On Sun, Jan 4, 2009 at 11:39 PM, Jesse Stay <jesses...@gmail.com> wrote:
> We're on the verge of a full boycott by users on apps that take passwords.
> Comments like this on ChrisBrogan.com keep me up at night. There's a
> groundswell happening, and it doesn't look pretty. I know Twitter is working
> on something, I just really hope it's soon.
>

Honestly, most people (rightly or wrongly, I suspect rightly)
don't really worry about it that much. I don't really think a
boycott is likely to be effective.

Also, the chrisbrogan.com post confuses phishing with risk of
giving an evil service your password. They aren't really the same
thing.

For example, OAuth type systems are generally considered to
raise the risk of phishing happening (because they involve
jumping the user all over the place to different sites) while at
the same time (if implemented well) they can reduce the impact
of a successful phish (by giving the user and the service more
tools to control usage). They're also substantially more difficult to
implement perfectly, raising the risk of code vulnerabilities.

Lots of tradeoffs well worth discussing (it's certainly a teaching
moment) but the level of run-in-circles-scream-and-shout is getting
to the point of being unhelpful.

-cks

-- 
Christopher St. John
http://artofsystems.blogspot.com
