So, I’d like to try a little experiment. I’m giving myself “permission” to write those thoughts out as quick, short little blog entries. I have no idea what’ll happen, but I’ve sat on my hands long enough and it’s time for a change.

Related posts:

1. A question to people reading my blog at Blogger: why?
2. AOL starting to “get” blogs, offers AOL News: Blog Zone
3. What makes a website a blog? Are comments necessary?

In the bad old days of Twitter only allowing HTTP Basic authentication, in order for third-party applications to access your Twitter account, you had to hand out your username and password. While this “worked” it wasn’t ideal. Why? Well, any time you changed your password — either to prevent an application from continuing to have access to your account, or out of good “security hygiene” practices of regularly changing your password — you had to go back to every application that you wanted to continue to work on your behalf. If you use more than a few applications, this quickly became a tedious process as you can imagine. Again, this was less than ideal.

Eventually, Twitter rolls out OAuth, an open implementation of a cross-service authorization scheme. Each application now requests authorization to act on a user’s behalf, and such access is now manageable per application rather than an all-or-nothing as it were with HTTP Basic auth. This is a huge win as this decouples the user’s Twitter credentials from a third-party application’s privileges to act on behalf of that user. You can now change your Twitter password to maintain good security hygiene without the inconvenience of having to update every third-party application with your new password. You can now revoke access from a single application without having to, again, update every other third-party application with your new password.

Terence, sadly, mistakes this radical improvement as a defect and a security flaw. What’s truly sad is that Terence even knows about the Twitter OAuth Connections page where one can de-authorize individual applications, yet he still missed the whole point and benefit of OAuth in the first place. How?

He suggests that “Changing a password should – in the minds of most people – mean that you need to re-enter your password even if you have previously authenticated yourself.” Is this true? Is this what “most people” (that means YOU) think? Please, let me know in the comments below if this is truly the case when you authorize an application using Twitter’s OAuth. If this is true, then the problem still isn’t what Terence suggests. It’s a matter of user education. Read this entry again and absorb the goodness that OAuth provides over HTTP Basic auth. for third-party applications. Do not fall victim to Terence’s FUD.

Related posts:

1. Guess it’s time to wait for OAuth 1.1
2. How to “switch accounts” in Twitter Karma
3. A few words can mean a whole lot