Wednesday, November 12, 2008

All Your Passwords Are Belong To Us

How much do you value your online identity? And how often are you asked to hand over your login and password to a) find out your ranking, b) locate your friends, or c) pull all of your feeds into one place?

I would bet that the answer to the first question is "fairly highly" and the answer to the second (if you use social networking sites much at all) is "fairly frequently". If I guessed your answers correctly, then we have a problem.

Today Twitter is in a flurry about Twitterank and the possibility that it was a Twitter identity phishing site. Posts on Mashable and ZDNet talk about it in more detail. But calling the users gullible is really just ignoring the problem.

This problem doesn't just exist on Twitter, and it doesn't just exist for people who want to rank themselves against others. The problem is that we have information, sometimes a lot of information, on many sites that we want to share with other sites.

As long as giving another site access to that information means handing over the login and password for the service that holds it, people will continue to hand over their login and password. And a password is an all-or-nothing credential: whoever holds it can do everything you can do, and the only way to take it back is to change the password, which also cuts off every other tool you gave it to.

The truth is the services have trained us (beyond our natural tendencies) to give out that information by not implementing APIs that allow access to the data in a more secure fashion: a way for a user to grant a third party limited access to their data without ever showing it the password.

The solution is not to be found by telling thousands of people to guard their password; that will not work. Rather, the services need to implement APIs for sharing the information (and for revoking that sharing, one application at a time) that are as easy to use and as widely used as the "give me your login and password" solution that exists today.

Sure, some features can be provided by third-party tools, but (ahem, Twitter, are you listening?) security actually needs to be implemented on a site-by-site basis: only the service that holds the data can issue a credential scoped to that data and revoke it later.

There are some people who never share a login and password, but there are also people who still refuse to run AJAX. For the vast majority of the public there are at least some services critical enough to them that they need to share information between sites. It's time for Web 2.0 to get to the next stage, where there is a way to securely share that information.
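To make the contrast concrete, here is an added example (not code from the original post, and not Twitter's or Twitterank's actual API) of the two models side by side: a `login` call that takes the raw password, which is what a third party gets when you hand it over, versus a per-application token that is scoped to a few operations and can be revoked without touching the password or any other application. The `Service` class, its scope names and the user and application names are all constructed for illustration.

```python
"""Password sharing versus delegated, revocable per-application tokens.

Constructed, in-memory example of the model the post argues for. Nothing here
is a real service's API; the scope names and method names are assumptions.
"""
import hashlib
import hmac
import secrets


class Service:
    """A site that holds user data and can hand out scoped access to it."""

    def __init__(self):
        self._users = {}   # username -> (salt, pbkdf2 digest)
        self._tokens = {}  # token -> (username, app name, frozenset of scopes)

    @staticmethod
    def _hash(salt, password):
        # Salted, iterated hash so the service never stores the raw password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(salt, password))

    def login(self, username, password):
        """The password model: whoever knows the password gets the whole account.

        A third party that stores this password can do anything the user can,
        and the user cannot cut off just that one party.
        """
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._hash(salt, password))

    def authorize(self, username, password, app, scopes):
        """The delegated model: the user authenticates to the service itself
        (never to the app) and the app receives a token bound to its own name
        and to a limited set of scopes. The app never sees the password."""
        if not self.login(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, app, frozenset(scopes))
        return token

    def access(self, token, scope):
        """What an app can do with its token: only the scopes it was granted.

        Returns the username on success, or None for an unknown, revoked or
        out-of-scope token.
        """
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, _app, scopes = entry
        if scope not in scopes:
            return None
        return username

    def revoke(self, username, app):
        """Cut off one application without changing the password and without
        disturbing any other application the user has authorized.
        Returns the number of tokens removed."""
        doomed = [t for t, (u, a, _s) in self._tokens.items()
                  if u == username and a == app]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)

    def list_grants(self, username):
        """What the user sees on a 'connected applications' page."""
        return sorted({(a, tuple(sorted(s)))
                       for (u, a, s) in self._tokens.values() if u == username})


if __name__ == "__main__":
    svc = Service()
    svc.register("goldie", "correct horse battery staple")
    # A ranking tool only needs to read the timeline, so that is all it gets.
    rank_token = svc.authorize("goldie", "correct horse battery staple",
                               "ranking-tool", {"read_timeline"})
    print(svc.access(rank_token, "read_timeline"))  # goldie
    print(svc.access(rank_token, "post_status"))    # None: not granted
    print(svc.list_grants("goldie"))
    svc.revoke("goldie", "ranking-tool")
    print(svc.access(rank_token, "read_timeline"))  # None: revoked
```

The difference a practitioner should notice is in `revoke`: it removes one application's tokens and nothing else, whereas the only "revocation" available in the password model is changing the password, which invalidates every tool at once.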

3 comments:

Anonymous said...

ROCK on, Goldie. Most twitter users and end users in general don't realize that there are other security options besides passwords. But one thing they do understand: laziness. Alternative security measures, right now, take a tiny bit more time and energy, so developers and site masters are l.a.z.y.

For now, share your passwords with apps, it's ok. Just keep unique ones for each app and change them sometimes. If you can't remember them all, write them down on an actual sheet of paper and keep it in a locked drawer.

Anonymous said...

Excellent suggestions. Your ideas are intelligent and well thought out - better than just saying "Be afraid".

Anonymous said...

Very few people like change. The change that we'd have to think twice about using our username and password on something that looks legit seems foreign because we trust companies wouldn't do that.

But with the lessons over this week we need to strongly consider where we put our information every time we're asked for it.

Realize that trust isn't instant, and just because something has Twitter attached to it doesn't mean that the guys behind the scenes have good motives.