/Security/ The great password scandal

You wouldn’t let your bank give your PIN to a stranger, but some sites are taking a similarly cavalier attitude to security, warns Paul Annett of Clearleft

Before reading this feature, please pause and take a few minutes to send me your email address and password. I’m doing some research to see how many of my readers are friends-of-friends. I’ll only log in to your account to look at the address book. Honest.

No? You’d be surprised how many people happily do this via websites each and every day.

Last September, a service called My Name is E launched, promising to solve the ‘social network portability’ problem – taking the hassle out of adding friends on social networks by aggregating your friend lists on to one site. You could add a friend on My Name is E, which would then update your contacts across the other sites. Nifty, eh?

People were quick to sign up, eagerly handing over multiple usernames and passwords so My Name is E could do its stuff. Judging by the number of recommendations it was receiving on Twitter, it was clearly an outstanding service. But there was something odd about these messages. Every recommendation was phrased the same: “I’m now using My Name is E to add friends to my Twitter account! More info on http://hellomynameise.com”.

It soon became apparent that My Name is E was logging in to Twitter as each of its users and sending these recommendations as them, but without their permission or knowledge. “The autotweet was a kind of viral marketing, implemented by one of our developers for teasing our followers on Twitter,” says Andreas Creten, My Name is E’s lead developer. “Unfortunately, we forgot to disable the feature before we launched.”

The backlash was immediate, with angry complaints on Twitter and customer support forums. “We disabled it as soon as users started complaining,” says Creten. “We were surprised at the response – it was a good lesson. Since we had people’s passwords we could take full control of their accounts, but people don’t like it when someone else uses their account to do something.”

Many of them not only felt angry at My Name is E, but also embarrassed that they were so publicly outed as being careless with their passwords. A typical message on Get Satisfaction came from Paul Downey, chief web services architect at BT: “Thanks for making me look and feel stupid – it’s me that gets to Twitter, not your password phishing bots!” Says Twitter’s API lead, Alex Payne: “We’ve always advised users to only give their passwords to websites they feel they can trust. Any website runs the risk of compromise, so giving out your credentials is always a gamble. There’s little risk in using a desktop Twitter client, but we’ve cautioned users against handing out their passwords to web-based services that are higher-value targets to attackers.”

You may be thinking that this is no big deal. After all, it’s only a Twitter password, not your bank details. But this thinking is flawed. “[Hypothetically] we could easily have logged into people’s mail accounts, intranets …” says Creten, referring to the fact that many people use the same login details across multiple different sites. Of course, in many cases if a hacker has access to your email account then they have access to all your accounts, because this is where your registration details for different services will have been sent.

Yet the “give us your email username/password to add your existing friends on this site” routine is becoming more and more common. Twitter does it. So does Get Satisfaction, Linked In, Yelp, Plaxo, Ning, FriendFeed, Orkut, iLike. Hell, giants like MySpace and Facebook do it. They can’t all be wrong, surely? Jeremy Keith, technical director of user experience consultancy Clearleft, is unequivocal: “The message is being sent out that it’s okay to hand out passwords from one site on a completely different site. If – or should I say when – this practice becomes commonplace then phishing and identity theft become so much easier: it teaches people how to be phished.”

“That should be rephrased ‘has taught users how to be phished’,” argues Simon Willison, technical architect at Guardian News and Media. “The Facebook thing isn’t a smart way of connecting members, it’s a horrible precedent.” Indeed, it’s such a common design pattern that it’s often the only way developers consider for retrieving a list of contacts from your address book. But there are alternatives, the most lauded being OAuth. Alex Payne explains how it works for users authorising a third-party app with Twitter:

  1. You download a new Twitter client.
  2. You fire it up; it redirects you to twitter.com
  3. If you haven’t already, sign in to Twitter.
  4. If you trust the application, allow it to connect to your Twitter account.
  5. Bounce back to your Twitter client, which is now ready to use.

Payne says: “The Twitter API started out with an authentication model that used a web standard, HTTP Basic Authentication and allowed developers to get started without much fuss. But now that the community has spoken out in favour of a token authentication system, we’ve provided one.”

“Our beta testers reported it took minutes to get set up with OAuth. So unless you’re developing on a platform that lacks high-quality OAuth client libraries, it should be very easy [for existing third-party apps] to make the transition.” Despite the fact that Twitter is embracing OAuth for third-party sites to access their data, it still asks for email usernames and passwords to get into users’ webmail contact lists. Although Google, Yahoo and Microsoft all offer viable alternatives, there’s no word from Twitter that it’ll be changing its own bad practice on this front any time soon.

“[The need for] access to Google, Yahoo and Microsoft’s web-based email services is used as justification for the majority of instances of this password anti-pattern,” states Keith. “Now that they all offer alternatives, the only reason for abusers not to switch to using the official APIs is development time and priority.” OAuth is a step towards web users relearning the necessity of personal prudence and password hygiene.

Our friends at My Name is E are upgrading each of their services to use OAuth, where it’s available. “If the social network that we’re integrating with supports OAuth, we now use OAuth for sure,” Creten reassures us. “At the moment we have Twitter, YouTube, PICNIC, Soocial and Brightkite – they will all be transformed to OAuth services.”

Developers would be wise to seek out OAuth and similar solutions for their projects; for too long we’ve been taking the perceived easy route of using the “password anti-pattern”. Users have become completely vulnerable to phishing attacks, which deliberately exploit the very same design pattern. They don’t know any better: we’ve taught them not to question it, so we owe it to them to make amends.

How to remember passwords
Here’s an easy way to keep dozens of secure passwords safe in your head …

The most secure place to store passwords is inside your head. Unfortunately, it’s a pain to remember multiple passwords, so many people end up using the same username and password combination across a range of different websites.

A good password should be easy to remember but hard to guess. So how do you come up with a secure username and password combination that’s different for each site that you use?

The trick is to choose a single word or memorable key sequence, then apply a simple formula to it relative to the site you’re logging in to. It’s best to include a number for added security, and because some sites require a combination of both letters and numbers in a password. Here’s an example.

I’ll choose the word ‘artich0ke’ as my base password (I’ve replaced the ‘o’ with a zero), then modify it for each website I use it on by adding the first three letters of the service name. My Google account password would be ‘artich0kegoo’ and my Twitter password would be ‘artich0ketwi’, etc.

Try not to include any special characters in your password. You want your formula to fit all sites; needing to remember a different formula for each site defeats the point.

source: http://www.netmag.co.uk/


0 Responses to “/Security/ The great password scandal”

  1. Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s



%d bloggers like this: