If you're storing the password securely and only using HTTPS, I'd say
you're doing right by your users. In the absence of OAuth, that's
basically best practice. It's also a pattern that's been deemed
adequate by companies like Amazon, who collect and store financial
information from their customers.

Christopher St John's comments above accurately reflect my own
concerns. OAuth is not a security magic bullet, and it only encourages
phishing attacks. I feel bad for users that have given their
credentials to a phishing site, and we'll do everything we can to
educate them, but token-based authentication systems are not going to
fix this particular security problem.

Getting worked up into hysterics about boycotts is just, as security
expert Bruce Schneier is fond of saying, "security theater". It's the
equivalent of an apartment building's tenants telling their landlord
they refuse to use keys because someone's place got broken into.

On Sun, Jan 4, 2009 at 22:07, Dale Merrick <theunstable...@gmail.com> wrote:
>
> I've been lurking on this list for a while.  It's a nice resource for
> Twitter development.  I'm currently working on my own desktop Twitter app.
> However I have apparently missed something on this list.
>
> What exactly is wrong with an application (for Mac OS X in this case) asking
> for a user's Twitter user name and password.  Storing the password in the OS
> X Keychain isn't hard at all and it is encrypted.
>
> Have I really missed something important?  Does this "fever" about apps
> asking for passwords apply to desktop and web apps, or just web apps?  I'd
> really like to know whether or not my application would suddenly become
> "evil" because it asked for an account password.  And yes, my app does
> inform the user that the password will be stored in the Keychain and it uses
> HTTPS when talking to the Twitter servers.
>
> Reply on list or off list, which ever works best for you.
>
> Dale
>
> On Jan 4, 2009, at 11:59 PM, Christopher St John wrote:
>
>>
>> On Sun, Jan 4, 2009 at 11:39 PM, Jesse Stay <jesses...@gmail.com> wrote:
>>>
>>> We're on the verge of a full boycott by users on apps that take
>>> passwords.
>>> Comments like this on ChrisBrogan.com keep me up at night. There's a
>>> groundswell happening, and it doesn't look pretty. I know Twitter is
>>> working
>>> on something, I just really hope it's soon.
>>>
>>
>> Honestly, most people (rightly or wrongly, i suspect rightly)
>> don't really worry about it that much. I don't really think a
>> boycott is likely to be effective.
>>
>> Also, the chrisbrogan.com post confuses phishing with risk of
>> giving an evil service your password. They aren't really the same
>> thing.
>>
>> For example, oauth type systems are generally considered to
>> raise the risk of phishing happening (because they involve
>> jumping the user all over the place to different sites) while at
>> the same time (if implemented well) they can reduce the impact
>> of a successful phish (by giving the user and the service more
>> tools to control usage) They're also substantially more difficult to
>> implement perfectly, raising the risk of code vulnerabilities.
>>
>> Lots of tradeoffs well worth discussing (it's certainly a teaching
>> moment) but the level of run-in-circles-scream-and-shout is getting
>> to the point of being unhelpful.
>>
>> -cks
>>
>> --
>> Christopher St. John
>> http://artofsystems.blogspot.com
>
>

-- 
Alex Payne - API Lead, Twitter, Inc.
http://twitter.com/al3x