The password anti-pattern and phishing scams: it's Twitter's fault

Twitter is aflame with tweets from users warning each other via retweets about a phishing scam that's currently underway. The scammers are sending DMs to Twitter users that read "hey! check out this funny blog about you..." and contain a link to a site that asks you to log in with your Twitter username and password.

Unfortunately, asking you for your Twitter username and password is also what many legitimate Twitter applications do, and have been doing, since Twitter apps first hit the scene.

Many people on Twitter, even developers, who should know better, are blaming Twitter application developers for asking users for their login details and thereby "teaching users to get phished". This is a myopic and unfair reaction that places the blame in the wrong place.

The party responsible for perpetuating the password anti-pattern and teaching users to get phished is none other than Twitter itself. Here's why:

The Twitter API only supports HTTP Basic Authentication. In other words, if you want to use the authenticated Twitter API methods in your own application, you have no choice but to implement the password anti-pattern.

And this is not going to change until Twitter rolls out oAuth.

In the meanwhile, stop blaming application developers and start putting the blame (and pressure) where it is deserved and where it can actually result in positive change: The only party that can change this state of affairs is Twitter.

Twitter, you must implement oAuth and you must implement it now.

In the meanwhile, expect more login details to get sold and more phishing attempts.