Are Hackers Reading Your Email?
by Jonathan Stark
The so-called password anti-pattern is cropping up in an ever-increasing number of applications. The password anti-pattern exists when a third-party website or desktop/mobile application asks you for your login credentials for a different application.
For example, let’s say I decide to try out a new email client on my iPhone. In order for it to download my messages, I’m going to have to give it the login information for my Gmail account. What if the application developer is a hacker? He could easily have his application send my username and password to him without my knowledge.
Think about this for a sec: What could a hacker do if s/he could log in to your email account?
- Impersonate you to your clients (e.g. “Hey Bob – I misplaced the login creds for the database server. Could you resend? Thanks!”).
- Search through your archived messages for words like “password”, “account”, etc.
- Reset your passwords for all your online services (e.g. the hacker goes to Facebook, clicks on Forgot Password, enters your email address, and poof! A new password shows up in your compromised inbox).
Maybe worst of all, a smart hacker will not do anything that would alert you to their presence. Some stranger could be checking your Gmail account right now and you’d never know it.
In the vast majority of cases, the password anti-pattern is employed to make our lives easier (e.g. “Don’t want to retype all of your Hotmail contacts in Yahoo? Just give us your password and we’ll import them for you!”), and although people are working on better solutions, there is currently no reasonable alternative. In the meantime, I fear that people are going to get so used to sharing their credentials that they will eventually do so without thinking twice.