It's probably more likely that you would give your password to a malicious
site (of course, one masquerading as a legitimate client) that would store
it and use it than someone stealing your device. Moreover, many
less-than-savvy users tend to use the same password for many accounts,
including accounts containing very sensitive information.

On Mon, Oct 12, 2009 at 20:36, Brian Smith <> wrote:

> Letting a mobile/desktop app grab an OAuth token using the user’s
> username/password is still helpful because then they can store the token
> instead of the username/password, which is a big deal when there’s no really
> secure way to store it. Also, if your mobile phone/laptop gets stolen, you
> can still log in via the Twitter website and revoke access from the apps
> installed on your phone/laptop. If the app just used basic auth then the
> only way to revoke access would be to change your password. But, whoever
> stole your phone/laptop could have changed your password first (if the app
> was using Basic auth), and you’re locked out of your account.
> So, a way to log in with basic auth and grab an OAuth token can still
> be useful.
> JDG wrote:
> But it completely subverts the point of OAuth, because it lets a third
> party have your password. Why even use OAuth in that case?

Internets. Serious business.
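The stolen-device comparison from Brian's message, written out as an added toy model (not code from the thread or from Twitter's API); the service, app name, user and password values are constructed for the example:

```python
import hashlib
import secrets

class AuthService:
    """Toy service: passwords plus per-app revocable tokens (constructed model)."""
    def __init__(self):
        self.users = {}   # username -> password hash (demo: unsalted sha256)
        self.tokens = {}  # token -> (username, app_name)
    @staticmethod
    def _hash(pw):
        return hashlib.sha256(pw.encode()).hexdigest()
    def register(self, user, pw):
        self.users[user] = self._hash(pw)
    def check_password(self, user, pw):
        return self.users.get(user) == self._hash(pw)
    def issue_token(self, user, pw, app):
        # One-time credential exchange; the app then stores only the token.
        if not self.check_password(user, pw):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.tokens[token] = (user, app)
        return token
    def api_call(self, token):
        # Token-authenticated request; returns the acting user or None.
        entry = self.tokens.get(token)
        return entry[0] if entry else None

    def change_password(self, user, old, new):
        if not self.check_password(user, old):
            raise PermissionError("bad credentials")
        self.users[user] = self._hash(new)

    def revoke_app(self, user, pw, app):
        # Done from the website after a device is lost: kills that app's token only.
        if not self.check_password(user, pw):
            raise PermissionError("bad credentials")
        self.tokens = {t: v for t, v in self.tokens.items() if v != (user, app)}

def stolen_device(app_stored_password):
    """Returns (owner_keeps_access, thief_keeps_access); thief acts first."""
    svc = AuthService()
    svc.register("alice", "hunter2")
    token = svc.issue_token("alice", "hunter2", "phone-app")
    if app_stored_password:
        svc.change_password("alice", "hunter2", "thief-pw")  # owner locked out
        return svc.check_password("alice", "hunter2"), svc.check_password("alice", "thief-pw")
    svc.revoke_app("alice", "hunter2", "phone-app")  # a token alone cannot do this
    return svc.check_password("alice", "hunter2"), svc.api_call(token) is not None
```

With a stored password the owner ends up locked out while the thief keeps the account; with a stored token the owner revokes that one app from the website and keeps everything else.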
