The Password Anti-Pattern
From Social Patterns
The user is asked to type their login name and password for another site into this one, so that this site can fetch address books, connection lists or other data held on the other site.
- Don’t use this pattern when you want to allow a user to grab friends and contacts from another site.
- Use this pattern if you want to teach your users how to be phished.
- Use this pattern to discourage adoption of open social portability standards.
- Access to third-party data should require authentication at the third-party site, regardless of messaging that says you won’t keep the user name and password. Once a password has been typed into your site the user has no way to verify that promise, and the credential grants your site the user’s whole account on the other site, not just the contacts you asked for.
- Use an authorization protocol such as OAuth, under which the user signs in at the site that holds the data and your site receives only a token limited to what the user approved; a site that never asks for third-party passwords is not training its users to hand them to whoever asks.
- Use OpenID for sign-in, so that users authenticate at an identity provider of their choosing and decide which sites that provider vouches for, instead of creating and sharing yet another password.
- Users should have access to their data and should be allowed to bring it from one site to another. Social sites shouldn’t propagate bad behavior by teaching users that it’s OK to give any site their user names and passwords for every other site they belong to.
- Even though the practice is increasingly common and very easy to implement, this interaction is an anti-pattern for several reasons:
- Logging in to a third-party site with a user’s stored credentials violates the Terms of Service of many of those sites.
- By encouraging users to give their username and password to any site that asks, social sites are teaching users how to be phished: a phishing page that asks for the same credentials looks exactly like the legitimate import form.
- Instead, social sites should adopt open technologies and protocols such as OAuth and OpenID, which let authentication for the third-party site happen on the third-party site.
- OAuth is “An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.” In other words, it is an open technology that gives a site wanting a user’s data a safe way to get it without the user scattering their names and passwords across the internet. The user signs in and approves the request on the third-party site where the data is stored and under that site’s control, and the requesting site is handed a token that covers only the approved access and can be revoked there. AOL, Yahoo, and Google have all agreed to support OAuth, so there should be no reason to perpetuate this anti-pattern in the coming years.
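To make the contrast concrete, here is an added toy model, not code from the pattern library or from any of the sites named above, of the two interactions: the importing site taking the user’s password for the contacts site, versus the user authorizing a scoped grant at the contacts site in the spirit of OAuth. The class names, the user “alice”, her password, the client id and the token format are all assumptions made for this example.

```python
"""Added illustration: a toy model of the password anti-pattern beside a
delegated-authorization flow in the spirit of OAuth. Site names, users,
passwords and the token format are all constructed for this example."""
import hashlib
import hmac
import secrets

CONTACTS_READ = "contacts:read"  # the one scope the importer actually needs


class ContactsSite:
    """The third-party site that stores the user's address book."""

    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 digest)
        self._contacts = {}  # username -> list of contact names
        self._grants = {}    # access token -> (username, client_id, scope)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, contacts):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._digest(password, salt))
        self._contacts[username] = list(contacts)

    def check_password(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._digest(password, salt))

    # Anti-pattern path: whoever holds the password gets the whole account.
    def login(self, username, password):
        if not self.check_password(username, password):
            raise PermissionError("bad credentials")
        return FullSession(self, username)

    # Delegated path: the user authenticates HERE and approves one narrow
    # scope for a named client; that client only ever sees the token.
    def authorize(self, username, password, client_id, scope):
        if not self.check_password(username, password):
            raise PermissionError("bad credentials")
        if scope != CONTACTS_READ:
            raise ValueError("unsupported scope: " + scope)
        token = secrets.token_urlsafe(32)
        self._grants[token] = (username, client_id, scope)
        return token

    def read_contacts(self, token):
        grant = self._grants.get(token)
        if grant is None or grant[2] != CONTACTS_READ:
            raise PermissionError("token missing, revoked, or out of scope")
        return list(self._contacts[grant[0]])

    def revoke(self, token):
        # The user revokes at the site that holds the data, without involving
        # the importer and without changing their password.
        self._grants.pop(token, None)

    def active_grants(self, username):
        # What the user can review: which clients hold which scopes.
        return [(c, s) for (u, c, s) in self._grants.values() if u == username]


class FullSession:
    """Everything the account owner can do, now available to the password holder."""

    def __init__(self, site, username):
        self._site, self._user = site, username

    def read_contacts(self):
        return list(self._site._contacts[self._user])

    def change_password(self, new_password):
        salt = secrets.token_bytes(16)
        self._site._users[self._user] = (salt, self._site._digest(new_password, salt))


class ImporterSite:
    """The site that wants to pull in the user's contacts from ContactsSite."""

    def __init__(self, contacts_site):
        self._contacts_site = contacts_site
        self.credentials_seen = []  # with the anti-pattern, passwords land here

    def import_via_password(self, username, password):
        # Anti-pattern: the user typed a third-party password into THIS site.
        self.credentials_seen.append((username, password))
        return self._contacts_site.login(username, password).read_contacts()

    def import_via_token(self, token):
        # Delegated: the importer presents a scoped token and never sees a password.
        return self._contacts_site.read_contacts(token)
```

Run the anti-pattern path and the importer’s `credentials_seen` list ends up holding a password that also unlocks `FullSession.change_password`, so the importer can lock the user out. Run the delegated path and the importer holds only a token that `read_contacts` accepts, that the scope check keeps away from everything else, and that `revoke` at the contacts site invalidates without the user having to change a password.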
As Seen On