Feb 05 2013

The latest Twitter password hack did affect me, but fortunately I had already switched to the one-password-per-site philosophy. I store all my passwords in LinkeSoft’s Secret!, along with other information that I want to keep on my computer and on my phone in an encrypted form. I just wish the Mac version synced with Android.

One bright spot in the issue was the fact that I didn’t have to change anything in all my apps that use my Twitter account, since they all have their own tokens, independent of my Twitter password. OAuth is usually said to be good because you can revoke access for any application at any time; this was the first time it became obvious to me that the other advantage is that you can change your main password at any time without needing to update any other client. Can other applications that have web access and smartphone app access please take note?
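The two properties described above (per-client tokens survive a password change, and one client can be revoked without touching the others) come from keeping the token store separate from the password credential. The following is an added illustration, not Twitter's code or any OAuth library's: a toy authorization server where the password is used only once, at consent time, each client then gets its own random token, and verification of API calls checks only that token. All names (`AuthServer`, `authorize_client`, the sample users and client ids) are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constructed example: a minimal token store in which per-client access
# tokens are independent of the account password. Not a real OAuth
# implementation; it only demonstrates the separation of credentials.


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash for the user's password (the primary credential).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_token(token: str) -> str:
    # Tokens are high-entropy random strings, so a plain hash is enough
    # to avoid storing them in clear text.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    # client_id -> hash of the access token issued to that client
    tokens: dict = field(default_factory=dict)


class AuthServer:
    def __init__(self):
        self.accounts = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def check_password(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash,
                                   _hash_password(password, acct.salt))

    def authorize_client(self, user: str, password: str, client_id: str) -> str:
        """The only step that needs the password: the user consents and the
        client receives its own token, which is returned exactly once."""
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.accounts[user].tokens[client_id] = _hash_token(token)
        return token

    def verify_token(self, user: str, client_id: str, token: str) -> bool:
        """What an API call checks: the client's token, never the password."""
        acct = self.accounts.get(user)
        if acct is None:
            return False
        stored = acct.tokens.get(client_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, _hash_token(token))

    def change_password(self, user: str, old: str, new: str) -> None:
        if not self.check_password(user, old):
            raise PermissionError("bad credentials")
        acct = self.accounts[user]
        acct.salt = os.urandom(16)
        acct.password_hash = _hash_password(new, acct.salt)
        # acct.tokens is deliberately left untouched: clients keep working.

    def revoke_client(self, user: str, client_id: str) -> bool:
        """Remove one client's token; other clients are unaffected."""
        return self.accounts[user].tokens.pop(client_id, None) is not None


def demo() -> dict:
    srv = AuthServer()
    srv.register("alice", "correct horse")  # constructed sample account
    phone = srv.authorize_client("alice", "correct horse", "phone-app")
    desktop = srv.authorize_client("alice", "correct horse", "desktop-app")

    srv.change_password("alice", "correct horse", "battery staple")
    after_change = (srv.verify_token("alice", "phone-app", phone),
                    srv.verify_token("alice", "desktop-app", desktop))

    srv.revoke_client("alice", "phone-app")
    after_revoke = (srv.verify_token("alice", "phone-app", phone),
                    srv.verify_token("alice", "desktop-app", desktop))

    return {
        "old_password_still_works": srv.check_password("alice", "correct horse"),
        "after_password_change": after_change,
        "after_revoke": after_revoke,
        "wrong_token_accepted": srv.verify_token("alice", "desktop-app", phone),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the password never reaches the API path at all: a leaked or rotated password changes nothing for issued tokens, and revocation is a per-client delete rather than a global reset.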

OAuth is not necessarily the easiest of protocols to understand, or implement, but these days there are lots of libraries out there that do implement it. When I teach OAuth at the XML Summer School, I always recommend people use existing libraries if possible, to let others do the hard work of debugging all the little details. Another thing I recommend is to get the O’Reilly book “Getting Started with OAuth 2.0” (full disclosure: they sent me a review copy) to understand the concepts. You need to know about various types of tokens and credentials, and how they fit into the multi-layered authentication/authorization protocol dance for the different use cases. Once you have a decent understanding of the concepts, then go and read the actual specification for the details. The specification has lots of information in it, but it’s immensely easier to understand if you already know how the pieces fit together, and that’s where the O’Reilly book is well worth reading.

