views: 372
answers: 9

Is it better (more convenient or secure) to provide users with a lost username or password via direct message on Twitter rather than via email?

+12  A: 

I really don't want sites throwing my username and password over Twitter.

No thank you!

eskerber
Via direct message... really, email isn't that secure either... if you're a system admin, then you can read somebody else's email.
leeand00
But Twitter is out there for the world to see. It's a much lower level of trust.
GalacticCowboy
However, when you went to get it, I guess it would be over the air if the connection wasn't secured... yeah, bad idea...
leeand00
via direct message is also insecure. In fact, sending passwords using any medium at all is insecure!
AlbertoPL
Please don't do this.
Byron Whitlock
+4  A: 

It is as secure as sending it over email. If you generate a new password and then send it to the user via DM, only the user can read it. And yes, the user can access Twitter in an insecure way over an unencrypted connection. But you can't be sure that somebody uses an encrypted connection to access his mail either.

In fact it could be more secure, because you know that only Twitter admins can intercept the message, and not some admin reading his users' mail.

Janusz
+25  A: 

You don't supply lost passwords at all (mostly because you can't, because if you're doing it right you don't store passwords in plain text anyway).

You provide a reset feature that allows the user to change their password with the help of, for example, a secret question or simply an activation link sent via email.

J. Steen
+1: If you have the ability to send me my password in plain text then you are doing something horribly wrong!
Jon Tackabury
Not that Microsoft is the benchmark for security, but asp.net offers a reset password feature out of the box that emails the password...
Greg
Okay, so sending the lost-password link as a direct message. Seems to me like it would be faster.
leeand00
Well you can configure it to store passwords with reversible encryption or not because somehow that's a requested feature, but as far as I recall it the default is definitely off?
Oskar Duveborn
+3  A: 

Security aside, there's also the significant flaw that you can't send password reset information, password reminders, or anything else to your user via direct message if he's not following you on Twitter. Unless your site is itself a Twitter client, the odds are pretty good that a substantial fraction of your potential users won't be particularly interested in following you and are likely to resent being told that they must follow you (or at least follow/change password/unfollow) if they want to use your site.

Update: I forgot to mention... If you want to tie your user authentication functionality to twitter, then why not just use Twitter OAuth instead of maintaining your own password store at all? It works quite well (barring the fail whale), is very quick and easy for the users, and doesn't place any requirements on who they follow or don't follow.

Dave Sherohman
A: 

Secure your passwords and don't send anything by email or Twitter. Look up MD5 and other algorithms to do this.

Wikipedia says:

In cryptography, MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files.

I hate it when I see a website storing my password without encryption... and if the website started sending me my password via twitter I'd break something.

marcgg
+3  A: 

Start by reading this post: What is the best “forgot my password” method?
This will get you started in the right direction.

Zaffiro
A: 

Instead of sending passwords verbatim over any insecure channel, send a nonce instead. Such as: a one-time URL the user clicks, verifies personal info, then is forced to choose a new password.

This way, if the message is intercepted, no damage can be done without also hacking the personal questions.

spoulson
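The flow that J. Steen's answer and spoulson's answer both describe (never store or send the password itself; send a single-use nonce in a reset link, then force the user to choose a new password) as one added worked example. This is example code written for this page, not code from any of the answers above. Assumptions: an in-memory dictionary stands in for the user table, the clock is injectable so expiry can be exercised offline, reset links are assumed to live 15 minutes, and the unused `TOKEN_TTL_SECONDS` and `UserStore` names are invented for the illustration. Passwords are stored as salted scrypt hashes, and only a SHA-256 of the reset token is kept server-side, so a copy of the table does not yield usable reset links.

```python
"""Password reset via a single-use, expiring nonce, with passwords stored only as salted hashes.

Example code added for illustration; not from the original answers."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). scrypt is deliberately slow and memory-hard, so guessing is expensive."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def _token_key(token: str) -> str:
    """Store only a hash of the reset token; the raw token exists only in the link sent to the user."""
    return hashlib.sha256(token.encode()).hexdigest()


class UserStore:
    """In-memory stand-in for a database (constructed for this example)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.users: Dict[str, Dict[str, bytes]] = {}   # username -> {"salt", "hash"}
        self.resets: Dict[str, Dict] = {}              # sha256(token) -> {"username", "expires"}

    def create_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest}

    def login(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        return rec is not None and verify_password(password, rec["salt"], rec["hash"])

    def request_reset(self, username: str) -> Optional[str]:
        """Mint a one-time token and return it for the reset URL.

        Returns None for unknown users; the HTTP layer should respond identically
        in both cases so the endpoint cannot be used to enumerate accounts."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.resets[_token_key(token)] = {
            "username": username,
            "expires": self.now() + TOKEN_TTL_SECONDS,
        }
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token and set a new password. The old password is never recovered or sent."""
        rec = self.resets.pop(_token_key(token), None)  # pop: single use, even if the attempt fails
        if rec is None or rec["expires"] < self.now():
            return False
        self.create_user(rec["username"], new_password)  # fresh salt with the new password
        return True


if __name__ == "__main__":
    store = UserStore()
    store.create_user("alice", "correct horse battery staple")
    link_token = store.request_reset("alice")
    print("reset link: https://example.test/reset?token=" + link_token)  # hypothetical URL
    print("reset ok:", store.complete_reset(link_token, "new password"))
    print("reuse ok:", store.complete_reset(link_token, "again"))  # False: token already consumed
```

Whether the link travels by email or Twitter DM, what an interceptor gets is a short-lived, single-use capability to set a new password, not the password itself; combining it with the "verify personal info" step spoulson mentions limits even that window.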
+2  A: 

I want my password sent by UPS, FedEx, or USPS when I forget it.

Punish the user.

Bad user.

samoz
+1  A: 

Enough people have pointed out that you shouldn't be storing passwords in plain text anyway, so I won't repeat that.

But if you're sending a one-time-use password-reset link as a Twitter DM, then you have to take into account that the user might receive that message on their mobile phone.

Then you'll have to make sure whatever that link points to is set up to display correctly on mobile phone web browsers.

Then you'll wish you just stuck with email.

lawrence