[tptacek]

You're sidestepping the point of the article. Ivan Kirigin is not going to get screwed over by a website that asks for his Twitter password. But my mom might, because it is extremely likely that one of these fly-by-night Twitter add-on apps will lose their database to some stupid SQLI bug. My mom almost certainly uses the same password for Twitter and Yahoo Mail.

Moreover, each app that asks for passwords for another service adds social proof that this is how we build applications. It isn't.

[ivankirigin]

My comment is directed to this community.

I agree 100% that asking for passwords is a very bad practice, and users shouldn't be trained to do it. They should fix it immediately.

I suppose people could stick to twitter.com and sms - but to me, the defacto twitter world has clients. They are important. I want people to use them. Give your password to sites you trust, Mom.

[dbrown26]

The next blog post will be about how you can do almost everything without "being evil". There are other ways to get the information or behaviors you seek without requiring external logins. Twitter clients are entirely different animals as the credentials are stored individually in many different places (phones and pc's). Hackers look for large, easy targets, like a web site's database or server logs that contain lots of info, they don't do individual hacks by and large because the ROI is just not high enough. Not saying that its not a risk, just that the risk is MUCH smaller.