07-03-2014, 10:06 AM
@Psychotime Cool. I'll definitely add an email/password login box - this weekend hopefully.
It's interesting to me to hear your objections, because coming from a very technical background I'm aware that I have absolutely no access to your password.
When you click, say, the Twitter button, it sends you off to Twitter's website to ask for your permission. If you say yes, in Twitter, it sends you back to me with a token from Twitter that says you said ok. Your username and password never even pass through one of my web pages, let alone my server, which can be verified by checking the URLs of those pages.
I personally choose to use such options when available to me because I don't want another insecure server holding a copy of my (hashed) password and username, waiting to hear (or worse, not hear) that it's been compromised. So I trust two or three large services to store that for me on the assumption that they'll be better at security than most small service providers, and that if they have a breach I'll definitely hear about it.
There are services that behave like you describe though; the one that comes to mind is Spotify. Those are truly dangerous, and yeah, they're just awful from a security standpoint.
I really am grateful for you explaining your reluctance though. I'll make sure to add the email/password box, and I'll try to convey better that I won't actually be asking for your passwords for other services.
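The redirect flow the post describes, as an added example that is not code from the original post or from any real service: a constructed in-process simulation in which only the provider ever checks the password, the small site receives a single-use code and then a token, and a `state` value lets the site reject forged or replayed callbacks. The class names, URLs and secrets are hypothetical.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed simulation: "Provider", "RelyingParty", URLs and secrets are hypothetical.
class Provider:
    """Stand-in for the identity provider (Twitter in the post). Only it sees the password."""
    def __init__(self, users):
        self.users = users   # username -> password, constructed sample data
        self.codes = {}      # single-use authorization code -> username
    def authorize(self, username, password, redirect_uri, state):
        # The password is typed on the provider's own page, never on the small site.
        if self.users.get(username) != password:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = username
        # The browser is sent back carrying only a code and the echoed state.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})
    def exchange(self, code, client_secret):
        username = self.codes.pop(code, None)          # a code can be redeemed once
        if username is None or client_secret != "rp-secret":
            return None
        return {"access_token": secrets.token_urlsafe(24), "user": username}

class RelyingParty:
    """The small site: handles redirect URLs and a token, never a provider password."""
    def __init__(self, provider):
        self.provider = provider
        self.pending = set()
    def login_url(self):
        state = secrets.token_urlsafe(16)   # binds the callback to this login attempt (anti-CSRF)
        self.pending.add(state)
        return "https://provider.example/authorize?" + urlencode(
            {"client_id": "rp-client", "redirect_uri": "https://rp.example/cb", "state": state})
    def callback(self, url):
        qs = parse_qs(urlparse(url).query)
        state = qs.get("state", [None])[0]
        if state not in self.pending:
            return None                      # forged, replayed or stray callback
        self.pending.discard(state)
        return self.provider.exchange(qs.get("code", [None])[0], "rp-secret")

def simulate_login(username, password):
    # Runs the whole redirect dance in-process; returns the token the site ends up with.
    provider = Provider({"alice": "correct horse"})
    site = RelyingParty(provider)
    params = parse_qs(urlparse(site.login_url()).query)
    back = provider.authorize(username, password, params["redirect_uri"][0], params["state"][0])
    return None if back is None else site.callback(back)
```

Note that nothing in `RelyingParty` ever stores or even receives the password; a wrong password fails at the provider and the site simply never gets a callback.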