by flurp 4263 days ago
Maybe allow users to have multiple API tokens; that way you have one for IFTTT and another for each service you set up. Gmail does something similar to this, btw.

Although I agree with you, there's a good chance that people who reuse passwords do so because they don't want to remember usernames/passwords everywhere, and forcing the user to go get their API token just makes things harder for them again. But maybe this just isn't a problem for Pinboard users.

Too bad about OAuth, it does solve both problems above. :)
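As an added illustration of the per-integration token idea above (this is example code, not Pinboard's or Gmail's implementation, and the store, user and label names are constructed for it): each integration gets its own random token, the server keeps only a SHA-256 digest of it, and revoking the IFTTT token leaves the user's other tokens and their password untouched.

```python
import hashlib
import secrets


class TokenRecord:
    """One issued API token: who owns it and which integration it was made for."""

    def __init__(self, user, label, digest):
        self.user = user          # account the token acts on behalf of
        self.label = label        # e.g. "IFTTT" or "backup script" (user-chosen)
        self.digest = digest      # sha256 of the token; the token itself is never stored
        self.revoked = False


class TokenStore:
    """Hypothetical per-integration API token store (constructed for this example)."""

    def __init__(self):
        self._records = {}        # digest -> TokenRecord

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user, label):
        # 32 random bytes of URL-safe text; shown to the user once, then only
        # its digest is retained so a leaked table yields no usable credentials.
        token = secrets.token_urlsafe(32)
        digest = self._digest(token)
        self._records[digest] = TokenRecord(user, label, digest)
        return token

    def authenticate(self, token):
        # Lookup is by digest, so a guessed token has to match 256 bits of hash output.
        record = self._records.get(self._digest(token))
        if record is None or record.revoked:
            return None
        return record.user, record.label

    def revoke(self, user, label):
        # Disable every live token carrying this label for this user; other
        # integrations keep working, and the account password is not involved.
        count = 0
        for record in self._records.values():
            if record.user == user and record.label == label and not record.revoked:
                record.revoked = True
                count += 1
        return count

    def list_active(self, user):
        return sorted(
            record.label
            for record in self._records.values()
            if record.user == user and not record.revoked
        )


if __name__ == "__main__":
    store = TokenStore()
    ifttt_token = store.issue("alice", "IFTTT")
    script_token = store.issue("alice", "backup script")
    print(store.authenticate(ifttt_token))     # ('alice', 'IFTTT')
    store.revoke("alice", "IFTTT")
    print(store.authenticate(ifttt_token))     # None
    print(store.authenticate(script_token))    # ('alice', 'backup script')
```

The label is what lets a user (or an abuse-handling process) kill exactly one integration after it misbehaves or leaks, which is the property a single shared password or single global token cannot offer.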


Plus the added win of keeping everyone on their toes about open redirects!
If I can translate Thomas for the benefit of non-security professionals in the room, several researchers (most prominently, Egor Homakov) have repeatedly demonstrated the combination of a) using OAuth in certain configurations and b) having an open redirect on the OAuth consumer site allows an interested attacker to achieve privileges from the OAuth provider site to the limit of a trusted consumer site.

What does that mean? Alice uses Bob's site, which she trusts, and authorizes it to operate her Twitter account for some limited purpose. Bob's site includes an open redirect. Mallory carefully crafts a URL that theoretically exists on Bob's domain but redirects to a server Mallory controls (which displays a cute cat photo and exfiltrates the OAuth token) and then posts it, as one does with cat photos, somewhere where Alice can see it. If Alice sees that cat photo, Mallory can now manipulate Alice's Twitter account to the maximum extent permitted to Bob.
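To make the defender's side of the scenario above concrete, here is an added example (not code from the thread or from any of the sites mentioned) showing the two checks that close this hole: the consumer site refusing to redirect anywhere but its own host, and the provider matching the OAuth `redirect_uri` exactly against what was registered. The host name `bobs-site.example` and the allowlists are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed values for a hypothetical OAuth consumer, "Bob's site".
SITE_HOST = "bobs-site.example"
ALLOWED_HOSTS = {SITE_HOST}

# What the OAuth provider has on file for this consumer (constructed).
REGISTERED_REDIRECT_URIS = {"https://bobs-site.example/oauth/callback"}


def safe_redirect_target(next_url, fallback="/"):
    """Consumer-side check: only follow a post-login 'next' URL that stays on our host.

    Rejects absolute URLs to other hosts, protocol-relative '//evil' forms,
    userinfo tricks like 'https://bobs-site.example@evil.example/', backslash
    confusion, and non-http schemes. Anything doubtful falls back to a safe page.
    """
    if not next_url:
        return fallback
    # Some browsers treat '/\evil.example' like '//evil.example'; normalise first.
    candidate = next_url.replace("\\", "/")
    parsed = urlparse(candidate)
    if parsed.scheme not in ("", "http", "https"):
        return fallback
    if parsed.netloc == "":
        # Relative target: must be a single-slash absolute path on this site.
        if not candidate.startswith("/") or candidate.startswith("//"):
            return fallback
        return candidate
    # Absolute target: hostname (not the raw netloc, which may carry userinfo)
    # must be exactly one of ours; subdomains of attacker domains do not match.
    if parsed.hostname not in ALLOWED_HOSTS:
        return fallback
    return candidate


def redirect_uri_is_registered(redirect_uri):
    """Provider-side check: the redirect_uri must match a registered URI byte for byte.

    Prefix or host-only matching is what lets an open redirect under a trusted
    consumer's domain receive the token; exact matching denies it.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS


if __name__ == "__main__":
    for url in (
        "/account?tab=apps",
        "//evil.example/cat.jpg",
        "https://bobs-site.example@evil.example/",
        "https://bobs-site.example/home",
    ):
        print(url, "->", safe_redirect_target(url))
    print(redirect_uri_is_registered("https://bobs-site.example/oauth/callback"))
    print(redirect_uri_is_registered("https://bobs-site.example/redirect?to=https://evil.example"))
```

The provider-side exact match is the check that holds up even when a consumer ships an open redirect it does not know about, which is why it is the one worth insisting on.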