Lobby against the password anti-pattern

Back in January, I wrote about how it’s time to criminalise the password anti-pattern. The password anti-pattern is where service A requires you to enter your service B username and password so that service A can act on your behalf at service B. It trains you to be phished, and the only way to cut off service A’s access afterwards is to change your service B password. It’s also no longer necessary, as lots of sites, including Twitter, now support OAuth.

For example, the popular service TwitPic requires you to enter your Twitter username and password in order to use it. This is exactly the anti-pattern that needs to be lobbied against.
[Screenshot: Twitpic - Share photos on Twitter]

A service that does it right is 140 Mafia, which uses Twitter’s implementation of OAuth: it lets you link the two services together, with your permission, without handing your service B password over to service A.
[Screenshot: Twitter OAuth for 140 Mafia]
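
How the OAuth linking described above keeps service A away from your service B password, as an added Python example that is not code from this post, TwitPic, 140 Mafia or Twitter: service A signs a request with OAuth 1.0a HMAC-SHA1 using its app secret plus a per-user token secret, service B verifies it from its own copies, and revoking the token breaks the link without any password change. All credentials, the URL, the timestamp and the nonce are constructed placeholder values.

```python
import base64, hashlib, hmac
from urllib.parse import quote
# Constructed credentials (placeholder values, not real Twitter keys).
CONSUMER = {"key": "dpf43f3p2l4k3l03", "secret": "kd94hf93k423kf44"}  # held by service A
LINK = {"token": "nnch734d00sl2jdk", "secret": "pfkkdhi9sl3r4s00"}    # the user's authorised link, held by A
PROVIDER_APPS = {CONSUMER["key"]: CONSUMER["secret"]}                 # service B's registered apps
PROVIDER_TOKENS = {LINK["token"]: LINK["secret"]}                     # service B's live access tokens

def pct(s):
    """RFC 5849 percent-encoding: only unreserved characters stay bare."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """METHOD & enc(URL) & enc(sorted, normalised parameters); oauth_signature is excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(method, url, params, consumer_secret, token_secret):
    """Signature keyed by the app secret and the per-user token secret; no password involved."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def consumer_sign(method, url, query):
    """Service A adds the OAuth parameters and signs; it never saw the user's service-B password."""
    params = dict(query, oauth_consumer_key=CONSUMER["key"], oauth_token=LINK["token"],
                  oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131202",
                  oauth_nonce="chapoH")  # fixed for reproducibility; real clients use fresh values
    params["oauth_signature"] = hmac_sha1(method, url, params, CONSUMER["secret"], LINK["secret"])
    return params

def provider_verify(method, url, params):
    """Service B recomputes the signature from its own copies of the secrets."""
    app_secret = PROVIDER_APPS.get(params.get("oauth_consumer_key"))
    token_secret = PROVIDER_TOKENS.get(params.get("oauth_token"))
    if app_secret is None or token_secret is None:  # unknown app, or a token the user has revoked
        return False
    expected = hmac_sha1(method, url, params, app_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

def user_revokes(token):
    """The user withdraws service A's access in B's settings; no password change needed."""
    PROVIDER_TOKENS.pop(token, None)

if __name__ == "__main__":
    url, query = "http://photos.example.net/photos", {"file": "vacation.jpg", "size": "original"}
    signed = consumer_sign("GET", url, query)
    print("accepted:", provider_verify("GET", url, signed))
    user_revokes(LINK["token"])
    print("after revoke:", provider_verify("GET", url, signed))
```

Compare this with the anti-pattern: a service holding your password can only be locked out by changing that password, whereas here the provider drops one token and every other client keeps working.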

Tom Morris now maintains a list on Twitter that catalogues services still using this anti-pattern. Encourage them to switch to the open standard OAuth, or just avoid ‘em. For Data Portability to exist, service providers have a responsibility to be mindful of your privacy, and they should not insist on you handing over your password to other services.
