Twitter's account lockout vs API
August 02, 2009
Interesting case by Larko. He got locked out after he changed his Twitter password, but failed to input the new password into a desktop app that accessed Twitter using their API. And apparently Twitter thought that the app trying to the API with the old password is equal to someone bruteforcing the account, and locked him out.
What’s the right behavior in this situation? The safest would be to not force people input their Twitter password in 3rdparty apps to begin with. Use something like OAuth. Though, to be honest, I have not wrapped my head around OAuth and OpenID entirely, neither from UX nor security perspective. OAuth has been designed by a bunch of amateurs, not been subjected to any professional scrutiny as far as I can tell, and has had their share of security problems.
Assuming that we still keep the basic auth scheme where people input their credentials directly in third-party apps, the next best thing would be for the app to simply inform the user if they get “invalid credentials” response from Twitter, stop firing requests with the wrong password towards the API, and let the user input the correct password.