Ah, what an ego-boost, you can now display your Twitter rank .. I mean your Twitterank. All you have to do is enter your Twittter userid and password:
How nice … but perhaps a bit dangerous?
Twitterrank is a vast conspiracy I created to steal all of your passwords and shame Twitter into OAuthing. And to make you look vain.
Or not … here’s some clarification from the Twitterank blog:
No, I am not a phisher. I don’t even store your password. Your password gets used once to calculate your Twitterank, and is never stored on disk or any other permanent storage device. Having said that, people do need to be more careful about giving away their account information. I’m not evil, but the next guy might be.
TechMeme is ablaze with the discussion whether Twitter users really became victim of a grand password harvesting scheme. Oh, well, so someone will chatter on your behalf? Unfortunately there’s a lot more to it, and I am surprised no-one has pointed it out yet:
Statistics show that over 60% of Internet users have a favourite set of login credentials and they use that single set across many systems. Yes, that may very well include, email, online banking, broker accounts! I know this sounds crazy – but we’re lazy (wow, that rhymes).
So whether Twitterank is really stealing your access info is almost secondary: take this opportunity to rethink your online security. Some of the options we all have:
- Use the same, or very few userid/password combos on all sites, so we can remember them without having to write them down or physically store them in any form. This may not have been that bad… years ago, when we all accessed less than a handful sites. With the proliferation of Web usage, this practice has become a time-bomb waiting to explode.
- Use some variation of the basic credentials, simple enough to remember the actual “algorithm”, i.e. some characters from the site name combined with your own “standard” keywords. The benefit is that you use different credentials on every site (which you probably would not remember, but can re-construct every time), and still don’t need to record all the passwords. The weakness is that once the bad guys get hold of two-three sites, they can pretty much figure out your simple algorithm.
- Use different credentials on every site, preferably strong ones. The benefit is obvious, very secure, but it would be impossible to remember, so you would need to record them somewhere, whether on paper or electronic form, which itself is a huge security risk.
- Use different, strong credentials, and use a “password manager” system. There have been a number of client (PC) based solutions, or ones that code your information on a USB stick, but I don’t want to depend on anything tied to a physical location/device. I am experimenting with Web-based solutions, but am not fully convinced. Could it be OpenID or a dedicated system like PassPack? But what if your info there gets compromised, and exposes everything?
With that, I’d like to turn this over to the security experts – we have a few here @ Cloudave, and I suppose quite a few more amongst our readers). What do you think? What’s the ideal Web-login policy?
- Gullible Twitter users hand over their usernames and passwords – did you get your Twitterank yet?!
- Is Twitterank Ranking Your Popularity Or Stealing Your Password?
- Twitterank Can Have My Password, No Questions Asked
- Sheep Line Up in
Perfect Twitter Formation
a social engineering phishing nightmare
- Twitterank Creator Speaks
- Just because you’re a Twitterati doesn’t mean you’re smart about security
- How easily do you surrender your password?
- Bad Form: 61% Use Same Password for Everything