23 Comments
- inactive, on 05/04/2009, -0/+18
FTA: "Since we had people's passwords we could take full control of their accounts, but people don't like it when someone else uses their account to do something."
No *****?
- peterjmag, on 05/04/2009, -0/+12
FTA (about My Name is E's autotweeting): "Unfortunately, we forgot to disable the feature before we launched."
Yeah, I'm sure you just "forgot" to disable an "experimental" feature that allowed you to advertise your site on thousands of people's profiles, at no cost to you.
- Rogor, on 05/04/2009, -1/+12
The solution to this, of course, is not to give out your "other" account passwords. That said, however, the problem of human-remembered passwords seems to be coming to a head. I've always wondered how many users on my site are using the same password they use for their email address. I only save the hashed version of their password, but many sites save the passwords as text and could easily try. The problem comes down to human limitations: you just can't expect the "average" human to remember very much, and especially not random text etc. for each account they have. In the end I can see everyone using electronic tokens or the free visual version http://www.passwindow.com to generate one-time passwords every time they need to log in.
- Nephersir7, on 05/04/2009, -3/+12
Twitter SUCKS!
- robbob, on 05/04/2009, -0/+7
this is my biggest concern with sites like Mint.com
- LonelyTylenoL, on 05/04/2009, -0/+5
No *****.
- nchankov, on 05/04/2009, -0/+3
I wrote an article some time ago that TLA holds passwords in plain text, because on request I received my old password instead of a random new password. I am sure that many other sites are doing the same.
- RBobby, on 05/04/2009, -2/+5
I thought this was going to be about the old '70s Password game show. I was expecting something along the lines of the $64,000 question scandal. :[
- calidin, on 05/04/2009, -0/+2
People are funny. That's like giving a hobo the keys to your house in exchange for them watering your plants. Then you act surprised when they root through your fridge and borrow your car.
Here's a life hint that extends to the web: if you give away your privacy and control, then don't act surprised when it's used without your permission. We have locks for a reason. We have passwords for a reason. And no, the company/third party will not feel bad for selling what you thought was sacred and protected.
FTA: "We were surprised at the response – it was a good lesson. Since we had people's passwords we could take full control of their accounts, but people don't like it when someone else uses their account to do something."
- MothBoy, on 05/04/2009, -0/+2
My thought exactly. I don't understand why anybody would give access to all their finances to a third party like mint.com. It seems patently stupid, yet people are perfectly happy to do it in exchange for a little convenience.
- kanojo1969, on 05/04/2009, -0/+2
Eve Online has a similar dilemma: there's a ton of 3rd party apps and websites that can do very cool things for you, but giving out your name/pass for Eve is against the EULA.
They decided to implement an external API, and they provided two levels of access. You go to their website, log in, and generate either a 'limited' API key or a 'full' API key.
The limited key lets the holder access basic info like your wallet balance and the skill you are training. The full key exposes more info like your wallet transactions and all in-game assets.
This is like Facebook letting you create two different logins. One is your normal one that gives full access. The other is a special login that only allows reading the address book and doesn't allow writing anything at all. Ideally it would let you customise these if you wanted, so you can reveal just what each specific 3rd party site needs.
This is not even slightly challenging, technically. OAuth, which is yet *another* service you would have to create an account for, doesn't offer anything any better than that, does it?
In short, the sites can make mechanisms themselves to do this right; it's pathetic that they do not. My own work is in corporate intranet web applications and they are all more secure than these public sites. It's ridiculous.
- Amnesia10, on 05/04/2009, -0/+2
I used to use the same two passwords for practically everything. Though I recently bought myself a password manager and have routinely changed every password to something made up of randomly generated numbers and letters, so they are now all different. Now my router has a large randomly generated password, as does my wireless network.
- bodger, on 05/04/2009, -0/+2
The point is that the first-party website should not be storing your password in plaintext, only a (salted) hash of it. When you log in, it hashes your entered password, compares the hash with what's on file and, if they match, gives you a temporary session token. Your plaintext password is only very briefly used and never filed to persistent storage.
The third-party websites don't have the ability to do this: they have to mimic you logging in each time, and so require your full plaintext password, which they have to persist somewhere on their servers.
So it's not just about blind trust; you have to recognize that technically the whole security posture of these services is severely weakened. Technologies such as OAuth are designed to help mitigate these kinds of problems.
- TheShad0w, on 05/04/2009, -0/+2
It's not just that. It's a huge security risk. You're putting all your passwords into one location, with an account that has full access. This is crazy.
The proper way to do this is that these social networks need to open up an API with the ability to generate a client key for each external source that wants access. Next they need to set permissions per client key. This way your passwords are all sitting on one server just waiting to be hacked and you can limit what these kinds of sites do to your other accounts.
- kanojo1969, on 05/04/2009, -0/+1
I know, I read that and cringed at the audacity. What cheap *****. Why would you want to alienate your customers in the first experience they have with you?
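Putting bodger's and TheShad0w's points together (with kanojo1969's 'limited'/'full' levels), here is an added example that is not from the thread or any of the sites named in it: the first-party site keeps only a salted PBKDF2 hash and hands out a session token at login, and a logged-in user mints a per-client key at a chosen level that every API call is checked against. The permission names, iteration count and in-memory stores are constructed for the illustration.

```python
import hashlib, hmac, os, secrets

# Constructed in-memory stores standing in for the site's database.
USERS = {}        # username -> (salt, PBKDF2 digest); the plaintext is never kept
SESSIONS = {}     # session token -> username
CLIENT_KEYS = {}  # client key -> (username, client name, permission set)
# Hypothetical permission levels modelled on the 'limited' / 'full' keys above.
SCOPES = {"limited": {"read_balance", "read_profile"},
          "full": {"read_balance", "read_profile", "read_transactions", "write_post"}}
ITERATIONS = 200_000
DUMMY_SALT, DUMMY_DIGEST = os.urandom(16), bytes(32)  # unknown users cost the same time

def register(username, password):
    """Store a random per-user salt and a PBKDF2-SHA256 hash; discard the plaintext."""
    salt = os.urandom(16)
    USERS[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS))

def login(username, password):
    """Re-hash the offered password, compare in constant time, return a session token or None."""
    salt, digest = USERS.get(username, (DUMMY_SALT, DUMMY_DIGEST))
    offered = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if username not in USERS or not hmac.compare_digest(offered, digest):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def issue_client_key(session_token, client_name, level):
    """A logged-in user mints a key for one third party at a chosen permission level."""
    username = SESSIONS.get(session_token)
    if username is None or level not in SCOPES:
        return None
    key = secrets.token_urlsafe(32)
    CLIENT_KEYS[key] = (username, client_name, set(SCOPES[level]))
    return key

def api_call(client_key, action):
    """The third party presents only its key; the action must be within that key's scope."""
    entry = CLIENT_KEYS.get(client_key)
    if entry is None:
        return False, "unknown key"
    username, client_name, perms = entry
    if action not in perms:
        return False, f"{client_name} key for {username} lacks {action}"
    return True, f"{action} allowed for {username} via {client_name}"

def revoke_client_key(client_key):
    """Cut off one third party without the user changing their password."""
    return CLIENT_KEYS.pop(client_key, None) is not None
```

The third party never sees the password, so a breach of its servers exposes only keys the user can revoke one at a time.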
- inactive, on 05/04/2009, -1/+2
lol
- Petestreet, on 05/06/2009, -0/+1
Top 5 stories on Digg right now are all about scams and people stealing information.
(Update) I am an idiot. I had clicked the tech category. Nevermind.
- deema1, on 05/04/2009, -0/+1
(whisper)
The password is...bench.
- el_taco, on 05/05/2009, -0/+1
wtf is TLA?
- LonelyTylenoL, on 05/04/2009, -3/+3
Please elaborate.
- WhaneTheWhip, on 05/04/2009, -2/+2
Check the whois data for the site; if there is no data or if it is set as "private", then simply do not sign up. Doing this won't guarantee you will not be victimized, but it will help tons. To check the site, just do a search for "Domain Whois"; there are lots of free tools out there.
- kanojo1969, on 05/04/2009, -0/+0
Hell, I'm not even comfortable giving that info to apps on my computer. Mint.com just doesn't even get a look in due to this problem. I can't believe anyone uses it; it would take just one disgruntled employee and a bunch of people could be seriously *****.
- Cassanova, on 05/04/2009, -1/+1
I thought the same thing at first, then I realized I do online banking, use eBay, use PayPal, use Scottrade, bought items from Newegg and other online vendors. There are lots and lots of sites out there I have given my personal info to. It's all about trust. I trust those sites so I give them my info. Mint.com isn't some phishing site so it can probably be trusted. Just like how I use my credit card at the grocery store, but I would be hesitant to give it to a street vendor or something.


