Asking for my passwords makes you sound like a phisher
Dudes, I don't know you this well. Err, actually -- I don't know anyone this well.
Yes, I know you want my Twitter password "to use the API." In other words, to fetch my followers? To tweet on my behalf? Will you store this? Will you tweet an ad for your service? What's all this? Not only do you ask for my password, you won't tell me how you'll use it?
And how the hell did you manage to make Facebook ask for my Facebook password when I'm logged in? Just grab an infinite session key. It requires me to check a box and hit OK. This thing made me suspicious and queasy.
And you know what? FriendFeed and MyBlogLog didn't ask me for any passwords. And they had lots more services for me to fill in than Twitter and Facebook.
So anyway. I left it at that for now. Perhaps I'll check back some time later to see if you still want my passwords.
-
Right, so just to explain a few things:
Yes, we need it for the API...mainly so that you're able to post statuses back to those services.
However, our next version will allow you to only give us your Twitter username.
As for Facebook, it asks you for your password because we're using the RESTful API and we're not a Facebook app that sits inside of Facebook. Anytime the actual API is used (not being an internal Facebook app), it asks you to confirm your password. There's really no way around this, unless we built a Facebook app that you added instead, in which case, we'll be exploring this in the near future.
FriendFeed and MyBlogLog don't ask you for passwords because they're not authenticating in the same way. FriendFeed and MyBlogLog also don't aggregate your friends' statuses, photos, anything like that from Facebook into their services.
We're wanting to work with more services to support OAuth so that we don't have to ask for passwords, but for now this is our only choice.
As for the security of your password, in the cases where we (reluctantly) have to ask the user for it, it is stored via a proprietary encryption algorithm which has been highly obfuscated.
One thing that we're trying to figure out if we can add is letting the URL bar persist on the popup that we send you to, so that you can see that we're not phishing you. We don't store the password that's given to Flickr or Facebook, just the token that they pass us, FYI.
-
And as an aside, FriendFeed asks you for your password if you want to send a message back to Twitter.
-
Matt,
Thank you very much for the prompt response!
Yes, being able to start with giving just my Twitter username would be great. If I find I spend time on SocialThing as a destination and want to tweet from there, I'll have time to learn to trust it.
And yeah, a Facebook app is the way to go. I'd be fine adding a web-based app (as Facebook calls it), but it might be more convenient on your end to make it a "desktop" app possibly, and use the equivalent of require_login() instead of require_add(). But these are small technical details. Any of these will not ask for my password.
But at the very least, and this is a simple and immediate change, you might tell me what the password is for. I land there, and boom, give us your passwords. That's just taking it too fast.
Thanks, -- Stas
P.S. "Highly obfuscated proprietary encryption"? Wow. That's very impressive. Having designed one of the five IETF-standard ways to do wire encryption, I can understand how much of an accomplishment this must have been, and how much this adds to the security of my password.
But I'm not here to quibble. At least tell me what you will do with my Twitter password and relabel the "Login" button "Store my Twitter password on SocialThing" so I know what is going on.
-
Thanks for posting this question. I just got my invite today, signed in to SocialThing! and immediately wondered what was happening to my passwords.
I do agree with the suggestion, "At least tell me what you will do with my Twitter password...so I know what is going on."
I’m weirded out