Recent activity
Jeff Smith replied on February 07, 2009 23:15 to the question "Password Sharing Discomfort" in Ping.fm:
@devnet I am not sure that you are really understanding what is being said here. No one is saying that they have a problem with ping.fm "authenticating" to a third party site (such as Friendfeed), but there is a problem when I have to enter my username/password on ping.fm's site to access the third party site. On the other hand, using something like OAuth or an API key, I can still authorize ping.fm to perform certain activities on my behalf without giving my username/password directly to ping.fm. What's the difference?
- I can revoke the granted access very easily without having to change my password
- this does not give the same level of access as a username/password (for example, using the friendfeed API key won't allow my profile to be deleted, etc).
- it doesn't break the Terms of Service for most sites, which explicitly forbid you from giving out your username/password to external parties.
If my explanation isn't clear, just do a Google search for social network password antipattern and you will find many more articles discussing the issue in detail.
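The revocation and limited-access points in the reply above, as an added example that is not part of the original post and not any site's real API. The `Account` class, its methods and the scope names `post` and `delete_profile` are hypothetical, constructed to show how a delegated key differs from a shared password.

```python
import hashlib, hmac, secrets

class Account:
    """Constructed model of a third-party account (hypothetical, not a real site's API)."""
    def __init__(self, password):
        self._salt = secrets.token_bytes(16)
        self._pw = self._hash(password)
        self._keys = {}          # sha256(key) -> set of scopes the key may use
        self.posts, self.deleted = [], False

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self._pw, self._hash(password))

    def issue_key(self, password, scopes):
        # Only the owner, on the account's own site, mints a delegated key.
        if not self.check_password(password):
            raise PermissionError("bad password")
        key = secrets.token_urlsafe(32)
        self._keys[hashlib.sha256(key.encode()).hexdigest()] = set(scopes)
        return key

    def revoke_key(self, key):
        # Revoking a key leaves the password and any other keys untouched.
        self._keys.pop(hashlib.sha256(key.encode()).hexdigest(), None)

    def _authorize(self, credential, scope):
        # A password grants every scope; a key grants only what it was issued for.
        if self.check_password(credential):
            return True
        allowed = self._keys.get(hashlib.sha256(credential.encode()).hexdigest(), ())
        return scope in allowed

    def post(self, credential, text):
        if not self._authorize(credential, "post"):
            raise PermissionError("not authorized to post")
        self.posts.append(text)

    def delete_profile(self, credential):
        if not self._authorize(credential, "delete_profile"):
            raise PermissionError("not authorized to delete profile")
        self.deleted = True
```

An aggregator holding only a key issued with the `post` scope can publish updates, cannot call `delete_profile`, and loses all access once the owner calls `revoke_key`, with no password change needed.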
A comment on the question "Password Sharing Discomfort" in Ping.fm:
Why don't you just give me your passwords then? I'm on the web so you can trust me. – Jeff Smith, on February 07, 2009 01:58
Jeff Smith started following the question "Password Sharing Discomfort" in Ping.fm.
Jeff Smith replied on July 05, 2008 22:40 to the discussion "Asking for users' 3rd party service passwords" in Ping.fm:
Thanks for the quick feedback Sean. As I mentioned in my original post, I completely understand that something like OAuth support is not a problem that Ping.fm can solve on its own. Even if the solution is not OAuth, I know that sites like FriendFeed provide an API key that can be used instead of a user's password. At least this allows the user more control of external access to their account.
To be honest though, my concern is not just with Ping.fm's internal security, but it is also with the idea that it is OK to ask users for their passwords. Jeff Atwood described the concerns much better than I can in a recent article (http://www.codinghorror.com/blog/arch...) - including issues like phishing and terms of service agreements.
Thanks for listening and I look forward to the day when I can use your services without providing any 3rd party passwords :)
Jeff Smith started a conversation in Ping.fm on July 05, 2008 22:10:
Asking for users' 3rd party service passwords
I was quite excited to sign up for Ping.fm when I first heard about it - it is definitely addressing a problem that needs a solution. But I was very disappointed when I went to set up my external services and ping.fm asked for my password to those services (twitter, friendfeed, etc.). This is such a bad idea that it has already been labeled a social-networking anti-pattern (http://microformats.org/wiki/social-n...).
I totally understand that this is not completely Ping.fm's fault - but I am afraid that I won't be setting up any of my external accounts using this approach.
Is there any work being done at Ping.fm for supporting OAuth?
Jeff
