The Password Anti-Pattern
My friend at work sent me this interesting article about the password anti-pattern and I thought I would share it with you.
It’s called the password anti-pattern and it’s on Jeremy Keith’s blog.
Basically, new application platforms like the Facebook API have created some unpleasant trends. The most significant is asking a user to enter their login and password for some other site so that the application can access the user's data held there. Jeremy contends that in doing so, we're training users to give away their login and password without thinking about it.
I urge everyone not to implement this feature in their applications. While your application may not be malicious, and your favorite application might not be malicious, someone else's could be. We need to prevent this egregious breach of good security practice from becoming commonplace. As Jeremy mentions, there are alternatives out there. Google and Flickr both have APIs that let a user authorize an application to act on their behalf without sending that application their login credentials. If you have control of the web services you are consuming with your application, you should consider implementing the same kind of thing. It will take longer to build, but I think the advantages will outweigh the disadvantages in the end.
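To make the alternative concrete, here is a small model of the delegated-authorization pattern the Google and Flickr APIs use, written in Python. This is an added example, not code from the original post or from Google or Flickr, and all names (`Provider`, `ThirdPartyApp`, the `contacts:read` scope, the sample user and app) are hypothetical. The user types their password only at the provider; the third-party app receives a request token, the user approves it at the provider, and the app exchanges it for an access token that is scoped to one permission and can be revoked without the user changing their password.

```python
"""Delegated authorization instead of the password anti-pattern (added example).

Two parties are modelled in one process:
  Provider      - the site that holds the user's data and checks passwords
  ThirdPartyApp - an application that wants the user's contacts

The app never sees the password. It only ever holds a scoped access token.
All names and sample data here are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    # Provider-side password storage; the app never calls this.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Provider:
    def __init__(self):
        self.users = {}           # username -> (salt, password_hash)
        self.apps = {}            # app_id -> secret registered out of band
        self.request_tokens = {}  # temporary token -> pending grant
        self.access_tokens = {}   # access token -> approved grant
        self.contacts = {}        # username -> contacts (the protected resource)

    def register_user(self, username, password, contacts):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))
        self.contacts[username] = list(contacts)

    def register_app(self, app_id):
        self.apps[app_id] = secrets.token_urlsafe(32)
        return self.apps[app_id]

    def issue_request_token(self, app_id, scope):
        # Step 1: the app asks for a short-lived token naming the permission it wants.
        if app_id not in self.apps:
            raise PermissionError("unknown app")
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"app_id": app_id, "scope": scope,
                                      "user": None, "expires": time.time() + 600}
        return token

    def authorize(self, request_token, username, password):
        # Step 2: the user logs in HERE, on the provider, and approves the request.
        grant = self.request_tokens.get(request_token)
        if grant is None or grant["expires"] < time.time():
            raise PermissionError("unknown or expired request token")
        salt, expected = self.users.get(username, (None, None))
        if salt is None or not hmac.compare_digest(expected, hash_password(password, salt)):
            raise PermissionError("bad credentials")
        grant["user"] = username

    def exchange(self, app_id, request_token, signature):
        # Step 3: the app proves it holds its secret and swaps the approved token.
        grant = self.request_tokens.pop(request_token, None)
        if grant is None or grant["app_id"] != app_id or grant["user"] is None:
            raise PermissionError("token not approved for this app")
        expected = hmac.new(self.apps[app_id].encode(), request_token.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("bad app signature")
        access = secrets.token_urlsafe(24)
        self.access_tokens[access] = {"app_id": app_id, "user": grant["user"], "scope": grant["scope"]}
        return access

    def get_contacts(self, app_id, access_token):
        # The token is bound to one app and one scope; anything else is refused.
        grant = self.access_tokens.get(access_token)
        if grant is None or grant["app_id"] != app_id or grant["scope"] != "contacts:read":
            raise PermissionError("token lacks contacts:read for this app")
        return list(self.contacts[grant["user"]])

    def revoke_app(self, username, app_id):
        # The user withdraws one app's access; the password stays the same.
        doomed = [t for t, g in self.access_tokens.items()
                  if g["user"] == username and g["app_id"] == app_id]
        for t in doomed:
            del self.access_tokens[t]


class ThirdPartyApp:
    def __init__(self, provider, app_id):
        self.provider = provider
        self.app_id = app_id
        self.app_secret = provider.register_app(app_id)
        self.access_token = None  # the only credential the app ever stores

    def begin(self, scope="contacts:read"):
        return self.provider.issue_request_token(self.app_id, scope)

    def finish(self, request_token):
        sig = hmac.new(self.app_secret.encode(), request_token.encode(), "sha256").hexdigest()
        self.access_token = self.provider.exchange(self.app_id, request_token, sig)
        return self.access_token

    def import_contacts(self):
        return self.provider.get_contacts(self.app_id, self.access_token)


def demo():
    """Full flow on constructed sample data; returns (contacts, access_revoked_afterwards)."""
    provider = Provider()
    provider.register_user("alice", "correct horse battery staple",
                           ["bob@example.org", "carol@example.org"])
    app = ThirdPartyApp(provider, "friend-finder")
    rt = app.begin()
    provider.authorize(rt, "alice", "correct horse battery staple")  # user, at the provider
    app.finish(rt)
    contacts = app.import_contacts()
    provider.revoke_app("alice", "friend-finder")
    try:
        app.import_contacts()
        revoked = False
    except PermissionError:
        revoked = True
    return contacts, revoked
```

In a real deployment step 2 is a redirect to the provider's own login page and back, simulated here by calling `provider.authorize` directly. The points worth noticing are that `ThirdPartyApp` has no field that could ever hold a password, that the token it receives is useless for any scope other than the one the user approved, and that the user can cut off one application without touching any other.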
I pledge not to implement a feature like that on any site, even if it costs me a contract. Short-term monetary gain is not worth perpetuating poor design to all internet users.