Exposed: the great password scandal

The OAuth alternative

Indeed, it's such a common design pattern that it's often the only way developers consider for retrieving a list of contacts from your address book. But there are alternatives, the most lauded being OAuth. Alex Payne explains how it works for users authorising a third-party app with Twitter:

  • You download a new Twitter client.
  • You fire it up; it redirects you to
  • If you haven't already, sign in to Twitter.
  • If you trust the application, allow it to connect to your Twitter account.
  • Bounce back to your Twitter client, which is now ready to use.

Payne says: "The Twitter API started out with an authentication model that used a web standard, HTTP Basic Authentication and allowed developers to get started without much fuss. But now that the community has spoken out in favour of a token authentication system, we've provided one."

Payne continues: "Our beta testers reported it took minutes to get set up with OAuth. So unless you're developing on a platform that lacks high-quality OAuth client libraries, it should be very easy [for existing third-party apps] to make the transition."

Despite the fact that Twitter is embracing OAuth for third-party sites to access their data, it still asks for email usernames and passwords to get into users' webmail contact lists. Although Google, Yahoo and Microsoft all offer viable alternatives, there's no word from Twitter that it'll be changing its own bad practice on this front any time soon.

"[The need for] access to Google, Yahoo and Microsoft's web-based email services is used as justification for the majority of instances of this password anti-pattern," states Keith.

"Now that they all offer alternatives, the only reason for abusers not to switch to using the official APIs is development time and priority." OAuth is a step towards web users relearning the necessity of personal prudence and password hygiene.

My Name is E is upgrading each of its services to use OAuth, where it's available. "If the social network that we're integrating with supports OAuth, we now use OAuth for sure," Creten reassures us. "At the moment we have Twitter, YouTube, PICNIC, Soocial and Brightkite – they will all be transformed to OAuth services."

Developers would be wise to seek out OAuth and similar solutions for their projects; for too long we've been taking the perceived easy route of using the "password anti-pattern".

Users have become completely vulnerable to phishing attacks, which deliberately exploit the very same design pattern. They don't know any better: we've taught them not to question it, so we owe it to them to make amends.