Categories
Markel!

Logins: Roll Your Own

We know now that Mat Honan’s account compromise was due to bad policy at Apple for allowing account access, but this bit from Daniel Jalkut’s post about the situation holds true regardless:

One way to protect yourself is by declining to delegate authentication to third parties. When enrolling in a new service that offers Twitter or Facebook authentication, I usually go through the nuisance of creating a new account instead. That way I can choose a unique passphrase, and store that in my keychain. I prefer this to allowing numerous items to be implicitly added to my Twitter or Facebook “keychain.” Don’t put all your eggs in one basket, as they say. (Well, that’s what I’m doing with my keychain, but I am empowered to personally protect it and to back it up as I see fit.)

This is a strong argument against permitting multiple login “vectors” from social services to your web service. It’s a good idea to permit connecting to these services so your service can leverage things like contacts and posting access but a bad idea to permit authentication from these services.

And you should never use the same password twice across services. The last.fm/LinkedIn password craziness should have taught everyone that.