Some of you talk about an "app" as if it were a person. Sure, apps could be malicious, but that includes every app on your computer - doesn't it? Why should you assume some of the apps handling your credentials can be more trustworthy than others? Any app that is on your computer while you type your username/password can potentially obtain that information. And what about the app at the far end of the Internet that may be "pretending" to be Twitter's authorization page? Frankly, I think the whole argument about "malicious apps" is a little over the top for an OAuth discussion.
Why would you believe that "basic auth developers are required to store passwords in plain-text..."? I'm a basic auth developer, and I have always stored username/passwords encrypted in an access-protected keychain file. I do not know of a single developer of any platform that would be so irresponsible as to store username/passwords in plain text - well until now. :) Twitter's only interest in OAuth (like any other platform provider) is to control access to their platform at an application level, and to allow other platform providers access to their users' data. This altruistic nonsense about Twitter being more interested in your personal password protection than your bank, your online stock trading company, or the IRS, is just that - nonsense. There's nothing wrong with Twitter's decision to implement OAuth. It makes perfect sense. I'd do it, if I were in their shoes. Why are so many of you rushing to their defense with these manufactured alternative reasons for why they are implementing it?

On Apr 27, 5:52 am, glenn gillen <gl...@rubypond.com> wrote:

> > Anytime you enter your credentials, regardless of where, you open
> > yourself to being snooped. I believe that is far less likely when
> > communicating with YOUR app on YOUR computer, than it is via a browser
> > over the open Internet to a 3rd party that may or may not be who you
> > think it is...
>
> Supporting this option though Twitter is dependent on the security
> procedures of every 3rd party to maintain the integrity of an account.
> With OAuth at least should an individual 3rd party have their security
> breached then access to just that 3rd party can be terminated.
>
> Also with basic auth developers are required to store passwords in
> plain-text (or at least in some retrievable form) and as someone else
> has already pointed out with the propensity for users to use the same
> password on many services this exposes them to undue risk from a
> breach of a 3rd party or via a malicious developer.
>
> I'd sleep much easier at night if I didn't know anybody else's
> password, I'm sure the Twitter team would prefer if only a user knew
> their own password too.
> --
> Glenn
> http://glenngillen.com/
>
> --
> Subscription settings: http://groups.google.com/group/twitter-development-talk/subscribe?hl=en
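The two properties argued over in this thread (a basic-auth client must hold the user's password in retrievable form because it re-presents it on every request, while a per-client token can be revoked without touching the other clients) are easy to see in a toy model. The following is an added example written for this page, not code from Twitter or from either poster; the service and client classes, the user "alice" and the three clients "A", "B", "C" are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class BasicAuthService:
    """Resource server for HTTP basic auth: stores only a salted hash of each password."""

    def __init__(self):
        self._creds = {}  # user -> (salt, sha256(salt || password))

    @staticmethod
    def _digest(salt, password):
        return hashlib.sha256(salt + password.encode()).digest()

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, self._digest(salt, password))

    def check(self, user, password):
        if user not in self._creds:
            return False
        salt, stored = self._creds[user]
        return hmac.compare_digest(stored, self._digest(salt, password))


class BasicAuthClient:
    """Third-party app using basic auth. It must keep the password itself in
    retrievable form (encrypted at rest or not) because every request re-sends it."""

    def __init__(self, user, password):
        self.user = user
        self.password = password

    def request(self, service):
        return service.check(self.user, self.password)


class TokenService:
    """OAuth-style resource server: one opaque token per (user, client) pair."""

    def __init__(self):
        self._tokens = {}  # token -> (user, client_name)

    def authorize(self, user, client_name):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, client_name)
        return token

    def revoke_client(self, user, client_name):
        doomed = [t for t, owner in self._tokens.items() if owner == (user, client_name)]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)

    def check(self, token):
        return token in self._tokens


class TokenClient:
    """Third-party app holding only a token; it never sees the user's password."""

    def __init__(self, token):
        self.token = token

    def request(self, service):
        return service.check(self.token)


def compare_breach_handling(password="correct horse battery staple"):
    """Model a breach at client 'B' and show what cutting B off costs in each model."""
    user = "alice"  # constructed sample user

    # Basic auth: three apps all hold the same password.
    basic = BasicAuthService()
    basic.set_password(user, password)
    b_clients = {name: BasicAuthClient(user, password) for name in "ABC"}
    # Whoever compromises B obtains the password itself (reusable wherever it is reused).
    attacker_has_password = b_clients["B"].password == password
    # The only way to cut B off is to rotate the password, which also cuts off A and C.
    basic.set_password(user, password + "-rotated")
    basic_after = {name: c.request(basic) for name, c in b_clients.items()}

    # Token model: three apps, three tokens; revoke only B's.
    tokens = TokenService()
    t_clients = {name: TokenClient(tokens.authorize(user, name)) for name in "ABC"}
    revoked = tokens.revoke_client(user, "B")
    token_after = {name: c.request(tokens) for name, c in t_clients.items()}

    return {
        "basic_attacker_has_password": attacker_has_password,
        "basic_after_rotation": basic_after,
        "tokens_revoked": revoked,
        "token_after_revocation": token_after,
    }


if __name__ == "__main__":
    for key, value in compare_breach_handling().items():
        print(f"{key}: {value}")
```

Note that the basic-auth service itself only stores a hash, so the "retrievable form" in the quoted reply refers to the third-party client, not the platform; encrypting it in a keychain as the poster describes protects it at rest but does not change the fact that a compromised client can present it, or that rotating it disrupts every other client.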