
Is it better (more convenient or secure) to provide users with a lost username or password via direct message on Twitter rather than via email?

leeand00
  • And you're storing passwords in plain text because...? – Instance Hunter Jul 14 '09 at 17:09
  • Why downvote? Because you think it is a bad idea? – Janusz Jul 14 '09 at 17:15
  • Why closed? It is a UI question and I think it is perfectly fine to ask it... – Janusz Jul 14 '09 at 17:17
  • Agreed with Janusz. Lost password handling is a valid software development topic. – Dave Sherohman Jul 14 '09 at 17:21
  • What about everyone who doesn't use Twitter? – Welbog Jul 14 '09 at 17:40
  • @Welbog people who don't use twitter should be taken out back and put out of their misery. I don't use twitter, and I find my life became insufferable the moment all my friends started using it =P – DevinB Jul 14 '09 at 17:55
  • Good question. Very bad idea. I hope you take the lesson "I made a bad mistake" instead of the lesson "people don't like me, so I'll ignore them". – John Saunders Jul 14 '09 at 17:55
  • Perhaps a better question could be "Should I send password reset credentials via direct message on Twitter?" – spoulson Jul 14 '09 at 17:59
  • @devinb - It'd be more insufferable if you *did* get it. Then you'd get interrupted on your phone any time one of them decides to change their status to "needs a nap". – T.E.D. Jul 14 '09 at 18:00
  • How is Twitter more convenient than email? If they have access to the internet for Twitter through whatever medium, then it is safe to assume that they have access to email as well. – ahawker Jul 14 '09 at 18:01
  • @devinb: I don't use crap like Twitter on principle. I find life to be perfectly acceptable without, much as life is acceptable without getting kicked in the face every Wednesday evening. – Welbog Jul 14 '09 at 18:05
  • I don't know how you people survive without a good Wednesday-evening face-kicking. It's like a reboot for my brain, clearing out all the cruft I've read on twitter... – Shog9 Jul 14 '09 at 18:08
  • FWIW, Twitter is an alternative to email. Sending someone a DM will trigger an email notification. Just because you don't use it... – spoulson Jul 14 '09 at 18:11

9 Answers


You don't supply lost passwords at all (mostly because you can't, because if you're doing it right you don't store passwords in plain text anyway).

You facilitate a reset-feature that allows the user to, with the help of for example a secret question or simply an activation link via email, change their password.

J. Steen
  • +1: If you have the ability to send me my password in plain text then you are doing something horribly wrong! – Jon Tackabury Jul 14 '09 at 17:52
  • Not that Microsoft is the benchmark for security, but ASP.NET offers a reset password feature out of the box that emails the password... – Greg Jul 14 '09 at 17:57
  • Okay, so sending the lost password link as a direct message. Seems to me like it would be faster. – leeand00 Jul 14 '09 at 18:10
  • Well, you can configure it to store passwords with reversible encryption or not, because somehow that's a requested feature, but as far as I recall the default is definitely off? – Oskar Duveborn Jul 14 '09 at 21:34

I really don't want sites throwing my username and password over Twitter.

No thank you!

Erik Kerber
  • via direct message... really, email isn't that secure either... if you're a system admin, then you can read somebody else's email. – leeand00 Jul 14 '09 at 17:10
  • But Twitter is out there for the world to see. It's a much lower level of trust. – GalacticCowboy Jul 14 '09 at 17:12
  • However, when you went to get it I guess it would be over-the-air if the connection wasn't secured... yeah, bad idea... – leeand00 Jul 14 '09 at 17:12
  • Via direct message is also insecure. In fact, sending passwords using any medium at all is insecure! – AlbertoPL Jul 14 '09 at 17:13
  • It is as secure as sending it over email. If you generate a new password and then send it to the user via DM, only the user can read it. And yes, the user can access Twitter in an insecure way over an unencrypted connection. But you can't assure that somebody uses an encrypted connection to access his mail either. In fact it could be more secure, because you know that only Twitter admins can intercept the message, and there's no admin reading the mails of his users. – Janusz Jul 14 '09 at 17:20

It is as secure as sending it over email. If you generate a new password and then send it to the user via DM, only the user can read it. And yes, the user can access Twitter in an insecure way over an unencrypted connection. But you can't assure that somebody uses an encrypted connection to access his mail either.

In fact it could be more secure, because you know that only Twitter admins can intercept the message, and there's no admin reading the mails of his users.

Janusz

Security aside, there's also the significant flaw that you can't send password reset information, password reminders, or anything else to your user via direct message if he's not following you on twitter. Unless your site is itself a twitter client, then the odds are pretty good that a substantial fraction of your potential users won't be particularly interested in following you and are likely to resent being told that they must follow you (or at least follow/change password/unfollow) if they want to use your site.

Update: I forgot to mention... If you want to tie your user authentication functionality to twitter, then why not just use Twitter OAuth instead of maintaining your own password store at all? It works quite well (barring the fail whale), is very quick and easy for the users, and doesn't place any requirements on who they follow or don't follow.

Dave Sherohman

Start by reading this post: What is the best “forgot my password” method?
This will get you started in the right direction.

Zaffiro

I want my password sent by UPS, FedEx, or USPS when I forget it.

Punish the user.

Bad user.

samoz

Enough people have pointed out that you shouldn't be storing passwords in plain text anyway, so I won't repeat that.

But if you're sending a one-time-use password-reset link as a Twitter DM, then you have to take into account that the user might receive that message on their mobile phone.

Then you'll have to make sure whatever that link points to is set up to display correctly on mobile phone web browsers.

Then you'll wish you just stuck with email.

lawrence

Secure your passwords and don't send anything by email or Twitter. Look up MD5 and other algorithms to do this.

Wikipedia says:

In cryptography, MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files.

I hate it when I see a website storing my password without encryption... and if the website started sending me my password via twitter I'd break something.

marcgg
  • If you're storing your passwords with MD5 and without any salt then it's pretty much the same as being in plain text. If you don't understand why, look up Rainbow Tables. – Luis Aug 14 '12 at 15:40
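The point of the comment above, shown in code (an added example, not code from the answer or the comment): an unsalted MD5 digest is identical for every user with the same password, so one precomputed table reverses all of them, whereas a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256 here, an assumed choice) give every user a distinct record that no shared table matches. The four "common passwords" and the iteration count are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: a tiny "precomputed table" of unsalted MD5 digests for a
# few common passwords, standing in for a full rainbow table.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
PRECOMPUTED_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for your hardware


def md5_unsalted(password: str) -> str:
    """The scheme the answer suggests: one MD5 digest, no salt.

    Every user with the same password gets the same digest, so a single
    precomputed table of digests recovers all of them at once.
    """
    return hashlib.md5(password.encode()).hexdigest()


def lookup_precomputed(digest: str) -> Optional[str]:
    """Reverse a digest by table lookup, which is all a rainbow table does."""
    return PRECOMPUTED_MD5.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Salted, slow hash: returns (salt_hex, digest_hex) to store per user."""
    if salt is None:
        salt = os.urandom(16)  # unique random salt for each user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex(), digest.hex()


def verify_password(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


if __name__ == "__main__":
    alice, bob = md5_unsalted("password"), md5_unsalted("password")
    print("unsalted MD5 identical for both users:", alice == bob)
    print("recovered from table:", lookup_precomputed(alice))
    a_salt, a_hash = hash_password("password")
    _, b_hash = hash_password("password")
    print("salted digests differ:", a_hash != b_hash)
    print("table lookup on salted hash:", lookup_precomputed(a_hash))
    print("verify correct password:", verify_password("password", a_salt, a_hash))
```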

Instead of sending passwords verbatim over any insecure channel, send a nonce instead. Such as: a one-time URL the user clicks, verifies personal info, then is forced to choose a new password.

This way, if the message is intercepted, no damage can be done without also hacking the personal questions.

spoulson
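The reset flow that J. Steen's and spoulson's answers describe (send a nonce, not a password), as an added example that is not code from either answer: the server remembers only the SHA-256 of the token with an owner and an expiry, the plain token travels in the link, and redeeming it is single-use, so an intercepted or replayed link is worthless afterwards. The in-memory dict store, the 15-minute lifetime and the `/reset?token=` path are assumptions; a real site would persist the store and follow a successful redeem with the "choose a new password" step.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical store of outstanding reset tokens, keyed by the SHA-256 of the
# token: {token_hash: (user_id, expires_at)}.  The plain token exists only in
# the message sent to the user, never in the database.
ResetStore = Dict[str, Tuple[str, float]]

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(store: ResetStore, user_id: str, now: Optional[float] = None) -> str:
    """Create a one-time nonce for user_id and remember only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store[_token_hash(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def reset_link(base_url: str, token: str) -> str:
    """What actually goes into the email or DM: a link carrying the nonce."""
    return f"{base_url}/reset?token={token}"


def redeem_reset_token(store: ResetStore, token: str, now: Optional[float] = None) -> Optional[str]:
    """Validate the nonce once; return the user_id it was issued for, or None.

    Unknown, expired and already-used tokens all fail the same way, and the
    entry is removed on first use so an intercepted link cannot be replayed.
    """
    now = time.time() if now is None else now
    entry = store.pop(_token_hash(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id


if __name__ == "__main__":
    store: ResetStore = {}
    t = issue_reset_token(store, "alice")
    print(reset_link("https://example.invalid", t))
    print("first redeem:", redeem_reset_token(store, t))   # alice
    print("second redeem:", redeem_reset_token(store, t))  # None
```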