On Jul 30, 7:40 pm, "Bradley S. O'Hearne" <brad.ohea...@gmail.com>

> 2. Passwords being stored locally.
> Comment: The application integrating with Twitter is already  
> effectively "trusted", so the concern should not be with the app  
> itself. The concern here would be other apps or people being able to  
> grab passwords off of disk where stored. Again, I think this goes back  
> to encryption. If all credentials are encrypted locally, then again,  
> the concern becomes the breaking of encryption, and if that is done,  
> then again whatever app or session token represents the key to the  
> city can be acquired to use in OAuth too, if I'm not mistaken.

Note that with basic auth it's perfectly possible to store only
indirect security token too. Assume: application asks user for
credentials, verifies them on the server, in response server issues
unique indirect security token, application discards original
credentials and stores token.
This will depend on the application's "security culture", though.

Dmitriy V'jukov

Reply via email to