On Jul 30, 7:40 pm, "Bradley S. O'Hearne" <brad.ohea...@gmail.com> wrote:
> 2. Passwords being stored locally.
>
> Comment: The application integrating with Twitter is already
> effectively "trusted", so the concern should not be with the app
> itself. The concern here would be other apps or people being able to
> grab passwords off of disk where stored. Again, I think this goes back
> to encryption. If all credentials are encrypted locally, then again,
> the concern becomes the breaking of encryption, and if that is done,
> then again whatever app or session token represents the key to the
> city can be acquired to use in OAuth too, if I'm not mistaken.

Note that with basic auth it's perfectly possible to store only an indirect security token too. Assume: the application asks the user for credentials, verifies them on the server, in response the server issues a unique indirect security token, the application discards the original credentials and stores the token. This will depend on the application's "security culture", though.

--
Dmitriy V'jukov
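The exchange Dmitriy sketches (password verified once, server hands back an opaque token, client keeps only the token) as an added, self-contained example; this is not code from the thread, and the `Server` and `Client` classes, the in-memory user/token tables and the `disk` dict standing in for the app's on-disk storage are all constructed for illustration. The server stores passwords as salted PBKDF2 hashes and stores only a hash of each issued token, so neither table leaks a replayable secret; the client never persists the password and the token can be revoked independently of it.

```python
"""Basic-auth login exchanged for an opaque bearer token (constructed example)."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: a work factor adequate for a demo


def _hash_token(token: str) -> str:
    # Tokens are random and high-entropy, so a plain SHA-256 suffices server-side.
    return hashlib.sha256(token.encode()).hexdigest()


class Server:
    """Stand-in for the service: a user table and a token table, both in memory."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, pbkdf2)
        self.tokens: dict[str, str] = {}                  # sha256(token) -> username

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, digest)

    def _verify_password(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            # Do the same amount of work for an unknown user so timing does not
            # reveal whether the username exists.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def issue_token(self, username: str, password: str):
        """The one request that carries the password; returns a token or None."""
        if not self._verify_password(username, password):
            return None
        token = secrets.token_urlsafe(32)
        # Only the hash is stored: a dumped token table cannot be replayed as-is.
        self.tokens[_hash_token(token)] = username
        return token

    def authenticate(self, token: str):
        """Every later request authenticates with the token, never the password."""
        return self.tokens.get(_hash_token(token))

    def revoke(self, token: str) -> None:
        self.tokens.pop(_hash_token(token), None)


class Client:
    """The integrating application. `disk` models its persistent storage."""

    def __init__(self, server: Server) -> None:
        self.server = server
        self.disk: dict[str, str] = {}  # assumption: real apps use a keychain/encrypted file

    def login(self, username: str, password: str) -> bool:
        token = self.server.issue_token(username, password)
        if token is None:
            return False
        self.disk["token"] = token
        # The password is a local variable that is simply dropped here; it is
        # never written to `disk`.
        return True

    def whoami(self):
        token = self.disk.get("token")
        return None if token is None else self.server.authenticate(token)


def demo() -> tuple:
    """Walk through login, token use, revocation; returns values to check."""
    server = Server()
    server.register("alice", "correct horse battery staple")
    app = Client(server)
    bad = app.login("alice", "wrong password")
    ok = app.login("alice", "correct horse battery staple")
    who = app.whoami()                    # token authenticates as alice
    server.revoke(app.disk["token"])      # server-side revocation, password untouched
    after = app.whoami()                  # stored token is now useless
    password_on_disk = "correct horse" in repr(app.disk)
    return bad, ok, who, after, password_on_disk


if __name__ == "__main__":
    print(demo())  # (False, True, 'alice', None, False)
```

The point of hashing the stored token is the same one made about local encryption above: what survives a disk or database leak should be something that cannot be used directly, and with an indirect token the server can also cut it off without forcing a password change.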