Comments on: A whole lotta Twitter phishin goin’ on

By: Jim Cottrell

Jim Cottrell — Wed, 07 Jan 2009 00:30:12 +0000

See your replacement of letters with numbers reminded me of the “Leet” alphabet or “Leetspeak.” (I forget were I first came across this. maybe wired magazine.) See: http://en.wikipedia.org/wiki/Leet
I guess some technology savvy people use this “Leet,” so one might want to avoid number substitutions that match “Leet” for a more secure password.

By: Wesley Fryer

Wesley Fryer — Tue, 06 Jan 2009 13:33:44 +0000

Alan: I agree, bank and credit card fraud/phishing is HUGE and Twitter exploits are not apparently taking place at a scale that even approaches that. The stakes and benefits of a Twitter hack is much different!

I also agree it would be an overreaction to not use any web-based twitter services. As I said, I’m still using Twitter Karma, and I love its functionality.

The issue this raises, however, is an important one. How should people evaluate the trustworthiness/viability of a website before entering Twitter credentials? Lee is on the right track that the provision of privacy info, info about the developers, etc. is a good sign. A website like twply which simply says (literally) “Your password is safe with us. No worries!” should be suspect. Beyond that, however, I think it gets fuzzy quickly trying to determine what website to trust.

I am not a developer with the expertise to fully explain and understand this, but I understand some twitter services are able to function without having users enter their passwords. Hopefully Twitter will develop a scheme of more secure authentication which will permit developers to not have to solicit passwords to offer new web services. The advent of more secure authentication schemes will not stop phishing emails, of course, or reduce the importance of using secure passwords and changing them frequently.

By: Alan Levine

Alan Levine — Tue, 06 Jan 2009 06:32:58 +0000

On the other hand, c’mon, it is not like twitter being compromised is anywhere in the ballpark of your bank account. I’m haivng trouble recalling all the places my twitter credentials are sitting- wordpress plugin (to send posts to twitter), facebook (for twitter to FB status), twitterfeed (to pull RSS content into twitter), tr.im a nice URL shortening service… If you are going to be that guarded and never put a username/password into a web site, well you might was well stay home and just knit sweaters.

That said, the twitter authentication appears to me as weak as that 2 month old stalk of celery in the back of my fridge. Compare how it deals with third party apps and more robust services like flickr (where you authneticate any third party use), Yahoo services, facebook apps, etc. Twitter’s security is very very thin.

By: Lee K.

Lee K. — Tue, 06 Jan 2009 05:38:31 +0000

There seems to be a lot of new sites popping up that don’t really give you too much information until you register. Nice, graphically appealing main page with a great tagline, but that’s it. For me, that’s a red flag right there.

I don’t think abandoning them all is the answer either though. If an app gives plenty of information, FAQ’s, contact information, etc. before you sign up, then I think it’s reasonable to think the site is ok.

I agree with you, though. We are very complacent when it comes to changing and using cryptic passwords. Do you know when most people put burglar alarms in their homes? Yep, AFTER they’ve been victimized.

This is a good wake-up call for us all.