Password safety – Grader.com saved by Twitter OAuth


The news is finally out as to how worried Twitter.Grader.com users need to be over the hack I reported last week. Dharmesh Shah blogged on the lessons he learned from the attacks on his site.

It turns out that the biggest thing that saved users of Grader.com’s service from potential compromise of their passwords was Grader’s choice to use OAuth, the authorization protocol that Twitter’s API supports. In my “12 tips of Christmas – A safer Twitter for 2010” blog post last December, I explained the importance of using only those web-based Twitter tools that utilize OAuth.

While it may have caused embarrassment for Grader users to have sent spam messages, their credentials were never compromised and this enabled Twitter and Dharmesh to work together to put an immediate stop to the abuse.
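A constructed toy model of the mechanism described above (added here; it is not Grader’s or Twitter’s code, and the Provider, authorize and revoke_client names are assumptions, not Twitter’s real API): the app keeps only an opaque token, so a dump of its store yields no reusable passwords, and the provider can revoke every token it issued to that app while the user’s own password stays valid.

```python
import hashlib, hmac, secrets

class Provider:
    """Stands in for Twitter: the only party that ever handles the password."""
    def __init__(self):
        self._users = {}    # username -> (salt, pbkdf2 digest)
        self._tokens = {}   # opaque token -> (username, client_id)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def check_password(self, username, password):
        salt, digest = self._users.get(username, (b"", b""))
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def authorize(self, username, password, client_id):
        """User logs in at the provider; the app is handed only an opaque token."""
        if not self.check_password(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, client_id)
        return token

    def post(self, token, text):
        if token not in self._tokens:
            raise PermissionError("token invalid or revoked")
        user, client = self._tokens[token]
        return f"{user} via {client}: {text}"

    def revoke_client(self, client_id):
        """Kill switch: invalidate every token issued to one compromised app."""
        dead = [t for t, (_, c) in self._tokens.items() if c == client_id]
        for t in dead:
            del self._tokens[t]
        return len(dead)

def breach_scenario():
    """Attacker dumps a Grader-like app's store after a user has authorized it."""
    twitter = Provider()
    twitter.register("alice", "correct horse")                     # constructed sample user
    app_store = {"alice": twitter.authorize("alice", "correct horse", "grader")}
    leaked = dict(app_store)                                       # all the attacker gets
    spam_before = bool(twitter.post(leaked["alice"], "spam"))      # abuse works until revoked
    revoked = twitter.revoke_client("grader")                      # provider pulls the plug
    try:
        twitter.post(leaked["alice"], "spam")
        spam_after = True
    except PermissionError:
        spam_after = False
    return {"password_leaked": "correct horse" in leaked.values(), "spam_before": spam_before, "revoked": revoked,
            "spam_after": spam_after, "password_still_valid": twitter.check_password("alice", "correct horse")}
```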

This is a great example of why it is important to not disclose your passwords to even trusted third parties. Dharmesh brought attention to this in his blog: “Given that many people use the same username/password on multiple websites, this could have been very dangerous.”

Using separate passwords for every site can be an enormous burden, considering how many things require unique credentials these days. I have over 150 different sets of credentials stored in an encrypted vault. I couldn’t possibly remember them all.

Many users say “Yes” when their browsers offer to store their passwords, and rely on that to keep a unique password for every site. There are two problems with this: One, there is no synchronization between their home use of their accounts and the workplace. Two, neither Firefox nor Internet Explorer stores passwords in a secure manner by default.

Firefox offers the ability to set a master passphrase for your password store, which encrypts the store using 3DES. You can set this option under Tools -> Options -> Security -> Use a master password. To my knowledge Internet Explorer does not offer this option.

Firefox settings

Why is this important? Many types of data-stealing malware (like Koobface) can ship off your stored password file to the attacker and they can easily obtain all of your credentials if they’re not encrypted. Third-party tools provide a much simpler way to manage this situation.

Companies should consider licensing password vault applications no differently than they used to purchase copies of WinZip. If we want our users to practice the security policies we preach, we must make it as easy as possible. Tools like LastPass for Windows, Mac, and Linux and 1Password for OS X can securely store and synchronize passwords that are unique for every site. Although Grader.com’s breach did not disclose our passwords, odds are the next one will.

Image of padlock Creative Commons licensed from Thomas Stromberg.