Monday, January 05, 2009

Demand That the Services You Use On the Web Give You Data Portability in a Secure Way

Lots of chatter today about Twitter's Monday Morning Madness via Techmeme, because over the last 78 hours multiple Twitter users were compromised multiple times: first by a phishing scam, and then by an actual compromise of some high-profile accounts (including Obama's Twitter account).

Elias Bizannes, a colleague in the DataPortability Project, has written a well thought out and detailed post on the official DataPortability Blog titled "Time To Criminalize The Password Anti-pattern". I recommend you read it to understand the issue and the recommended solutions that Twitter, among many other sites you are probably using, should follow.

Once you give a site your password so it can pull your data from another site, that site has your password for as long as it stays valid, which is until you change it. Even if the site claims it does not keep the password once it has pulled the data you 'authorized', somewhere in some log file the password associated with your username is recorded, and anyone who wanted to get to it probably could.

So before you use a service that asks for your actual password to pull data, think about it, and then demand that the service give you data portability in a secure way by using open protocols like OAuth to authorize data access between services (something Twitter has said it will release in beta this month).
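To make the contrast concrete, here is an added example (not code from the original post, from Twitter, or from the DataPortability Project) that models the delegated-authorization flow OAuth 1.0a uses with HMAC-SHA1 request signing. The site names, user "alice", the consumer "friendfinder", the fixed timestamp and all secrets are constructed for the demo. The point it shows is the one the post makes: the third party only ever holds a token, the token can be revoked without touching the password, and a leaked copy of the third party's storage contains no password at all.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote


def percent_encode(value: str) -> str:
    # OAuth 1.0a uses RFC 3986 encoding: only unreserved characters stay literal.
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # Parameters are percent-encoded, sorted, joined with "&", then the whole
    # "METHOD&url&params" triple is joined with "&" (each part encoded again).
    normalized = "&".join(
        f"{percent_encode(k)}={percent_encode(v)}"
        for k, v in sorted((str(k), str(v)) for k, v in params.items())
    )
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    # The signing key is the two secrets, each percent-encoded, joined with "&".
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


class OriginSite:
    """The site that owns the user's data (the role Twitter plays in the post)."""

    def __init__(self):
        self._passwords = {}   # username -> (salt, hash); constructed toy storage
        self._consumers = {}   # consumer_key -> consumer_secret
        self._tokens = {}      # access_token -> record

    @staticmethod
    def _hash(salt: str, password: str) -> str:
        return hashlib.sha256((salt + password).encode()).hexdigest()

    def register_user(self, username: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self._passwords[username] = (salt, self._hash(salt, password))

    def check_password(self, username: str, password: str) -> bool:
        salt, digest = self._passwords[username]
        return hmac.compare_digest(digest, self._hash(salt, password))

    def register_consumer(self, name: str):
        key, secret = f"{name}-key-{secrets.token_hex(4)}", secrets.token_hex(16)
        self._consumers[key] = secret
        return key, secret

    def authorize(self, username: str, password: str, consumer_key: str, scope: str):
        # The user types the password HERE, on the origin site, never at the consumer.
        if consumer_key not in self._consumers or not self.check_password(username, password):
            raise PermissionError("authorization refused")
        token, token_secret = secrets.token_hex(16), secrets.token_hex(16)
        self._tokens[token] = {"user": username, "secret": token_secret,
                               "consumer": consumer_key, "scope": scope, "revoked": False}
        return token, token_secret

    def revoke(self, token: str) -> None:
        # Revocation kills this one grant; the user's password is untouched.
        self._tokens[token]["revoked"] = True

    def verify(self, method: str, url: str, params: dict, signature: str):
        # Returns the authorized username, or None if the request is not acceptable.
        # (A real server would also check the timestamp window and reject reused nonces.)
        rec = self._tokens.get(params.get("oauth_token"))
        if rec is None or rec["revoked"] or rec["consumer"] != params.get("oauth_consumer_key"):
            return None
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       self._consumers[rec["consumer"]], rec["secret"])
        return rec["user"] if hmac.compare_digest(expected, signature) else None


class ThirdPartyService:
    """A service that wants to pull the user's data; it holds tokens, never passwords."""

    def __init__(self, consumer_key: str, consumer_secret: str):
        self.consumer_key, self.consumer_secret = consumer_key, consumer_secret
        self.stored = {}   # username -> (token, token_secret): all a leaked DB would expose

    def connect(self, username: str, token: str, token_secret: str) -> None:
        self.stored[username] = (token, token_secret)

    def signed_request(self, username: str, method: str, url: str, extra: dict = None):
        token, token_secret = self.stored[username]
        params = {"oauth_consumer_key": self.consumer_key, "oauth_token": token,
                  "oauth_signature_method": "HMAC-SHA1", "oauth_nonce": secrets.token_hex(8),
                  "oauth_timestamp": "1231156800",  # constructed; real clients use time.time()
                  "oauth_version": "1.0", **(extra or {})}
        sig = hmac_sha1_signature(signature_base_string(method, url, params),
                                  self.consumer_secret, token_secret)
        return method, url, params, sig


def run_demo(password: str = "correct horse"):
    origin = OriginSite()
    origin.register_user("alice", password)
    ckey, csecret = origin.register_consumer("friendfinder")
    third = ThirdPartyService(ckey, csecret)
    # Alice authorizes on the origin site; only a token reaches the third party.
    token, token_secret = origin.authorize("alice", password, ckey, "read:contacts")
    third.connect("alice", token, token_secret)
    url = "https://origin.example/api/contacts"
    before = origin.verify(*third.signed_request("alice", "GET", url, {"count": "20"}))
    origin.revoke(token)
    after = origin.verify(*third.signed_request("alice", "GET", url))
    return {
        "third_party_holds_password": password in repr(vars(third)),
        "request_before_revoke": before,
        "request_after_revoke": after,
        "password_still_valid": origin.check_password("alice", password),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the request verifying as "alice" before revocation and being rejected afterwards, while the password still works at the origin site and never appears anywhere in the third party's state. Compare that with the password anti-pattern the post describes, where the only way to cut off a misbehaving service is to change the password everywhere.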

This picture on Flickr by Richard Parmiter says it all: giving sites your password in order to pull data from one site to another is like loaning your underpants to strangers. Don't do it.
