Posted February 3, 2010 9:52 am by with 19 comments


Do you use the same username and password across multiple web sites?

Then you’re not welcome at Twitter!

That may sound like an exaggeration, but read this statement from Twitter, then you tell me if I’m exaggerating:

The takeaway from this is that people are continuing to use the same email address and password (or a variant) on multiple sites.  Through our discussions with affected users, we’ve discovered a high correlation between folks who have used third party forums and download sites and folks who were on our list of possibly affected accounts.  While not all users who were sent a password reset request fall into this category, we felt that it was important to put this knowledge out there so that users would know of the possibility of compromise of their data by a third party unrelated to their Twitter account.  We strongly suggest that you use different passwords for each service you sign up for…

The headline of this story is that Twitter is forcing many users to reset their passwords after it concluded that evil torrent sites were harvesting login credentials, although at least one person suggests that the issue goes beyond this.

Now, here’s the thing, BILLIONS of people use the same username and password across different sites. Just think about your parents–do you really think they could handle using a different login for each site that requests one? I think not.

Perhaps it’s time to rethink the “login.” Maybe Twitter et al. could lead the way in developing a new system of authentication. One idea: ask users to provide their IP address and whitelist it. Any changes that appear to take place from a different IP–say, a sudden jump in the number of accounts a user follows–could be “rolled back” to a previous state, one that matches the whitelisted IP, perhaps?

I dunno. You tell me. Is there a better system for authenticating social networking users?
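To make the whitelist idea concrete, here is an added illustration of how it might look in code. It is not code from this post, from Twitter, or from any of the commenters; the class and function names, the accounts and the IP addresses (documentation ranges) are all constructed for the example. A login from an unrecognised address triggers a second check rather than an outright refusal, and every account change is logged with the address it came from so that changes made from an unverified address can be listed for undoing.

```python
# Added illustration of a per-account IP allowlist with step-up
# verification and a change log. All names and addresses are constructed.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    # Addresses the user has confirmed as theirs (sign-up address, plus any
    # address that later passed the step-up check).
    trusted_ips: set = field(default_factory=set)
    # (action, source address, source was trusted at the time) tuples.
    change_log: list = field(default_factory=list)


class IpAllowlistLogin:
    """Hypothetical login checker; not any real service's implementation."""

    def __init__(self):
        self.accounts = {}

    def register(self, username, first_ip):
        """Create an account; the address used at sign-up is trusted by default."""
        acct = Account(username)
        acct.trusted_ips.add(ipaddress.ip_address(first_ip))
        self.accounts[username] = acct
        return acct

    def evaluate_login(self, username, ip):
        """Return 'allow' for a trusted address and 'step_up' otherwise.

        'step_up' means the login completes only after a second check
        (for example a code sent by e-mail). It is deliberately not a deny:
        home connections get new DHCP addresses and people travel, so an
        unknown address on its own is a weak signal.
        """
        acct = self.accounts[username]
        if ipaddress.ip_address(ip) in acct.trusted_ips:
            return "allow"
        return "step_up"

    def confirm_ip(self, username, ip):
        """Called once the step-up check succeeds: trust this address from now on."""
        self.accounts[username].trusted_ips.add(ipaddress.ip_address(ip))

    def record_change(self, username, action, ip):
        """Log an account change with whether its source address was trusted."""
        acct = self.accounts[username]
        addr = ipaddress.ip_address(ip)
        acct.change_log.append((action, addr, addr in acct.trusted_ips))

    def unverified_changes(self, username):
        """Changes made from an address that was not trusted at the time.

        This is the list a "roll back to the whitelisted state" feature
        would present to the user for undoing.
        """
        return [(action, str(addr))
                for action, addr, trusted in self.accounts[username].change_log
                if not trusted]


def demo():
    """Walk through one account's logins; returns the decisions for checking."""
    system = IpAllowlistLogin()
    system.register("alice", "203.0.113.10")  # constructed home address
    results = {}
    results["home"] = system.evaluate_login("alice", "203.0.113.10")
    # Same account, unfamiliar address: extra verification, not a lockout.
    results["cafe"] = system.evaluate_login("alice", "198.51.100.7")
    # A bulk change made before the new address was confirmed is flagged.
    system.record_change("alice", "follow +500 accounts", "198.51.100.7")
    system.confirm_ip("alice", "198.51.100.7")
    results["cafe_after_confirm"] = system.evaluate_login("alice", "198.51.100.7")
    results["unverified"] = system.unverified_changes("alice")
    # Caveat: the check sees only the address. Anyone else behind the same
    # NAT or proxy address as alice gets "allow" for her account too, which
    # is the weakness the comments on this post point out.
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The design choice worth noticing is that an unknown address only raises the bar (a second factor) rather than blocking the login or silently reverting activity; a shared office or ISP address makes the address itself a poor proof of identity, so the allowlist is best treated as one risk signal among several.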

  • Blood Testing and Retinal Scans are the only way to go Andy.

    Anyone who says otherwise has no respect for the sanctity of our collective tweets 😉

    • I’d add DNA testing and proof of a family tree dating back at least 10 generations! 😛

  • I don’t like the IP idea — I log into Twitter from many diff IPs and don’t want hassle of additional requirements based on diff IP. Chase and banks force you to receive a text code if you use a new IP to log in and for banks I find it tolerable (annoying but tolerable).

    Banks or some very trusted authority should develop consumer tools for universal ID. I know there are a few initiatives around that already. Don’t know what the biggest hurdles are but clearly most people DO use a single or very similar log ins and clearly it’s a safety problem.

  • Wow, IP validation is a BAD idea. One IP can represent thousands of people, and that’s not even counting the tor/onion crowd that use domain proxies… some for very important reasons (such as political activists from China).

    So alternative means? Hm. Quantum cryptography sounds promising…. j/k

    Here’s an idea – an anti password. A list of things that you would NEVER say, such as ‘viagra’. This list is personalized and controllable by you, and should you (or, I don’t know, Joe hacker) mention one of these words then the post is flagged, an email is sent to you and the account is locked out until you revalidate your credentials.

    Tricky to implement, but it has possibilities, I think.

  • Thanks for the ideas! Keep ’em coming!

  • @epc

    OpenID and InfoCards are an option, but OpenID as formally implemented is very nerdy, though there are attempts with OpenID v2 to make it easier. InfoCards are built into Windows XP SP3, Vista and Windows 7 but regrettably, due to their Microsoft connections, haven’t caught on.

    • @epc

      Also see: which just launched today.

      Tying identity to an IP address is just a non-starter. Home broadband users frequently get DHCP-assigned addresses out of a pool; there’s no guarantee that they’ll have the same address day to day (though the address likely resets when the router is rebooted). Large organizations tend to use a limited number of firewalls to connect to the internet, so thousands of identities would end up mapping to one or two addresses (and then: what about someone who logs on from work during the day, and home in the evening?)

      The best solution is something like InfoCards or x509 certificates, where identity is something under the user’s complete control. But x509 certificates cost money and have never really taken off, even within enterprises. InfoCards have promise but again are shadowed by association with Microsoft.

      No solution will overcome the biggest weakness: people are all too willing to hand over their credentials for one service to another. Twitter is killing off basic auth for the API because, I’m guessing, it’s become just too much of a pain to deal with the people who keep losing their credentials for one reason or another. oAuth has its own problems but is far better to build an API ecosystem on than basic auth.

  • Why not have a system where you have a thumb drive device store all your passwords (external OpenID). Of course you would need a password for the thumb drive!

  • I think by IP would be a no – as others have said, I don’t just Tweet from one computer or location, and sometimes they might be shared computers etc. Maybe a series of ‘favourite’ set questions, and then when account activity drastically changes it can throw up a series of queries from that list…

  • The need for a universal authentication is probably way past due but it would be hard to implement as people will be less likely to trust any third-party tools for the task.

    Maybe what we need is an operating system-level personal dashboard that manages all our accounts for us (rather than just depending on browsers to remember log-ins). There are tools that do this but some of them have been compromised.

  • Isn’t that the point of OpenID?

    • Doesn’t that make the problem worse? What if someone gets your OpenID credentials?

      • Good point on someone getting your credentials. However it does solve one part of the equation. Perhaps then back to your DNA testing answer 🙂

        To that point though, we might end up having IP addresses assigned to us by the government. Conspiracy-theory sounding, I know, but with the Craigslist killer and crazy parents causing the deaths of teens on MySpace, it is a possibility. Just like a SSN, you could have an IP. People could then steal and sell those too, though.

        • Not if it was embedded in a chip in your head! 🙂

  • There’s a good blog on this topic from the NY Times at and some additional thoughts on the topic at

  • Admittedly I don’t know how OpenID works, so I could just be describing it here. What if there was just one login to a central web security site, and from there your identity was authenticated for the duration of the surf, instead of each individual website having its own login? Each website that you would have logged into in the past would then cross-reference who is visiting with this central security site (perhaps the IP address is recorded for the duration of the login). That way you can change IP and computer – kind of like a company workstation.

  • Embedded RFID device which does a realtime DNA fingerprint, and sends a checksum value to the device you are currently using and to the web service in question to identify you based on a public key.

    In order to mitigate a potential ID thief hacking off your arm that has the embedded RFID chip, we could deploy two RFID devices – one of which also checks for temperature and blood flow; in theory the hacked-off arm would quickly attain a significant temperature delta from the average body temp.

    Just a simple tech solution – ok, there may be little privacy and ethical issues, but hey…

  • What?

    I am “guilty” of using the same username and password for a lot of websites I access, especially since I build links for different clients on a lot of social media, forums, blogs, emails, etc.

    I usually assign one username and password per website to be organized and that includes twitter.