OAuthypocrisy and the Passwordpocalypse
The OAuthcalypse is upon us. Since August 31st, all third-party Twitter services must use OAuth to authenticate. This is a good thing; a very good thing. Before that date, services were allowed to use the password anti-pattern to log you in.
Twitter has put its foot down and declared that the password anti-pattern will no longer be tolerated. Hurrah!
What a shame then, that Twitter is being utterly hypocritical. On their Find Friends page, they encourage you to:
Scan your email address book or contacts to discover which of your friends are already using Twitter.
They do this using the password anti-pattern. You are asked for your Gmail password even though the Google Contacts API would allow Twitter to connect to Gmail using proper authentication …exactly what Twitter is insisting third parties use when they want to access Twitter’s data.
Twitter does connect to LinkedIn correctly. That’s one out of four.
There are two solutions to this state of affairs. Either Twitter decides to do the right thing and switch over to using APIs and authentication for Gmail, Yahoo and AOL …or else Gmail, Yahoo and AOL follow Twitter’s example and disallow the password anti-pattern for scraping address books.
Twitter should not be encouraging Gmail users, Yahoo users and AOL users to divulge their passwords, but at the same time Gmail, Yahoo and AOL should be taking steps to ensure that such profligate behaviour is not rewarded.
Twitter has done the right thing with third-party services wishing to access its data. Now let’s see if the third-party services currently being abused by Twitter will follow this example.
Update: There are some very encouraging responses from Twitter. Ryan Sarver says:
And Josh Elman concurs: