Prabath points out an important issue that has been bothering me for a long time.
There are a lot of web applications nowadays that ask users for their passwords to other applications. Of course they promise that those passwords will not be misused ... and oh yeah ... people do keep promises :P
What sort of guarantee do those web applications give that users' passwords are never leaked? Programmers make mistakes! And how can one be certain that there are no covert channels that may leak those passwords?
The answer is that no one can ever be sure!
Another issue with this paradigm (or rather anti-pattern) is that it may become socially acceptable for one system to ask for a user's authentication details for another system. This is extremely dangerous!!! ... Why? ... Just think of how much easier it makes phishing ... An attacker who has obtained the credentials for one system can now easily trick the user into giving up the passwords for his/her other accounts.
As Prabath points out, it is really disappointing to see that this approach is promoted by a lot of popular web applications.