It’s not just you.
A new site called My Name Is E launched for beta testing today. Eager geeks rushed to sign up for the contact aggregation service. The second step of the process involved handing over your Twitter username and password. This request was dutifully obeyed by the eager geeks.
This is a classic example of the password anti-pattern. And this time it bit the willing victims on the ass. My Name Is E used the credentials to log in to Twitter as that person and post a spammy message from their account.
This is identity theft. It’s not as extreme as having your credit card used or having somebody get in to your email account but it’s still an unrequested violation of personal details. I’m very interested in hearing how the willing victims felt when they saw the message appear on Twitter with their own name and their own avatar next to it. I imagine adjectives like “outraged” and “shocked” would describe the initial reaction but I wonder if “embarrassed” would be far behind.
The “auto-tweeting feature[sic]” was removed within hours in response to the overwhelming negative reaction, as demonstrated on Get Satisfaction. What’s ironic, in the Alanis Morissette definition of the word, is that the Get Satisfaction page features a “share” tab that includes a link to “Twitter this.” Click it. Go on.
Needless to say, I disapprove of what My Name Is E did. But I don’t lay the blame entirely at their feet. Frankly, I’m really disappointed that so many people who really ought to know better were so quick to hand over their Twitter password to any site other than Twitter.
I blame Facebook.
I don’t mean that facetiously. I really do blame Facebook. I also blame Digg. And LinkedIn. And Plaxo. And Twitter.
All of those sites—and many others—actively, sometimes aggressively, use the password anti-pattern. Together they have created a pervasive atmosphere in which it is now completely acceptable for even seasoned geeks to throw their passwords ‘round like car keys at a dodgy ’70s party.
I’ve been banging on about the password anti-pattern for what feels like ages now. I keep saying that it’s teaching users how to be phished. After a particularly dispiriting discussion of OAuth on the iPhone, Simon went one further and put it in the past tense.
I fear that Simon may be right. But I’m not going to give up hope just yet. Now that Google, Yahoo and Hotmail all have OAuth-style contacts APIs, I think the tide could still be turned.
OAuth came out of my worry that if the Twitter API became popular, we’d be spreading passwords all around the web. OAuth took longer to finish than it took for the Twitter API to become popular, and as a result many Twitter users’ passwords are scattered pretty carelessly around the web. This is a terrible situation, and one we as responsible web developers should work to prevent.
So while Twitter positively encourages the password anti-pattern (by example and by design), the situation is very different now for Google, Yahoo and Microsoft. Access to those web-based email services is used as justification for the majority of instances of the password anti-pattern. Now that they all offer alternatives, the only reason for abusers (like Digg and LinkedIn) not to switch from the password anti-pattern to using the official APIs is development time and priority.
Those are valid reasons for not immediately making the switch so I understand that not everybody scrambled to implement, say, the Google Contacts API in the week it came out. But it was released in March. It is now September. Surely that’s long enough for even a low priority task to get implemented?
I realise that I sound very negative in my finger-pointing here so I’d like to give credit where credit is due. Back in March, I listed a chart of web sites who were using the password anti-pattern but who I hoped would switch over. Shame on me for not including Flickr in the list because they were the first to follow Dopplr’s lead and scrap the anti-pattern in favour of a seamless import feature. Shame on me also for putting Last.fm at the bottom of the list. As part of their recent redesign, they too scrapped the anti-pattern. Good for them!
At the top of my list of sites I expected to ditch the anti-pattern was Pownce. Alas, they’re still not all the way there (Yahoo import is working correctly; GMail and AOL aren’t). But after some petulant grandstanding on my part, I have been assured that they are working on it.
I know I should care more about the big abusers like LinkedIn and Facebook than the little guys like Slideshare and Pownce. But it’s precisely because I love Pownce so, so much that it upsets me to see them get such an important thing so wrong when they get everything else so, so right.
Y’see, I’ve been thinking of putting my money where my mouth is. I should really plant a flag in the sand and set a date in the not-too-distant future (like maybe early next year) beyond which I will simply refuse to use any site that implements the password anti-pattern …and delete any existing accounts.
Now, I wouldn’t mind doing this for LinkedIn, Digg or Facebook (I’ve already done it for Plaxo). I wouldn’t miss those sites. I don’t have any strong attachment to those sites. But I have a very strong attachment to Pownce and I would miss it very, very much if I were to delete my account there.
I’d also have to delete my Twitter account, which would probably feel like losing a limb. It’s not that I feel a strong emotional attachment to Twitter—using Twitter often feels like being in an abusive relationship with a Fail Whale—but it’s so pervasive that it would be like swearing off using email, or chat, or the telephone.
Besides, what difference would this grandstanding of mine make? I’m just one measly account. But if other people were to join me …well, perhaps that might affect the speed and priority of abandoning the password anti-pattern.
I could set up a Wiki, or something similar; somewhere where others could add their voice to the call to remove the password anti-pattern. It needn’t be wholly negative either: it could double up as a place for listing useful resources for developers who want to implement OAuth-style APIs.
So I have a few questions for you:
- Is this a good idea or am I tripping?
- Would you abandon sites that refuse to ditch the password anti-pattern?
- Do you know of any good, easy-to-implement Wiki software?
- Yes, just not twitter
Wow. I am now subscribing to your feed. Excellent article.
- I think it is a great idea
- Most definitely. I wouldn’t support sites that openly engage in poor practices that could potentially harm or compromise the identity of others.
I think it’s a great idea! The only way to bring it to their attention is if they had people leaving.
If you could collect names on the wiki, against the sites it could make a better case.
Some I would find hard to leave but others, I probably would be doing myself a favour :-)
I haven’t implemented any wikis but I’ve heard PBWiki is supposed to be good.
Couldn’t agree more Jeremy. I only caught the kerfuffle on Twitter but the thought instantly flashed through my head: "Haven’t we learned by now?".
My scheming alter-ego thanks these spammy companies for teaching people the importance of not giving up their damn passwords; better they learn from an embarrassing tweet than from something critical. Yes, of course the sites should lead the way and not offer the noose to users’ heads, but I fear that’s a near-Sisyphean challenge given the number that sprout up every day. I think we need to keep plugging away at the users too. ‘Muppets’ isn’t as strong as the term I’d use.
Although I like your plan, my only is that if a noble few try to hold the apps hostage by threatening to leave, they’d likely not care. They’d merely lose a thin slice of early ubergeek adopters and go about their merry way grabbing the mainstream by what the CMO stupidly considers a ‘viral’ method. There’s a new password-volunteering sucker born every minute.
Awesome article and I couldn’t agree more. To answer your questions.
- No, you’re definitely not tripping.
- I’m not sure if I could ‘afford’ to. Suspending my accounts might be a better, but probably less effective, option.
- :D I’d say go for it.
After reading the password anti-pattern post you made almost a year ago, I am wondering if you consider the following a password anti-pattern as well.
Lots of user driven sites are able to either send you your password. They do this either after you’ve signed up with them or after you click some sort of "I forgot my password" link. Besides the fact that they send you your password in plain text which is bad in itself, what bugs me the most about this is that they ARE ABLE TO.
What this means is that they actually store your password either in plaintext or are able to deduce your password by using some sort of two-way method to retrieve it. Wouldn’t the correct (and only?) way of doing this be storing a (salted) hash of the password?
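As an added illustration of the distinction this comment draws (example code, not from the post or its commenters), the following Python contrasts a reversible encoding that lets a site e-mail a password back with a salted one-way PBKDF2 hash that only lets it verify a login; the function names and iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical helper names; this is an added example, not code from the post.

def reversible_store(password: str) -> str:
    """What a site that can e-mail your password back is effectively doing:
    keeping an encoding (or two-way encryption) it can undo at will."""
    return base64.b64encode(password.encode()).decode()

def reversible_recover(stored: str) -> str:
    # Anyone with read access to the user table gets the password back.
    return base64.b64decode(stored).decode()

ITERATIONS = 200_000  # assumption: tune to the hardware; more rounds slow guessing

def hash_store(password: str, salt: bytes = b"") -> str:
    """Store a salted, one-way PBKDF2-HMAC-SHA256 digest. Nothing in the record
    can be undone to get the password, so the site can only reset it, never send it."""
    salt = salt or os.urandom(16)  # a fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def hash_verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and round count, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```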
Jeremy - any thoughts on how mobile sites or apps might avoid this pattern too?
I’m glad to see you continue to beat the drum on this important topic.
It’s indeed hard to see why these companies (especially the larger ones, with hundreds of engineers at their disposal) haven’t corrected this anti-pattern.
I’d happily lose my Facebook account (with which I already endure a love-hate relationship), yet of course there is no such thing as Facebook account deletion. Frankly I think that issue could be in a similar regard to that of the anti-pattern (if I no longer want a relationship with a company, I should be able to remove my data from their servers).
I guess I would be willing to join in on such a stance, but I would want to know that I was being joined by others for it to have any effect.
As to wiki software, I’m not sure if you are looking for a product which you can host on your own servers, but I do like pbwiki (http://pbwiki.com) very much.
Short and to the point: 1) No, it’s a good idea. They know, and they should care. 2) Yes. I’m just a small voice in the crowd, but six degrees of separation and all that… 3) pbwiki? I’ve installed and set up MediaWiki in under 30 mins as well, but I can’t comment on its suitability for the task.
We’re (still) working on it at LinkedIn, Jeremy. Like Pownce, we’ve got Yahoo!’s API implemented, and I understand that GMail and Windows Live Mail are next.
Keep fighting the good fight.
I’ve been following your "banging on about the password anti-password" for what feels like ages now. Yet every time I read about it again I feel more annoyed that things aren’t changing.
Surprisingly, of all the corners of the web I frequent, your corner is the only place I recall reading about it. I don’t ever sign up for new services now which use the password antipattern, but like you I’m an existing user of a few which I would find very hard to leave.
To answer your questions:
It’s a good idea, but (and I don’t think you need me to tell you this) getting support will be hard.
I don’t know. There are probably a couple I’d be loath to ditch entirely. Stop using, I’d probably manage, but I’m a data/archive nut, so delete might be a stretch.
Not really, though I’ve used both MediaWiki and DokuWiki; both are relatively easily implemented and of reasonable quality. I’d go with MediaWiki simply because of the large number of people familiar with its syntax.
I think that’s a good idea Jeremy. I was just looking at PayPal, who obviously have to take the risk of phishing seriously, and using their Payments Pro, they allow you to take a customer’s card details on your site, but not their PayPal username and password.
I think the only way to get it right is to create a non-malicious widget that takes a user’s Twitter details, then tweets to say they have been hacked and the password anti-pattern is bad, mmkay.
- Yes, maybe
I wouldn’t abandon sites that refuse to ditch the password anti-pattern and thus am not sure it’s a good idea. Many of them are good sites and I sympathize with how hard it is for developers to find the time to fix something that’s not broken (just kitten killing).
If you can’t find enough people to amputate limbs along with you it won’t work. Hopefully you’ll be able to judge by the comments how much support the idea has and make your decision from there.
Great post. You are not tripping, and I would definitely abandon sites who keep asking me for credentials for other services in order to become useful.
(You could always use pbwiki, if you don’t want the trouble of setting up something like MediaWiki or DokuWiki yourself)