Web Apps and Password Security

By Chris Josephes
November 12, 2008

About twenty years ago, a retailer asked me for my PIN number. This particular record store did not fork over the money for a check verification service, so their only suitable alternative was to call every bank's automated phone system, pretend to be the customer, and verify the account balance before accepting the check. When the clerk behind the counter told me of his unique process, I politely asked for my check back and never visited that store again.

That was still a pretty easy call to make. First, I knew I could buy those cassette tapes at a different music store, and I knew from internal prejudices that the cashier I was dealing with didn't appear trustworthy (i.e., he looked stoned and inattentive). It also helps that banks have been telling their customers for years to never share a PIN number or write it down on the card itself.

When you deal with web sites, it gets harder to know whom to trust. Some may have an enticing offer that nobody else has, or they may have a nice design to appear reputable. The verification tricks we relied on to judge people are not relevant when it comes to online dealings.

There have been a few interesting Tweets floating around regarding TwitterRank, which may or may not be harvesting passwords. Yes, it asks for your username and password, but there's no way to know what the program does with it after it gets sent. The source code of the main HTML page actually has this little quote:

<!-- <p class="">
I am about to ask you for your Twitter user ID and password. You should be afraid. This is where you ask yourself, "Do I really want to find out my twitterank badly enough to give some random dude on teh interweb my account info?" And if that's not what you're asking yourself, shame on you. </p> -->

Either it's an honest comment regarding security, or it's that clever defense strategy of pointing out the potential for abuse to put yourself above suspicion. The developer behind the application does clearly say that he needs the info to access information from the Twitter API. Once that part's done, there's some Ajax/Web 2.0 magic that makes a call to Google Analytics to check your page rank.

If you use a unique username and password for Twitter, your risks are minimal. The evil hacker can only get his kicks by pretending to be you and telling the world that you're sitting around in your underwear, watching Knight Rider. If that same username and password works for other accounts, you could be in big trouble.

But this isn't the first time Twitter users may have given their credentials out freely. If you were a Twitter user and a first-year iPhone user, you may have used TwitterForIphone. That was another web application that also asked for your username and password. It was slightly more credible, because there was no way the application could work if the password wasn't supplied. But it should still have concerned users. That application was never developed by Twitter employees, it was not hosted on Twitter servers, and most users probably never realized it.

I'm not accusing either of these applications of breaching trust, because there's no way to be sure they're being dishonest. The only way to be sure would be to examine the environment the application is hosted on. The web server could be writing the form details to a file (without the web application knowing about it), or there could be a packet capture application running on the host. If the application is hosted on a cloud infrastructure, the developer may not even be able to provide a full guarantee of trust.

Without a sense of trust, applications like these should not be used. If they do provide a valuable service, and you still want to take the risk, use a username and password that doesn't tie into other services you're using.

If you're the author of a third party web application, ask yourself if receiving this information is worth the hassle. Even though you may not save the password that is passed along to you, you can't deny that you have become a steward to someone else's confidential data. Even if you are trustworthy, you're opening yourself up to a lot of potential headaches.
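One of the "writing the form details to a file" channels mentioned above needs no malice at all: if a login form submits with GET, the username and password land in the query string, and the web server's ordinary access log records them on every request, whatever the application itself does with them. The following is an added example (not code from the post, TwitterRank, or TwitterForIphone) that a third-party app author can run over their own access log to find out whether credentials are already sitting on disk. It assumes Apache/nginx-style Common Log Format lines; the log entries, the `/rank` path and the parameter names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that usually carry a secret in a login form.
# Constructed list for the example; extend it to match your own form.
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Matches the quoted request line of a Common/Combined Log Format entry,
# e.g. "GET /rank?user=alice&password=hunter2 HTTP/1.1"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access log. Line 1 is a GET login whose credentials
# are now part of the log; line 2 is the same login sent as POST, whose
# body the access log does not record; line 3 is unrelated traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2008:10:01:22 -0600] "GET /rank?user=alice&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Nov/2008:10:01:23 -0600] "POST /rank HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Nov/2008:10:02:01 -0600] "GET /static/logo.png HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
]


def find_leaked_params(target):
    """Return the (lower-cased) names of secret-bearing query parameters
    present in a request target such as '/rank?user=alice&password=x'."""
    query = urlsplit(target).query
    # keep_blank_values so an empty 'password=' is still reported
    return sorted({name.lower() for name, _ in parse_qsl(query, keep_blank_values=True)
                   if name.lower() in SECRET_PARAMS})


def scan_access_log(lines):
    """Return [(line_no, method, [param, ...]), ...] for every log line whose
    request target carries a secret-bearing parameter."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        leaked = find_leaked_params(m.group("target"))
        if leaked:
            findings.append((n, m.group("method"), leaked))
    return findings


def redact_target(target):
    """Replace the values of secret-bearing parameters so an existing log
    line can be kept for debugging without keeping the credential."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for line_no, method, params in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} request logged with {', '.join(params)}")
    print(redact_target("/rank?user=alice&password=hunter2"))
```

Moving the form to POST keeps the credentials out of the standard access log, but not out of a packet capture on the host or out of any debug logging that dumps request bodies, so the scan above covers only the one channel it names; the rest still comes down to the trust the post is talking about.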
