Never Share Your Twitter Password Again
A few hours ago Twitter’s OAuth private beta was launched and Inuda was one of the lucky 150 users chosen to test it. OAuth is an open protocol that allows secure API authorisation in a simple, standard way from desktop and web applications. What it does is allow you to connect your Twitter account to a third party service without having to share your password with them. This means that if you ever suspect an application of doing something it shouldn’t with your Twitter account, you can simply turn off its connection without having to change your password.
We managed to get a prototype up and running within a few minutes with no problems, so we think it’s fair to say that you should never give your Twitter password to anyone ever again. In a few weeks all developers of Twitter applications will have access to OAuth and they’ll have no excuse other than laziness for not using it. Instead, when an application requests access to your Twitter account you should be redirected to a page at http://twitter.com which will look something like the image shown above.
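To make the “token instead of password” idea concrete, here is an added example (not Inuda’s prototype and not Twitter’s code) that simulates the OAuth 1.0a HMAC-SHA1 request signing the beta relies on. The `ProviderSim` class, the `ThirdPartyApp` class, the `demo()` function and the `api.example.invalid` URL are all constructed for this illustration; the request-token / authorise / access-token dance is collapsed into a single `grant_access` call standing in for the approval page on twitter.com. What it shows is that the app only ever holds a token and token secret, that a request signed with the wrong secret or replayed with an old nonce is rejected, and that revoking the token shuts the app out without the user’s password changing.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(s: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only -._~ are left bare)."""
    return quote(str(s), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD&url&normalised-params, with parameters sorted after encoding."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalised)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    """Key is consumer_secret&token_secret; the user's password never enters the computation."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


class ProviderSim:
    """Constructed stand-in for the API provider: knows app secrets and the tokens users granted."""

    def __init__(self):
        self.consumers = {}    # consumer_key -> consumer_secret
        self.tokens = {}       # access token -> (token_secret, user, consumer_key)
        self.seen_nonces = set()

    def register_app(self, name):
        key, secret = f"{name}-{secrets.token_hex(4)}", secrets.token_hex(16)
        self.consumers[key] = secret
        return key, secret

    def grant_access(self, consumer_key, user):
        """Stands in for the approval step the user completes on the provider's own site."""
        token, token_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = (token_secret, user, consumer_key)
        return token, token_secret

    def revoke(self, token):
        """Turning off an app's connection: the token dies, the password is untouched."""
        self.tokens.pop(token, None)

    def verify(self, method, url, params):
        """Return the acting user if the signed request is valid, otherwise None."""
        needed = ("oauth_consumer_key", "oauth_token", "oauth_signature",
                  "oauth_nonce", "oauth_timestamp")
        if any(k not in params for k in needed) or params.get("oauth_signature_method") != "HMAC-SHA1":
            return None
        entry = self.tokens.get(params["oauth_token"])
        consumer_secret = self.consumers.get(params["oauth_consumer_key"])
        if entry is None or consumer_secret is None or entry[2] != params["oauth_consumer_key"]:
            return None
        token_secret, user, _ = entry
        if abs(time.time() - int(params["oauth_timestamp"])) > 300:
            return None                      # stale timestamp
        nonce_key = (params["oauth_token"], params["oauth_nonce"])
        if nonce_key in self.seen_nonces:
            return None                      # replayed request
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params["oauth_signature"]):
            return None                      # wrong secret or tampered parameters
        self.seen_nonces.add(nonce_key)
        return user


class ThirdPartyApp:
    """What the app stores: its own credentials plus a per-user token, never the password."""

    def __init__(self, consumer_key, consumer_secret, token, token_secret):
        self.consumer_key, self.consumer_secret = consumer_key, consumer_secret
        self.token, self.token_secret = token, token_secret

    def signed_params(self, method, url, extra=None):
        params = dict(extra or {})
        params.update({
            "oauth_consumer_key": self.consumer_key,
            "oauth_token": self.token,
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(int(time.time())),
            "oauth_nonce": secrets.token_hex(8),
            "oauth_version": "1.0",
        })
        params["oauth_signature"] = hmac_sha1_signature(
            signature_base_string(method, url, params), self.consumer_secret, self.token_secret)
        return params


def demo():
    """Walk through grant, valid call, replay, wrong secret and revocation; returns the outcomes."""
    provider = ProviderSim()
    ckey, csecret = provider.register_app("example-client")
    token, tsecret = provider.grant_access(ckey, "alice")   # user approved on the provider's site
    app = ThirdPartyApp(ckey, csecret, token, tsecret)
    url = "https://api.example.invalid/1/statuses/update.json"   # placeholder endpoint
    out = {}
    first = app.signed_params("POST", url, {"status": "hello world"})
    out["valid"] = provider.verify("POST", url, first)
    out["replayed_nonce"] = provider.verify("POST", url, first)
    impostor = ThirdPartyApp(ckey, csecret, token, "guessed-secret")
    out["wrong_token_secret"] = provider.verify("POST", url, impostor.signed_params("POST", url, {"status": "x"}))
    provider.revoke(token)
    out["after_revoke"] = provider.verify("POST", url, app.signed_params("POST", url, {"status": "y"}))
    return out


if __name__ == "__main__":
    print(demo())
```

The provider side is deliberately strict about nonce and timestamp checks: the signature alone proves the caller holds the token secret, but without replay protection a captured signed request could be resubmitted, which is the defender’s reason both checks exist in the real protocol.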

February 12th, 2009 at 3:26
What can one say but “about bloody time”?
February 12th, 2009 at 3:43
It doesn’t look like there’s a mode where the app would not get any access to private data. Why would users trust an app that has access to their direct messages?
This comment was originally posted on Hacker News
February 12th, 2009 at 3:52
Well, Twitter only has 2 modes, public and protected. An app can access anything public through the existing API anyway without authentication.
The only difference here is that you can allow apps your trust to access your private data (or functions, like sending tweets) without giving out your password. As such it’s a big step in the right direction.
Twitter apps have been one of the worst offenders for the username/password anti-pattern because of Twitter’s use of HTTP-Auth for the API.
This comment was originally posted on Hacker News
February 12th, 2009 at 3:57
There are benefits to having the mode I describe:
* your app can perform more API calls without IP-based rate limiting (which can be a real problem when using the Google App Engine due to shared IPs between apps)
* you can be sure that the user is who he/she claims to be (without a DM hack), which is important for some apps
This comment was originally posted on Hacker News
February 12th, 2009 at 4:30
Seriously this is awesome! I might have to draw a Beedoodle about this!
February 12th, 2009 at 5:06
The real story here is that OAuth has much wider and far reaching implications than just Twitter apps. I think we’ve reached the high-water mark of the number of logons and passwords we’ll need to keep track of. I see a future not that far off where everything from Credit and ATM transactions to your Facebook and HN logins are all handled by OAuth.
This comment was originally posted on Hacker News
February 12th, 2009 at 5:59
Brilliant.
February 12th, 2009 at 6:52
Not sure why parent was upmoded. Is there a reason why one would not want this mode added?
This comment was originally posted on Hacker News
February 12th, 2009 at 6:56
An off-topic comment on the RWW ad on the right.
In the ad "Discover the Semantic Web – A Dow Jones Webinar" – Is that woman drawing OWL/RDF diagram?? u must be joking.. how can such a hottie do RDF? its 1:55AM EST.. may be i m hallucinating..
( owl:unionOf ROTFL, WTF )
This comment was originally posted on ReadWriteWeb
February 12th, 2009 at 7:08
This is killer. We think there are huge opportunities & implications for brands and apps dev using OAuth for Twitter. Here are some:
1) Multiple account management tools. Add all your accounts via oauth and use a single account to manage multiple accounts in one place. Who needs multiple accounts? All brands because they have different consumers. For instance, Dell has 18+ twitter accounts, some in 5 languages. A CPG brand may have their wild loyalists and some into them for a specific product feature or attribute.
2) Twitter CRM. If a brand can offer an OAuth access, it will allow someone to follow specific tags or keywords from their streams without having to follow. It will also allow d-m without following to have a back-channel conversation.
3) Instant DM/Search Alerts. If you allow an app access, it can DM you when Tix are on sale, stocks move, your boss is mentioned, etc.
BTW, if you dev any of these tools, message me and we’ll beta/apply. Cheers! Mark Silva, Real Branding
This comment was originally posted on ReadWriteWeb
February 12th, 2009 at 7:54
At the adoption rate it’s going, I can see Facebook Connect replacing a high amount of "secure" websites like bank accounts within the next few years; and that’s unfortunate.
This comment was originally posted on Hacker News
February 12th, 2009 at 7:55
phew, finally!
February 12th, 2009 at 7:59
[...] In terms of more data security at Twitter, things are slowly moving, because as can be read over at Inuda and on ReadWriteWeb.com, the planned OAuth API authorisation for Twitter is [...]
February 12th, 2009 at 8:21
Cool feature to have.
February 12th, 2009 at 8:29
[...] IT, Net, OAuth, Security, Twitter, Web Twitter launches OAuth in a private beta among 150 users; http://tr.im/fwae – http://tr.im/fwaf [...]
February 12th, 2009 at 8:30
RWW: “Twitter OAuth – oft promised but lagging in delivery – had begun to take on a mythical status, leaving many to wonder if it would ever be released. Now, that naysaying could be coming to swift end. It appears that Twitter OAuth has been released into the wild as part of a limited beta. – Why is this important? It means that Twitter applications now have a way to verify user identity without asking for a username and password. Those credentials remain the private property of the user – but he or she still gets access to the tool and his or her Twitter account.”
This comment was originally posted on Wir sprechen Online
February 12th, 2009 at 8:33
This is absolutely brilliant, shall ensure we get it properly integrated into our upcoming Twitter app.
February 12th, 2009 at 8:52
This is great news, and as someone already pointed out, about time.
Good to see Inuda in there with testing this stuff out.
Mike
February 12th, 2009 at 9:17
Very important and not a moment too soon. The current state of affairs was endangering Twitter app growth, b/c some recent apps had clearly been designed to harvest logins, thereby putting everyone under suspicion.
Follow me on Twitter, I follow back:
Twitter.com/AlexSchleber
February 12th, 2009 at 9:53
Twitter has now integrated OAuth…
Finally Twitter has integrated OAuth for the first beta users. That means you no longer have to enter your passwords in each individual mashup….
February 12th, 2009 at 10:03
I can’t see banks handing over authentication to anyone.
This comment was originally posted on Hacker News
February 12th, 2009 at 10:35
An extra point. Apps can choose to be read-only or read/write when they are set up. Will be interesting to see how many opt to be read-only.
This comment was originally posted on Hacker News
February 12th, 2009 at 12:05
Rick – Thank you for the link to my blog post! Great to see so much interest in it.
Mark – Looks like you’re as excited as we are about this!
Our company, Inuda, is now focusing on Twitter application development. We’re also currently running a private beta of a tool that does much of what you are looking for in a Twitter app. It’s called SocialPlume (featured in the screenshot above). We have a holding page up at http://socialplume.com. Please get in touch if you’d like to be one of the first users.
This comment was originally posted on ReadWriteWeb
February 12th, 2009 at 12:30
I am really glad to see this auth coming as there are some unscrupulous developers that exploit user password for a variety of uses. This was much needed and was only a matter of time before it became critical.
Users need this to feel comfortable using apps built off of the API. This will bode well for the long term vision of Twitter as a platform. ’bout time
Large brands and companies that want to build apps off of the api have expressed concerns regarding privacy from a legal standpoint and this will alleviate those concerns.
http://twitterbusinessbook.com
Cheers!
February 12th, 2009 at 14:04
[...] if it would ever be released. Now, that naysaying could be coming to swift end. It appears that Twitter OAuth has been released into the wild as part of a limited [...]
February 12th, 2009 at 15:47
Unless Twitter change their rate limiting model it makes sense to be read-only still. This allows you to tap into the 100 reqs/hr Twitter allocates to users rather than using up the IP rate limit for generic requests.
This comment was originally posted on Hacker News
February 12th, 2009 at 15:51
OpenID actually has support for extensions that can allow you to require additional requirements of the AP (authorizing party). This means a bank could, for example, ask for multi-factor authentication from the AP. I doubt banks will accept generic identity providers in the near future, but I can see them allowing known players in the consumer internet space to provide multi-factor identification.
At the least they could let you identify yourself with another provider and then add additional factors on their side.
This comment was originally posted on Hacker News
February 12th, 2009 at 17:14
Awesome – can’t wait for access so we can get TimePoke using Twitter/OAuth!
This comment was originally posted on ReadWriteWeb
February 12th, 2009 at 17:36
Follow-up thought: oAuth is going to become the default and users will avoid sites asking them for their login/pw. I’m already starting to postpone using services until they implement it.
This comment was originally posted on ReadWriteWeb
February 12th, 2009 at 20:07
[...] all the heavyweights are moving towards adoption of OpenID and OAuth. Twitter today started beta testing OAuth; why should you care? Well, for one, pretty much all Twitter users use some sort of client to [...]
February 12th, 2009 at 20:17
[...] This is the benefits of oAuth [...]
February 13th, 2009 at 4:28
[...] Never Share Your Twitter Password Again, Inuda.com [...]
February 13th, 2009 at 13:34
Looks cool. Hopefully they’ll widen the beta soon.
February 14th, 2009 at 16:34
Robust and reliable implementation of OAuth at Twitter will lead to:
- more visible usage by prominent users: with OAuth they will trust to use Twitter in combination with the many third party add-on applications that are out there;
- faster and broader acceptance in the corporate world, by enabling in a more trusted way integration with corporate systems (CRM systems is just one example; another might be HRM systems).
This comment was originally posted on ReadWriteWeb
February 16th, 2009 at 12:56
[...] But I have always felt that Twitter’s third-party applications lacked a verification method like Friendfeed’s; every time you have to enter your Twitter username and password, which means my phone has to re-enter the username and password every time it logs in to Twitter. That situation, however, will soon be gone for good. [...]
February 16th, 2009 at 17:54
About damn time!
February 19th, 2009 at 13:34
OAuth on its way to Twitter http://tinyurl.com/dgskbs
This comment was originally posted on Twitter
February 19th, 2009 at 15:33
After Twitter+OAuth http://bit.ly/srrCR, GAE+OAuth http://bit.ly/3J2zA, now Dojo+OAuth http://bit.ly/Tw1Mg: need 48 hrs/day to exploit them!
This comment was originally posted on Twitter
February 20th, 2009 at 23:07
Hear! Hear!
This comment was originally posted on OMGRICK
February 20th, 2009 at 23:07
Yeah Mike, me too. I could probably hack something together, but it would take waaay too long and it wouldn’t be remotely elegant. BUT I could design a front-end if someone had the chops to build the app.
Also yes, SCHED is pretty sweet. Looking forward to the SXSW ‘09 update coming soon.
This comment was originally posted on OMGRICK
February 20th, 2009 at 23:07
I’ve never heard of SCHED before – awesome site
and yes, this would be a kick ass tool… for any event. I wish I knew how to do this stuff…
This comment was originally posted on OMGRICK
February 21st, 2009 at 19:40
Like idea of http://tweetake.com/ for Twitter backup, but again password reqd. Wish OAuth was here: http://tinyurl.com/dgskbs
This comment was originally posted on Twitter
February 22nd, 2009 at 21:57
@mcleod Only because I’d heard of this: http://bit.ly/13o1PZ. So I’m waiting for this: http://bit.ly/srrCR
This comment was originally posted on Twitter
February 25th, 2009 at 12:26
I’ve created a Twitter oAuth app which is available for everyone. Check it out at my labs: http://bit.ly/twitter_oauth
This comment was originally posted on ReadWriteWeb
February 28th, 2009 at 10:31
FINALLY!
This comment was originally posted on ReadWriteWeb
March 6th, 2009 at 9:04
[...] in this podcast. Specifically I was thinking about OAuth. Further information can be found here and [...]
January 14th, 2010 at 10:44
I’ve read somewhere that the biggest threat is poor use of passwords rather than malicious shareware or stuff. But this OAuth looks very useful.