Ah, what an ego-boost: you can now display your Twitter rank … I mean your Twitterank. All you have to do is enter your Twitter userid and password:
How nice … but perhaps a bit dangerous?
Twitterrank is a vast conspiracy I created to steal all of your passwords and shame Twitter into OAuthing. And to make you look vain.
Or not … here’s some clarification from the Twitterank blog:
No, I am not a phisher. I don’t even store your password. Your password gets used once to calculate your Twitterank, and is never stored on disk or any other permanent storage device. Having said that, people do need to be more careful about giving away their account information. I’m not evil, but the next guy might be.
TechMeme is ablaze with discussion of whether Twitter users really became victims of a grand password-harvesting scheme. Oh, well, so someone will chatter on your behalf? Unfortunately there’s a lot more to it, and I am surprised no one has pointed it out yet:
Statistics show that over 60% of Internet users have a favourite set of login credentials and use that single set across many systems. Yes, that may very well include email, online banking, broker accounts! I know this sounds crazy – but we’re lazy (wow, that rhymes).
So whether Twitterank is really stealing your access info is almost secondary: take this opportunity to rethink your online security. Some of the options we all have:
- Use the same, or very few, userid/password combos on all sites, so we can remember them without having to write them down or physically store them in any form. This may not have been that bad… years ago, when we all accessed less than a handful of sites. With the proliferation of Web usage, this practice has become a time-bomb waiting to explode.
- Use some variation of the basic credentials, simple enough to remember the actual “algorithm”, i.e. some characters from the site name combined with your own “standard” keywords. The benefit is that you use different credentials on every site (which you probably would not remember, but can re-construct every time), and still don’t need to record all the passwords. The weakness is that once the bad guys get hold of your passwords from two or three sites, they can pretty much figure out your simple algorithm.
- Use different credentials on every site, preferably strong ones. The benefit is obvious – very secure – but they would be impossible to remember, so you would need to record them somewhere, whether on paper or in electronic form, which is itself a huge security risk.
- Use different, strong credentials, and use a “password manager” system. There have been a number of client (PC) based solutions, or ones that code your information on a USB stick, but I don’t want to depend on anything tied to a physical location/device. I am experimenting with Web-based solutions, but am not fully convinced. Could it be OpenID or a dedicated system like PassPack? But what if your info there gets compromised, and exposes everything?
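To make the second and fourth options concrete, here is an added example (not code from the original post or from any product it mentions) in Python. It puts the “simple algorithm” of the second option next to what a deterministic password manager does instead: derive each site’s password from a master secret with a key-derivation function (PBKDF2-HMAC-SHA256 from the standard library), with the site name and a rotation counter as the salt. The site names, the keyword `Secret1` and the master secret are constructed sample values. A small `shared_suffix` helper shows why the weak scheme gives itself away: three of its passwords share the whole keyword, while three KDF-derived passwords share nothing.

```python
import hashlib
import string

# Output alphabet for derived passwords: letters, digits and symbols most sites accept.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def weak_site_password(site: str, keyword: str = "Secret1") -> str:
    """The 'simple algorithm' from the post: a few characters of the site name
    glued to a fixed personal keyword. Easy to remember, but the keyword appears
    verbatim in every password, so a couple of leaks reveal the whole scheme."""
    return site.split(".")[0][:3].capitalize() + keyword


def derived_site_password(master: str, site: str, counter: int = 1,
                          length: int = 20, iterations: int = 200_000) -> str:
    """Deterministic password-manager style derivation (assumed design for this
    example): PBKDF2-HMAC-SHA256 over the master secret, salted with the
    normalised site name plus a counter. Bumping the counter rotates one site's
    password without touching the others, and no password has to be stored."""
    salt = f"{site.strip().lower()}:{counter}".encode("utf-8")
    dk = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
    # Convert the 256-bit key to base len(ALPHABET). 20 symbols from a 66-symbol
    # alphabet need ~121 bits, so the 256-bit key covers it with negligible bias.
    n = int.from_bytes(dk, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


def shared_suffix(passwords) -> str:
    """Longest common suffix of a list of passwords: a quick measure of how much
    of a derivation 'algorithm' a handful of leaked passwords gives away."""
    if not passwords:
        return ""
    rev = [p[::-1] for p in passwords]
    prefix = rev[0]
    for p in rev[1:]:
        i = 0
        while i < min(len(prefix), len(p)) and prefix[i] == p[i]:
            i += 1
        prefix = prefix[:i]
    return prefix[::-1]


if __name__ == "__main__":
    sites = ["twitter.com", "gmail.com", "chase.com"]   # constructed sample sites
    master = "correct horse battery staple"              # constructed sample secret

    weak = [weak_site_password(s) for s in sites]
    strong = [derived_site_password(master, s) for s in sites]
    for s, w, d in zip(sites, weak, strong):
        print(f"{s:12} weak={w:14} derived={d}")
    print("weak scheme shared suffix   :", repr(shared_suffix(weak)))
    print("derived scheme shared suffix:", repr(shared_suffix(strong)))
    print("after rotating twitter.com  :", derived_site_password(master, "twitter.com", counter=2))
```

The trade-off the post asks about still applies: with a deterministic scheme there is no vault to leak, but the master secret is the single point of failure, so it should be long, used nowhere else, and combined with a second factor wherever the site offers one.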
With that, I’d like to turn this over to the security experts – we have a few here @ Cloudave (and I suppose quite a few more amongst our readers). What do you think? What’s the ideal Web-login policy?
Related articles:
- Gullible Twitter users hand over their usernames and passwords – did you get your Twitterank yet?!
- Is Twitterank Ranking Your Popularity Or Stealing Your Password?
- Twitterank Can Have My Password, No Questions Asked
- Sheep Line Up in Perfect Twitter Formation
- Twitterank, a social engineering phishing nightmare
- Twitterank Creator Speaks
- Tuttle/Buttle
- Just because you’re a Twitterati doesn’t mean you’re smart about security
- How easily do you surrender your password?
- Bad Form: 61% Use Same Password for Everything

This is the first time I have ever come across Twitterank. It does seem like a tempting offer – I always like to know how ‘cool’ I am considered in the social networking sphere, but you bring up perfect points in this post.
A lot of people wouldn’t think twice about putting their credentials into a site (legit or not), mostly because the information they would share, they share with 60% of other sites as well. NOT a good thing. We do need to think about how the internet is evolving and realize that what was once ok (reusing passwords) is no longer.
You mentioned Passpack – I work for Passpack : )
I try to diffuse the importance of poor password habits (just like these in your post) – but I thought you may be interested in having a bit more security info on Passpack, so you can be sure that your info is at least 149 trillion times safer in Passpack than it is without:
http://tinyurl.com/48qfxb
(a post from our blog)
Louise
Yeah, it’s true! There are idiots out there. And thanks to them we get blackhole blacklisting and such. But why should I care about some moron who uses a single password for their accounts. It’s nice to tell them “don’t use your same password” just like we tell people “wash your hands after you use the potty”. Someone doesn’t wash and we all get sick. It happens. Is there a Final Solution? Perhaps. Is it ethical though?
You can use MashedLife.com to achieve that. I’m amazed with their useful functions and pushing simplicity, usability and security to the extremes.
Most importantly, it is open-sourced, and is compatible with all other password utilities you name it.
2 thumbs up on mashed life.
Best