It’s 2009 and people are still, well, naive. Just read a post by Robert Scoble about how Twply – apparently a service that sends the replies you get on Twitter to your email – is collecting its users’ Twitter usernames and passwords in order to post messages from their accounts (and of course, keeping that data to do as they please in the future). There are three parties to blame for this whole thing:
2) Twitter: because they’ve been sitting on their OAuth implementation for over a year now. OAuth would give users a way to grant an external service limited, revocable access to their account through a token, instead of handing over the password that unlocks the entire account. A service could then talk to Twitter on your behalf without you being in jeopardy: revoke the token and the service is locked out, while your password never leaves Twitter. Twitter folks, what the hell?
3) Twply: because they’re violating trust and being shady. Interestingly, someone asked them (over Twitter, no less) if the passwords people were giving were encrypted on Twply’s service, to which they replied “yes they are“. Well, not in any sense that protects you: to post as you, Twply has to hand Twitter your actual password on every request, so whatever they store has to be reversible into that password, wouldn’t it?
The subject of trusting web applications and services with your data is complex and tricky. But there are definitely apps out there that make it really clear that they’re shady. Problem is, naive users (looking for the latest bling because they see pundits mention the service) will still be lured in.
To put it simply, let’s say you give Twply your password and they “encrypt” it in the only sense that would protect you: a one-way hash, the kind of thing Twitter itself should be storing. A proper hash can’t be reversed, which means Twply could never authenticate as you (instead of sending Twitter your password, they would be sending the hash of it, which is just an invalid password). The only way their service works at all is if they hold your password in a form they can get back: plaintext, or encrypted under a key that sits on the same server, which protects you from nobody who has access to that server. So it is 99.999% safe to assume that either these people are lying or their “encrypted” means nothing for you.
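The distinction the paragraph above turns on, worked through in code as an added example (not code from the original post or from Twply): `twitter_login` is a hypothetical stand-in for Twitter’s password check, the username, password and service key are constructed sample data, and the XOR stream cipher is a toy used only to show that a service can reverse its own “encryption” while a one-way hash cannot be reversed by anyone.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration (not real credentials).
USER_NAME = "alice"
USER_PASSWORD = "correct horse battery staple"
SERVICE_KEY = os.urandom(32)  # a key the hypothetical service keeps on its own server


def twitter_login(username: str, password: str) -> bool:
    """Hypothetical stand-in for Twitter's password check: only the real password works."""
    return username == USER_NAME and hmac.compare_digest(password.encode(), USER_PASSWORD.encode())


# --- Storage option 1: a one-way hash, the only thing "encrypted and not reversible" can mean ---

def hash_password(password: str, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the digest cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_hash(password: str, salt: bytes, digest: bytes) -> bool:
    """Good for checking a password the user types in, and for nothing else."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def post_on_behalf_using_hash(username: str, salt: bytes, digest: bytes) -> bool:
    """A service holding only the hash cannot log in: the best it can send Twitter is the hash."""
    return twitter_login(username, digest.hex())


# --- Storage option 2: reversible encryption under a key the service holds ---
# Toy stream cipher (SHA-256 counter keystream XORed with the data), used purely to
# illustrate reversibility; it is not a vetted construction and must not protect real data.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_reversible(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_reversible(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def post_on_behalf_using_ciphertext(username: str, key: bytes, blob: bytes) -> bool:
    """With the key on hand the service recovers the password and logs in as the user;
    anyone who gets both the database and the key gets the password too."""
    return twitter_login(username, decrypt_reversible(key, blob).decode())


def demo():
    """Run both storage options against the stand-in login and report what each allows."""
    salt, digest = hash_password(USER_PASSWORD)
    blob = encrypt_reversible(SERVICE_KEY, USER_PASSWORD.encode())
    return {
        "hash_verifies_user_login": verify_hash(USER_PASSWORD, salt, digest),
        "hash_lets_service_post": post_on_behalf_using_hash(USER_NAME, salt, digest),
        "ciphertext_lets_service_post": post_on_behalf_using_ciphertext(USER_NAME, SERVICE_KEY, blob),
        "operator_can_read_password": decrypt_reversible(SERVICE_KEY, blob) == USER_PASSWORD.encode(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the hash option verifying a typed password but never letting the service post, while the reversible option lets the service post and, by the same token, lets anyone holding the key read the password back.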