Blogging about the password anti-pattern, finally

Here's a basic rule of account security: you should never give your login details for website X to a form on website Y. And here's a basic rule of etiquette: if you're running website Y, you should never ask people for their login details for website X. Well, you can do so, but only if you're happy about those same users giving their login details for your website Y to miscellaneous sites A, B, C and D.

I realise I'm late to the party with this---to the blog-about-it party if not to the read-about-it-and-nod-furiously party---but here are a few choice quotes on the matter:

Jeremy Keith on "the password anti-pattern":

... Asking users to input their email address and password from a third-party site like GMail or Yahoo Mail is completely unacceptable. Here’s why: It teaches people how to be phished....

More from Jeremy Keith, about a specific instance of anti-pattern abuse:

... The second step of the process involved handing over your Twitter username and password. This request was dutifully obeyed by the eager geeks.

Muppets.

This is a classic example of the password anti-pattern. And this time it bit the willing victims on the ass. My Name Is E used the credentials to log in to Twitter as that person and post a spammy message from their account....

Jeff Atwood:

... I'm sure Yelp means well. They just want to help me find my friends, doggone it! But the very nature of the request is incredibly offensive; they have effectively asked for the keys to my house in order to riffle through my address book....

... What happened to the fundamental tenet of security common sense that says giving out your password, under any circumstances, is a bad idea?

Simon Willison, in a comment on Jeff Atwood's post:

This is known as the password anti-pattern. As of a few days ago, it is completely inexcusable - Google, Microsoft and Yahoo! all provide address book APIs which allow sites to request your permission to scrape your address book without needing to ask for your password.

Brian Oberkirch, on how if you implement the anti-pattern you're slowly killing the open-social web:

... Please stop just thinking about yourself. When you ask people for their login and passwords for other services, you are fucking things up for the rest of us.
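To make the contrast concrete, here is an added example (mine, not code from this post or from any of the people quoted) of the two ways a "find my friends" feature can get at a user's address book. The `Provider` class is a toy stand-in for the service that holds the account (the "website X" above); `CLIENT_ID`, the scope name `contacts:read`, and the sample user data are all constructed for the example. The password path gives the third party a full session, so nothing stops it from posting on the user's behalf, which is exactly what the Twitter incident Jeremy Keith describes came down to. The delegated path is the shape of the address-book APIs Simon Willison refers to: the password is typed at the provider, the third party only ever holds a single-use code and then a token limited to one scope, and the user can revoke that token without changing their password.

```python
import hashlib
import hmac
import secrets
import time


class Provider:
    """Toy account holder ('website X'). All data in this example is constructed."""

    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 hash); never the plaintext password
        self._contacts = {}  # username -> address book
        self._pending = {}   # one-time authorization code -> (user, client_id, scopes, expiry)
        self._tokens = {}    # access token -> (user, client_id, scopes)
        self.posts = []      # messages posted in users' names

    def register_user(self, username, password, contacts):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)
        self._contacts[username] = list(contacts)

    def _check_password(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(digest, candidate)

    # Anti-pattern path: whoever holds the password gets a full session.
    def login(self, username, password):
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        return ("session", username)

    def post_message(self, credential, text):
        if credential[0] != "session":
            raise PermissionError("posting needs a full session, not a scoped token")
        self.posts.append((credential[1], text))

    # Delegated path: the user authenticates and consents here, on the provider's own page.
    def authorize(self, username, password, client_id, scopes):
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._pending[code] = (username, client_id, frozenset(scopes), time.time() + 300)
        return code

    def exchange_code(self, code, client_id):
        entry = self._pending.pop(code, None)  # codes are single-use
        if entry is None:
            raise PermissionError("unknown or already-used authorization code")
        user, cid, scopes, expiry = entry
        if cid != client_id or time.time() > expiry:
            raise PermissionError("code not issued to this client, or expired")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user, client_id, scopes)
        return ("token", token)

    def contacts(self, credential):
        if credential[0] == "session":
            return list(self._contacts[credential[1]])
        entry = self._tokens.get(credential[1])
        if entry is None:
            raise PermissionError("token revoked or unknown")
        if "contacts:read" not in entry[2]:
            raise PermissionError("token lacks scope contacts:read")
        return list(self._contacts[entry[0]])

    def revoke(self, credential):
        """The user can cut off one site without changing their password."""
        self._tokens.pop(credential[1], None)


CLIENT_ID = "friend-finder-example"  # hypothetical third-party site ('website Y')


def find_friends_with_password(provider, username, password):
    """The anti-pattern: the site now holds a credential that can do anything the user can."""
    session = provider.login(username, password)
    return session, provider.contacts(session)


def find_friends_delegated(provider, code):
    """The address-book-API way: the site never sees the password, only a code and a scoped token."""
    token = provider.exchange_code(code, CLIENT_ID)
    return token, provider.contacts(token)


def run_demo():
    p = Provider()
    p.register_user("alice", "correct horse", ["bob", "carol"])  # constructed sample data
    session, c1 = find_friends_with_password(p, "alice", "correct horse")
    p.post_message(session, "spam")  # nothing in the password path prevents this
    code = p.authorize("alice", "correct horse", CLIENT_ID, ["contacts:read"])  # on the provider's page
    token, c2 = find_friends_delegated(p, code)
    try:
        p.post_message(token, "spam")
        token_could_post = True
    except PermissionError:
        token_could_post = False
    p.revoke(token)
    try:
        p.contacts(token)
        usable_after_revoke = True
    except PermissionError:
        usable_after_revoke = False
    return {"password_contacts": c1, "delegated_contacts": c2, "posts_via_session": len(p.posts),
            "token_could_post": token_could_post, "usable_after_revoke": usable_after_revoke}
```

Both paths return the same address book, which is the whole point: the feature the site wants does not need the password. The delegated token is bound to one client, one scope and a short-lived single-use code, and revoking it leaves the user's password untouched.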