It's probably more likely that you would give your password to a malicious site (of course, one masquerading as a legitimate client) that would store it and use it than someone stealing your device. Moreover, many less-than-savvy users tend to use the same password for many accounts, including accounts containing very sensitive information.
On Mon, Oct 12, 2009 at 20:36, Brian Smith <[email protected]> wrote:
> Letting a mobile/desktop app grab an OAuth token using the user's
> username/password is still helpful because then they can store the token
> instead of the username/password, which is a big deal when there's no really
> secure way to store it. Also, if your mobile phone/laptop gets stolen, you
> can still log in via the Twitter website and revoke access from the apps
> installed on your phone/laptop. If the app just used basic auth then the
> only way to revoke access would be to change your password. But, whoever
> stole your phone/laptop could have changed your password first (if the app
> was using Basic auth), and you're locked out of your account.
>
> So, a way to log in with basic auth and grab an OAuth token can still
> be useful.
>
> JDG wrote:
> > But it completely subverts the point of OAuth, because it lets a third
> > party have your password. Why even use OAuth in that case?

-- 
Internets. Serious business.

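The revocable-token arrangement debated in this exchange, as an added Python example that is not part of the thread and not Twitter's actual implementation: a hypothetical in-memory server (AuthServer) exchanges a one-time username/password login for a per-client token, stores only a hash of that token, and lets the user revoke a single client's token from the website without touching the password. All names (exchange_password_for_token, revoke_client, lost_device_scenario) and the account data are constructed for illustration.

```python
"""Model of password-for-token exchange with per-client revocation (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _hash(value: str, salt: str) -> str:
    # Server stores hashes only, so a dump of its table does not yield usable tokens.
    return hashlib.sha256((salt + value).encode()).hexdigest()


@dataclass
class TokenRecord:
    client: str          # e.g. "phone-app"; lets the user revoke one device at a time
    token_hash: str
    revoked: bool = False


@dataclass
class Account:
    salt: str
    password_hash: str
    tokens: List[TokenRecord] = field(default_factory=list)


class AuthServer:
    """Hypothetical in-memory stand-in for the site that issues and revokes tokens."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def check_password(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash, _hash(password, acct.salt))

    def exchange_password_for_token(self, user: str, password: str, client: str) -> Optional[str]:
        """The step Brian describes: one password login yields a per-client token.
        The client is expected to keep only the token and discard the password."""
        if not self.check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        acct = self.accounts[user]
        acct.tokens.append(TokenRecord(client, _hash(token, acct.salt)))
        return token

    def authenticate_token(self, user: str, token: str) -> bool:
        """Accept a token only if it matches a live (non-revoked) record."""
        acct = self.accounts.get(user)
        if acct is None:
            return False
        digest = _hash(token, acct.salt)
        return any(not rec.revoked and hmac.compare_digest(rec.token_hash, digest)
                   for rec in acct.tokens)

    def revoke_client(self, user: str, client: str) -> int:
        """Done from the website after a device is lost; the password stays unchanged."""
        count = 0
        for rec in self.accounts[user].tokens:
            if rec.client == client and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


def lost_device_scenario() -> Dict[str, bool]:
    """Walk through the stolen-phone case: revoke the phone's token, keep the laptop's."""
    server = AuthServer()
    server.register("alice", "correct horse battery")          # constructed account
    phone_token = server.exchange_password_for_token("alice", "correct horse battery", "phone-app")
    laptop_token = server.exchange_password_for_token("alice", "correct horse battery", "laptop-app")
    phone_before = server.authenticate_token("alice", phone_token)
    server.revoke_client("alice", "phone-app")
    return {
        "phone_before_revoke": phone_before,
        "phone_after_revoke": server.authenticate_token("alice", phone_token),
        "laptop_after_revoke": server.authenticate_token("alice", laptop_token),
        "password_still_valid": server.check_password("alice", "correct horse battery"),
    }


if __name__ == "__main__":
    for key, value in lost_device_scenario().items():
        print(f"{key}: {value}")
```

The contrast with plain Basic auth is in what the client must retain: here it keeps a token the server can invalidate individually, whereas a client that stores the password itself can only be cut off by changing that password for every client at once. JDG's objection still applies to the exchange step, since the client does see the password once; the model limits the window, it does not remove it.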