There are many Twitter applications, and new ones keep appearing every day.
Many of these applications expect you to log in with your Twitter name and
password. They all assure you that it is a one-time verification only, that they
do not store your password, that their service is safe, et cetera. Most of these
services are above board, but it is wrong to assume that all of them can be
trusted on the strength of a reassuring FAQ page.
You should never hand your password to a third party. You should never hand
your password to the first party either. You should never hand out your password
to anyone.
There are no exceptions. When you trust someone with your password, you do so at
your own risk.
That sounds fine in principle, but what do you do when you really want to try the
latest and greatest Twitter application? Well, if you are Joe Average, you cave and
hand them the keys to your Twitter throne.
After all, what harm could it do? Why would anyone want your twitter
password? What could they possibly do with it? Well, send out bogus messages in
your name, of course. It has happened already, and it may happen again.
I am sorry to say it, but Twitter has not shown much forethought, or in fact any thought at all, when it comes to security, so I will not be surprised if Twitter is cracked again. Twitter needs to improve, but that does not absolve you or me from our own responsibilities. We should not be handing our Twitter credentials to anyone who asks.
Most crooks are not interested in posting messages using your name, but still want your Twitter password. That is because many people still use the same name and password for all their accounts. Thus, a bunch of Twitter passwords can be used to gain access to many email accounts, which in turn are likely to contain sensitive information that can be used in their crooked schemes.
An approach that many users take is simply handing over their password to anyone who
asks.
Heck, I should start some mythical Twitter service, and allow beta
signups, just to see how many willingly hand over their credentials without
even knowing a thing about what they are signing up for…
The most secure approach to this problem is to not use any of the Twitter applications at all. This is very secure, but it denies you access to many otherwise interesting applications.
One very practical approach is to choose the competing service that does not
require your password. Why bother with Tweeple Pages, when Omnee does not
require a password?
This is definitely the preferred approach. If you hear about another service
that does the same thing, but does not require a password, switch.
Yet another approach is to change your password every time you use one of these services. Again, not very practical. You would need to come up with and remember a new password far too often.
I am using a two-password approach. I have one password for regular Twitter access, and another one for those services. Every time I want to use one of those, I first change my password, then use it, then change it back.
It is a small hassle and it is not completely safe, but it is a lot safer than handing them your normal password. You are still at risk during the period that they know your password, but at least it is a short period. Moreover, you are online during that period and likely to notice any suspect activity.
The two-password system only works at all because Twitter allows you to change your password back to your previous password. Many systems do not allow you to reuse the last few passwords you used, and neither should Twitter, but right now that particular shortcoming in their security makes this two-password system possible.
Twitter could take this two-password approach and make it their actual system by letting all of us have two
passwords: one password for ourselves, which grants full access, and one password
for third-party services, which grants read-only access, without any rights to
post or modify anything.
That is not too hard to implement, and it would alleviate many security concerns.
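As an added illustration of the scheme proposed above (this is example code written for this page, not Twitter's implementation), the sketch below gives one account two secrets with different scopes, so a credential handed to a third party can read but is refused when it tries to post. The role names, scope sets and sample passwords are all constructed for the example.

```python
"""Sketch of a per-account 'two password' scheme: one full-access secret
for the owner, one read-only secret that can be given to third-party
services. Illustrative only; not Twitter's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical roles and the actions each one is allowed to perform.
SCOPES = {"owner": {"read", "post", "modify"}, "third_party": {"read"}}


def _hash(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored digests are not directly reusable; the
    # iteration count here is a placeholder, not a tuned value.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class Account:
    user: str
    _creds: dict = field(default_factory=dict)  # role -> (salt, digest)

    def set_password(self, role: str, secret: str) -> None:
        if role not in SCOPES:
            raise ValueError(f"unknown role {role!r}")
        salt = secrets.token_bytes(16)
        self._creds[role] = (salt, _hash(secret, salt))

    def authenticate(self, secret: str) -> set:
        """Return the scopes of whichever role the secret matches, else empty."""
        for role, (salt, digest) in self._creds.items():
            if hmac.compare_digest(_hash(secret, salt), digest):
                return set(SCOPES[role])
        return set()


def handle(account: Account, secret: str, action: str) -> str:
    """Authenticate, then enforce least privilege on the requested action."""
    scopes = account.authenticate(secret)
    if not scopes:
        return "401 bad credentials"
    if action not in scopes:
        return f"403 {action} not permitted for this credential"
    return f"200 {action} ok"


def demo() -> list:
    acct = Account("alice")
    acct.set_password("owner", "correct horse battery staple")  # constructed
    acct.set_password("third_party", "readonly-share-me")       # constructed
    return [handle(acct, "readonly-share-me", "read"),
            handle(acct, "readonly-share-me", "post"),
            handle(acct, "correct horse battery staple", "post"),
            handle(acct, "wrong", "read")]
```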
The real solution is for Twitter to allow third-party applications access to
your account in a way that you control, without sharing your password with
them.
Twitter is going to do just that. An official Twitter blog post made in January,
about the embarrassing script-kiddie crack of Twitter, notes that Twitter is
working to implement OAuth - Open Authentication. That will solve
the problem.
Until Twitter has implemented OAuth, the two-password approach is a relatively simple and mostly safe way to enjoy the many Twitter services that demand your password.
Don't get me wrong. I am not saying this is completely safe, just that it is a lot safer than handing over your password to all services that ask. The best approach remains to either not use a service or switch to a competing one that works without having to hand over your password.
Many users eager to inflate their follower count signed up for TweepMe, giving their password to an unknown third party; a new article discusses TweepMe, including how this Two Passwords Twitter Tip fits in.
Omnee seems to have ceased operation. The broken link has been removed.
Copyright © Tamura Jones. All Rights reserved.