.com/blog/?p=1092#comment-103434 I don't buy the "developers would have a lot of trouble understanding it" argument. Yes, it's more involved than Simple Authentication but I was able to implement a web app client using the Flickr and Google authorization mechanisms in a few days, and that was using a new language and a new web framework in the bargain. Once you see how one works, it becomes a lot easier to understand the others as they all work on the same basic strategy. Also, there are open-source client libraries in many languages that simplify the developers job. Although quite frankly, I wrote the Google auth code making straight HTTP calls. I can't imagine OAuth is that much more complicated. I think the larger issue here is that Twitter has a moral obligation to at least try to provide whatever protection it can to its users' identities. The argument of "if you don't like it don't use it" is simply cavalier. People are using this service for more than just talking about what they had for breakfast. Twitter has a responsibility to their users and they ought to step up and fulfill it. I don’t buy the “developers would have a lot of trouble understanding it” argument. Yes, it’s more involved than Simple Authentication but I was able to implement a web app client using the Flickr and Google authorization mechanisms in a few days, and that was using a new language and a new web framework in the bargain. Once you see how one works, it becomes a lot easier to understand the others as they all work on the same basic strategy. Also, there are open-source client libraries in many languages that simplify the developers job. Although quite frankly, I wrote the Google auth code making straight HTTP calls. I can’t imagine OAuth is that much more complicated.

I think the larger issue here is that Twitter has a moral obligation to at least try to provide whatever protection it can to its users’ identities. The argument of “if you don’t like it don’t use it” is simply cavalier. People are using this service for more than just talking about what they had for breakfast. Twitter has a responsibility to their users and they ought to step up and fulfill it.

]]>