# Friday, December 12, 2008

I have had a series of posts recently about various, supposedly responsible, social websites asking for my email username and password, and another post about not-so-trustworthy sites asking for Live Services passwords. I had resolved to only be concerned about sites that were clearly not taking advantage of the OAuth security pattern; however, it is quite difficult to explain to a layman whether a site is using OAuth or taking the shortcut of storing your password, logging in as you and doing some kind of screen scraping. I hope to address this here.

Why do we even need something like OAuth? Suppose you are, like me, a user of something like Live services, but you would love to be able to import all your contacts from a social network like LinkedIn. You have a couple of options: hope that LinkedIn lets you export the contacts in some common format (CSV, XLS, etc.) and also hope that Windows Live offers a compatible import ... or ... use an open, secure API which both services understand, namely OAuth. (I will not go into the details of the OAuth pattern, except to say that it removes the need to hand your user ID and password to a third party, which would otherwise have to send them with every request the way HTTP Basic authentication does; the third party instead receives a token, issued by the site that owns the data, which you can revoke later without changing your password.)

In short, when a site is responsible enough to employ the OAuth open protocol you can grant it access to secure areas (contacts, photos, etc.) of other sites without spreading your password everywhere. A good example of this pattern can be seen at work in the Windows Live services. I go through the steps of selecting the import process from LinkedIn, as shown below.

[screenshots of the Windows Live contact import steps]

This is the really important part here! After clicking Next I am redirected to the LinkedIn web site for authorization. What you should not be doing at this point is entering your LinkedIn credentials into the Windows Live site. This is always a bad idea! To be clear, I trust both LinkedIn and Windows Live; I just do not believe they need the keys to each other's houses.
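As an added illustration (not code from the original post, and not the code of any of the services named here), the following Python simulates the redirect-based exchange just described as a three-legged OAuth 1.0a flow: a constructed "contact-importer" consumer obtains delegated access to a user's contacts at a constructed "social.example" provider, with every consumer request signed by HMAC-SHA1 exactly as the OAuth 1.0 specification defines (percent-encoded, sorted parameters; key built from the consumer and token secrets). The user's password is checked only inside the provider's `authorize` step, which stands in for the page the user is redirected to; the consumer only ever receives a verifier and tokens. All service names, URLs, credentials and contacts are constructed for the example.

```python
"""Three-legged OAuth 1.0a simulated offline.  Added illustration; every name, URL and
credential below is constructed, and the two parties call each other directly instead of over HTTPS."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

PROVIDER_URL = "https://social.example/oauth/"  # constructed provider base URL

def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0 mandates (only unreserved characters kept)."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """METHOD & enc(url) & enc(sorted 'key=value' pairs joined with '&')."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer secret)&enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

class Provider:
    """The site that owns the data.  It is the only party that ever sees the password."""
    def __init__(self):
        self.users = {"alice": "correct horse battery staple"}       # constructed login
        self.consumers = {"contact-importer": "consumer-secret-xyz"}  # registered app
        self.contacts = {"alice": ["bob@example.net", "carol@example.org"]}
        self.request_tokens, self.access_tokens, self.seen = {}, {}, set()

    def _verify(self, method, url, params, token_secret=""):
        p = dict(params)
        sig = p.pop("oauth_signature", "")
        nonce = (p.get("oauth_consumer_key"), p.get("oauth_nonce"), p.get("oauth_timestamp"))
        secret = self.consumers.get(nonce[0])
        if secret is None or nonce in self.seen or abs(time.time() - int(nonce[2] or 0)) > 300:
            return False  # unknown app, replayed nonce, or stale timestamp
        if not hmac.compare_digest(sig, sign(method, url, p, secret, token_secret)):
            return False
        self.seen.add(nonce)
        return True

    def request_token(self, method, url, params):
        if not self._verify(method, url, params):
            raise PermissionError("bad consumer signature")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "user": None, "verifier": None}
        return tok, sec

    def authorize(self, request_token, username, password):
        """The redirect target: the user logs in on the provider's own page."""
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("bad login")
        rt = self.request_tokens[request_token]
        rt["user"], rt["verifier"] = username, secrets.token_hex(6)
        return rt["verifier"]  # goes back to the consumer in the redirect; the password does not

    def access_token(self, method, url, params):
        rt = self.request_tokens.get(params.get("oauth_token"))
        if not rt or rt["user"] is None or params.get("oauth_verifier") != rt["verifier"]:
            raise PermissionError("request token not authorized")
        if not self._verify(method, url, params, rt["secret"]):
            raise PermissionError("bad signature")
        del self.request_tokens[params["oauth_token"]]  # request tokens are single use
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "user": rt["user"]}
        return tok, sec

    def get_contacts(self, method, url, params):
        at = self.access_tokens.get(params.get("oauth_token"))
        if not at or not self._verify(method, url, params, at["secret"]):
            raise PermissionError("bad access token or signature")
        return list(self.contacts[at["user"]])

class Consumer:
    """The importing site.  It holds its own key/secret and the tokens it is issued, nothing else."""
    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def signed(self, method, url, token_secret="", **extra):
        params = {"oauth_consumer_key": self.key, "oauth_nonce": secrets.token_hex(8),
                  "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
                  "oauth_version": "1.0", **extra}
        params["oauth_signature"] = sign(method, url, params, self.secret, token_secret)
        return params

def import_contacts(provider, consumer, username, password):
    """Drive the flow as the user's browser would; only provider.authorize() receives the password.
    Returns the contacts plus the access token pair so the caller can make further signed calls."""
    url = PROVIDER_URL + "request_token"
    rt, rt_secret = provider.request_token("POST", url, consumer.signed("POST", url, oauth_callback="oob"))
    verifier = provider.authorize(rt, username, password)  # the user is on the provider's site here
    url = PROVIDER_URL + "access_token"
    at, at_secret = provider.access_token(
        "POST", url, consumer.signed("POST", url, rt_secret, oauth_token=rt, oauth_verifier=verifier))
    url = PROVIDER_URL + "contacts"
    contacts = provider.get_contacts("GET", url, consumer.signed("GET", url, at_secret, oauth_token=at))
    return {"contacts": contacts, "access_token": at, "access_secret": at_secret}
```

Calling `import_contacts(Provider(), Consumer("contact-importer", "consumer-secret-xyz"), "alice", "correct horse battery staple")` walks the three legs; the point to notice is that nothing in `Consumer` ever holds the string the user typed into `authorize`, and that the provider refuses a replayed request (same nonce) or one signed with a guessed token secret. Real deployments carry these parameters over HTTPS, since OAuth 1.0 signatures give integrity but no confidentiality.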

Any system that teaches users that it is OK to put passwords from one site into another is really doing us all a disservice; this password anti-pattern teaches people that it is OK to give away their password. This bad habit ensures that people will be more likely to be caught in phishing scams the world wide web over. Many social networks have spread like this, and LinkedIn is as guilty as any of them.

[screenshot of the LinkedIn contact import page]


For me the design of this LinkedIn import page is really problematic. While it appears to redirect authentication for Windows Live and Yahoo, for the Gmail, AOL and Other options it relies on you typing your user name and password directly into the LinkedIn site.

I am sure that LinkedIn is being above board and responsible with my information (am I?), but this pattern is doing the overall security of the web no good. They are teaching a whole generation of social network users that this type of password sharing is OK.

What is more confusing is that AOL and Google already offer delegated-authorization APIs that follow the same pattern (AOL OpenAuth, Google AuthSub), letting a third-party site obtain access to a user's data without ever receiving the password, yet LinkedIn seems to disregard them and teach bad habits to its users.

Hopefully in a future post I will go through some code that complies with the OAuth pattern.

Friday, December 12, 2008 12:24:07 PM (Eastern Standard Time, UTC-05:00)
Security | Web 2.0 | Web Services
# Monday, July 21, 2008

I am a member of only one social network, and that is LinkedIn. Contrary to popular opinion I think it is a great way to get in touch with professional contacts both past and present, and it really fills a gap that my email contacts cannot fill by themselves. I actually got hold of an old high school classmate who I knew was in the technology field.

I recently encouraged my wife to join the LinkedIn network, as we have recently moved into a new area and she is looking for work. I thought this could be another way to find out what is available in the Central Ohio area. As she was getting ready to fill out the form, we were confronted by this form that requested my email address and password. As much as I admire and even trust LinkedIn, there was exactly zero chance of me providing them with the password to my email inbox.

This is like giving someone permission to get a copy of my house keys because they need to fix the sink; it is just not going to happen. I mean, really think about it: how many of your various online accounts can be reset via your email and password combination?

I would much prefer to type each email address by hand, which is exactly what we did. There must be a better way to do this kind of thing ... OpenID anyone!

Monday, July 21, 2008 11:43:56 AM (Eastern Daylight Time, UTC-04:00)
Security | Web 2.0
# Wednesday, July 18, 2007

I was watching NBA's Greatest Games, Detroit vs. Chicago. MJ went for 47 points, and while I really enjoyed the game and the trip down memory lane, I realized something was missing. MJ is still the greatest ball player I have ever seen, Joe Dumars was as classy and smooth as ever, Dennis Rodman was the hustle and rebound king, so what was it that was missing from the game? Then it hit me ... STATS!

I have grown so used to a steady stream of constant information on every single player: not just team field goal and free throw percentage, but shot selection, and where a particular player hit and missed shots. Even the color commentators did not seem to have all the information that we have just grown accustomed to hearing. Today we seem inundated with stats and information; we can Twitter our lives away if we choose. Seemingly useless pieces of information are available for everyone to consume.

I prefer the NBA of yesteryear, but I must admit I love my stats. I wanted to see how much MJ averaged against every defender he faced on the Pistons, and what he was averaging against the Pistons during the 1989 regular season ... to two decimal places.

"The truth is rarely pure and never simple." - Oscar Wilde

Wednesday, July 18, 2007 7:57:51 PM (Eastern Daylight Time, UTC-04:00)
Web 2.0
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2010
Mark Downie