Twitter and Passwords

Over the last year or so, Twitter has become one of the most successful social networking sites on the web. One mark of its success is the rich ecosystem of other sites which feed off it. The best example is probably the Twitter search engine which started as a separate web site but was so successful that it was bought by Twitter and integrated into the main site.

There are many other sites that also provide tools to improve your Twitter experience. Unfortunately a large proportion of them encourage users to break one of the fundamental rules of internet security. Even more unfortunately, it seems that most users don’t understand internet security and the sites are therefore thriving when they should be ignored.

What is this basic rule of internet security that these sites are breaking? They are asking for your Twitter username and password.

Your password for any particular service should always be a secret between you and that service. No-one else should ever need it. In fact if you read my piece about basic password security from a few years ago, you’ll know that the service shouldn’t store the plain text version of your password. Only you should know that.

I don’t understand why people are so willing to give anyone their Twitter passwords. Well, I suppose I do. The services that are offered are so shiny. I’d love, for example, to use Twitterfeed. But I can’t because it requires me to give over my password to someone else.

It’s not that I don’t trust the owner of Twitterfeed to do the right thing. It’s that I know it’s completely impossible for him to store the password as securely as it should be stored. Think about it. Twitterfeed needs your password each time it posts something to Twitter under your name. That means that it can’t use the non-reversible encryption (one-way hashing) that a sensible service uses for storing passwords. At best they use a reversible encryption method. At worst they store it in plain text.

Clause 3 of the Twitter terms of use says:

You are responsible for keeping your password secure

If I give my password to another site, I can’t do that. I’m sharing the responsibility for keeping my password secure with other people.

There are, of course, other people who share my concerns. You’ll see the occasional debate on this subject on places like Get Satisfaction. But I’m amazed by the number of people who should know better but still use these systems. A few weeks ago, Charles Arthur (The Guardian’s technology editor) wrote a piece on this subject. He talked about a site called TwitterRank which gave you some meaningless statistics about your place in the Twitterverse when you gave it your username and password. Charles rightly advised people not to give their password to random web sites. But I knew that he had written the article because his Twitterfeed account posted details to his Twitter stream. When I pointed out the irony in a comment he seemed to miss the point.

How many otherwise intelligent people do you know who use Twitterfeed? Or other systems like Ping.fm? Over the weekend, Robert Scoble praised a site called PeopleBrowsr on his blog without bothering to point out that it would ask for your Twitter password and what a bad idea that might be.

There are two arguments that people seem to use to defend these kinds of service. The first is that “it’s only your Twitter password”. And that’s true of course. The world wouldn’t end if someone got my Twitter password and started to send messages pretending to be me. But by promoting this way of doing things, it becomes more likely that people will be less protective of their passwords. How many sites have you seen that offer to tell you if your friends are signed up if you give them your Gmail username and password?

The other argument I often hear is that the services are really useful and that Twitter don’t support any other way of doing the things that these services want to do. Well, I don’t know about you, but if the only way to get access to a really cool service was to go against basic security practices, then I’m happy to do without the service.

Here’s an idea. I’ve got this service which will monitor your bank account and send you a monthly report of where your money is going and (this is the really cool bit) will suggest places where you can save money by switching to other suppliers. It will even take any spare money at the end of the month and put it into the best investments it can find. You just need to give me your internet banking login details. Interested? I thought not.

And yes, Twitter are partly to blame for this. There’s a standard protocol for dealing with situations like this – it’s called OAuth. Twitter have been promising to support it for some time, but it’s still not here. And, to be honest, with the number of people who are quite happy to use their current, broken, authorisation model, why would they care about doing things the right way?
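The storage argument made earlier and the token-based delegation that OAuth standardises, side by side, as an added example (not code from this post, Twitter or Twitterfeed). `Provider` and `PasswordRelay` are hypothetical classes, the keystream cipher is a toy stand-in for real reversible encryption, and the token scheme is a simplified bearer-token model rather than the OAuth protocol itself.

```python
import hashlib, hmac, os, secrets

def hash_password(password, salt):
    # One-way: all that a site which only *verifies* logins has to keep.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def keystream_xor(key, nonce, data):
    # Toy reversible cipher (HMAC-SHA256 keystream), standing in for a real one.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Provider:
    """Hypothetical stand-in for the service that owns the account."""
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.tokens = {}                      # sha256(token) -> app name
    def login(self, password):
        return hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
    def grant(self, password, app):
        # The user authenticates to the provider only; the app gets a token.
        if not self.login(password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = app
        return token
    def post_with_token(self, token):
        return hashlib.sha256(token.encode()).hexdigest() in self.tokens
    def revoke(self, app):
        self.tokens = {h: a for h, a in self.tokens.items() if a != app}

class PasswordRelay:
    """Hypothetical third-party site that posts using the user's password."""
    def __init__(self, password):
        self.key, self.nonce = os.urandom(32), os.urandom(16)
        self.blob = keystream_xor(self.key, self.nonce, password.encode())
    def recover(self):
        # Needed for every post, so key and blob must both stay on the server.
        return keystream_xor(self.key, self.nonce, self.blob).decode()

if __name__ == "__main__":
    pw = "correct horse battery"              # constructed sample password
    site, relay = Provider(pw), PasswordRelay(pw)
    token = site.grant(pw, "feed-app")
    print("relay store yields the password:", relay.recover() == pw)
    site.revoke("feed-app")
    print("token works after revoke:", site.post_with_token(token))
```

The relay's stored record always decrypts back to the account password, while a leaked token can be revoked for one application without changing the password or affecting any other application.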

So here are a couple of suggestions. If you’re a Twitter user and you find a really useful Twitter-addon that you want to use but which asks for your password then don’t use it. And write to the owners explaining why you won’t use their service. And if you’re running a service which currently interacts with Twitter using passwords, then stop doing it. Close down your service. Explain to both your users and Twitter that you have closed your service until you can reimplement it safely.

I don’t expect for one second that all services will close down or that all users will stop using existing services. But it would be good if enough people stopped using the service until Twitter took notice and started using OAuth.

Who’s with me?

Update: A post from the Twitter development team on December 2nd promises “a beta of OAuth support [ … ] ready for our first deploy in the next week or ten days”

5 comments

  1. Absolutely right. But first Twitter has to implement a more secure way for Apps to use Twitter on your behalf.

  2. Twitter might be bad, but the harm is relatively limited (apart from perhaps to your reputation), the really shocking thing is sites that ask for your Hotmail, y! or Google mail credentials to retrieve your address book and the number of people that actually go for it ….

  3. “Twitter has to implement a more secure way for Apps to use Twitter on your behalf.”

    There is a very secure way for using twitter apps. Seeing as your “profile page” on twitter is open for all (unless you mark it as private). I have no problems API-ing any and all tweets from non-private users using nothing but their username, and so should any service.

    “you just need to give me your internet banking login details. Interested? I thought not.”

    You’ll be surprised, look at http://www.mint.com/
