by bct 5311 days ago
> A well-behaved app can have your password and do no harm.

Until someone steals its database.

You hash your users' passwords, right? Same thing - whether you're talking about your app's passwords, or some third-party app's passwords, keeping them around in plain text is a bad idea.


And hashing them is not useful if you intend to authenticate with them. I think you mean encrypt. Hacker finds encryption key. See "Until someone steals its database."
No, that's not what I meant. It's an analogy - if sites shouldn't store their own passwords in plaintext or reversibly encrypted (which everyone here agrees on - "use BCrypt", etc), then they shouldn't store other passwords in plaintext or reversibly encrypted. They should use something like OAuth instead.
My bad, we agree on this. But there are a whole bunch of other great things that OAuth brings.
I must not have been very clear, because I'm being pro-OAuth here :)
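The distinction drawn above (hash your own users' passwords so they are verify-only, and hold a revocable delegated token rather than anyone's password for a third-party service) as an added example; this is not code from the thread. It uses PBKDF2 from the standard library as a stand-in for bcrypt, and the `ThirdPartyService` class is an assumed mock of an OAuth-style provider.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor; bcrypt/scrypt/argon2 are the usual choices


def hash_password(password: str, salt=None) -> str:
    """One-way, salted hash for the app's OWN passwords: can be verified, never recovered."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class ThirdPartyService:
    """Mock provider offering delegated, scoped, revocable access instead of password sharing."""

    def __init__(self):
        self.tokens = {}  # token -> set of granted scopes

    def issue_token(self, scopes) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = set(scopes)
        return token

    def revoke(self, token) -> None:
        self.tokens.pop(token, None)  # user can kill a leaked token without changing a password

    def call(self, token, scope) -> bool:
        return scope in self.tokens.get(token, set())


class App:
    def __init__(self):
        self.local = {}  # user -> salted hash of the app's own password
        self.links = {}  # user -> third-party access token (never the third-party password)

    def register(self, user, password) -> None:
        self.local[user] = hash_password(password)

    def login(self, user, password) -> bool:
        return user in self.local and verify_password(password, self.local[user])

    def link(self, user, token) -> None:
        self.links[user] = token
```

If the `App` tables leak, the local column yields hashes that do not work as passwords, and the linked column yields tokens that are scope-limited and can be revoked at the provider.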