On the Twitter password change page you'll find the following notice:
Note: If you have trusted a third-party Twitter service or software with your password and you change it here, you'll need to re-authenticate to make that software work. (Never enter your password in a third-party service or software that looks suspicious.)
There are so many things wrong with this note I hardly know where to begin. First, who are these third parties? A search quickly reveals that there are dozens. Many allow you to pull tweets from a blog or Facebook or (insert laugh here) improve your Tweet productivity. Many are free. Of course, this is where the matter of trust comes in. Few things in life are free, and many free online services translate to "we won't charge you so long as you agree to let us track you and mine your activity". On what basis should you trust a third-party Twitter service? Well, start with the Privacy policy, and if you can't find one, be suspicious.
Speaking of suspicious, exactly how does following Twitter's guideline "Never enter your password in a third-party service or software that looks suspicious" help you avoid account compromises? Avoiding suspicious software and services is so easy a caveman can do it. Avoiding convincingly similar software is another skill set entirely, and one that millions of users have yet to master.
So here's a suggestion for Twitter. Change the note! I suggest the following:
Note: THINK CAREFULLY before you trust a third-party Twitter service or software with your password. Generally, sharing passwords is a VERY BAD IDEA, especially if you care a whit about your privacy. If you insist on violating this important rule, please Please PLEASE use UNIQUE passwords for these connected applications, and for goodness sake, DON'T USE THE SAME PASSWORD YOU USE FOR ONLINE BANKING! Oh, by the way, if you change your Twitter password, you'll need to re-authenticate to make that software work. Oh, and one more thing: Always be suspicious of ANY form that asks for a password, whether it looks suspicious or exactly like the one you're familiar with using. Double-check the URL you are visiting. When in doubt, type it manually, OK? OK...
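The last piece of the suggested note, "double-check the URL you are visiting", is harder than it sounds, because a password form can sit on a page whose address merely contains the expected name. The following is an added example, not part of the original post or anything Twitter published: a small Python check that parses a URL the way a browser does and reports why a page should not receive your Twitter password. The trusted host list and the reason strings are assumptions for this example; the sample URLs below are constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: only these hosts may receive the Twitter password.
TRUSTED_HOSTS = {"twitter.com", "www.twitter.com"}


def check_password_page(url: str) -> tuple[bool, str]:
    """Return (trusted, reason) for a URL that presents a password form.

    The checks mirror the ways a URL can "look right" while pointing elsewhere:
    a plain-HTTP copy of the page, a trusted name hidden in the userinfo part
    ("https://twitter.com@evil.example"), a lookalike subdomain of another
    domain ("twitter.com.evil.example"), or a homograph using non-ASCII letters.
    """
    parts = urlsplit(url)

    # Password forms must be served over TLS; anything else can be read or altered in transit.
    if parts.scheme != "https":
        return False, "insecure scheme"

    # urlsplit() treats "user@host" correctly: the text before "@" is userinfo, not the host.
    if parts.username is not None:
        return False, "userinfo in URL"

    # .hostname is already lowercased and has the port stripped.
    host = parts.hostname or ""
    if not host:
        return False, "no host"

    # A homograph host (e.g. a Cyrillic letter standing in for a Latin one) is never trusted.
    if not host.isascii():
        return False, "non-ASCII host"

    # Exact match only: "twitter.com.evil.example" ends with "twitter.com" but is not it.
    if host not in TRUSTED_HOSTS:
        return False, "unrecognised host"

    return True, "ok"


def classify(urls: list[str]) -> dict[str, tuple[bool, str]]:
    """Run the check over several URLs and map each to its verdict."""
    return {u: check_password_page(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs for demonstration; none of these are real sites.
    samples = [
        "https://twitter.com/settings/password",
        "https://TWITTER.com/settings/password",
        "http://twitter.com/settings/password",
        "https://twitter.com@evil.example/login",
        "https://twitter.com.evil.example/login",
        "https://tw\u0456tter.com/login",  # Cyrillic 'i' homograph
    ]
    for url, (ok, why) in classify(samples).items():
        print(f"{'TRUST' if ok else 'REJECT':6} {why:18} {url}")
```

Note that string containment ("does the address contain twitter.com?") would accept three of the six samples that this check rejects; the parser-based host comparison is what makes the double-check meaningful.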
Interesting article. I'm always careful where I enter my passwords but sometimes you forget and get caught out.
Posted by: Borellus | Tuesday, 03 November 2009 at 12:29 PM