Comments on: Trust, Twitter and Passwords http://nicktelford.net/2009/02/11/trust-twitter-and-passwords/ Just another WordPress weblog Mon, 21 Jun 2010 22:09:37 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Nicholas Telford http://nicktelford.net/2009/02/11/trust-twitter-and-passwords/comment-page-1/#comment-5 Nicholas Telford Wed, 11 Feb 2009 21:55:46 +0000 http://lazesharp.net/?p=29#comment-5 The FriendFeed system is much more secure than the plain text system, granted. However it does have the draw back that the user has to explicitly discover their "Remote Key". This is a concept that only really power users will easily grasp and overcomplicates the process. I prefer the LiveJournal method because you ask the user for the password once (on an SSL domain) then you get a challenge from LiveJournal. You then sign every API call with a hash of the challenge and password. The great thing about this approach is that you can easily store this hash without the worry of the password being retrievable. The FriendFeed system is much more secure than the plain text system, granted. However it does have the draw back that the user has to explicitly discover their “Remote Key”. This is a concept that only really power users will easily grasp and overcomplicates the process.

I prefer the LiveJournal method because you ask the user for the password once (on an SSL domain) then you get a challenge from LiveJournal. You then sign every API call with a hash of the challenge and password. The great thing about this approach is that you can easily store this hash without the worry of the password being retrievable.

]]> By: Daniel http://nicktelford.net/2009/02/11/trust-twitter-and-passwords/comment-page-1/#comment-4 Daniel Wed, 11 Feb 2009 21:39:02 +0000 http://lazesharp.net/?p=29#comment-4 Surely a simpler solution would just be to incorporate an API Key system whereby each user get's allocated a random string, their key. Both friendfeed and wordpress incorporate this method. Surely a simpler solution would just be to incorporate an API Key system whereby each user get’s allocated a random string, their key. Both friendfeed and wordpress incorporate this method.

]]>