2007-06-13

Stop Giving out Your Passwords

Over the past 2-3 years, as this web 2.0 thing has come to be official jargon, another term that has become popular is "SOA". For those of you who are new to the term, SOA stands for Service Oriented Architecture and is more commonly referred to simply as a "web service". This effectively means that web sites expose functionality via a service using a protocol like REST, XMLRPC or the dreaded SOAP. The typical example is that of a calculator: you have a calculator web service that people hook their applications into, and it provides all your calculating needs without the developers doing the integration having to know anything about subjects such as addition and subtraction.

Some web sites have taken SOA to mean, "Anything you expose via a web page that can be scraped, I can use." This means that more and more frequently, users are being asked to provide their username and password for sites such as GMail, Yahoo Mail and MySpace. Once you have given a third-party site your credentials, they log in as you and scrape information like contacts and friends. While this isn't a new practice, it only seems to have become widely accepted over the past few years.

If you are a user and are asked for your credentials, should you provide them? I would say, as a general rule, no. However, in the real world it really all depends on a variety of factors, such as what kind of data you are exposing, how much you trust the third party and the level of utility being provided by the service. My assumption is that most users implicitly trust many of these third parties and simply assume that they would not be asked for this information unless it was needed. The additional use of GMail/MySpace/etc. corporate logos makes the request seem even more legit.

As a third-party site, what are your ethical and legal responsibilities to your users? I would argue that if a service such as GMail provides an authentication mechanism (they do) which doesn't require you to actually process the login or store any user data, you have a responsibility to use it, even if it doesn't mesh with corporate branding. Additionally, you should give users the option to store their credentials or not, and assume this automatically. Use of a logo without permission I believe to be another no-no, as it implies endorsement.

As a popular web site, realize that third parties will want to integrate with you. For the sake of your users, provide at a minimum a token-based authentication system that third parties can use. You could also just get on the wagon and embrace web services like everyone else (I'm looking at you, MySpace). In short: users, stop giving out your passwords, and providers, STOP ASKING FOR THEM. The security community has enough problems without having companies instill in end users the idea that giving out their password is okay.
