Stupid people use a password manager. They know they can't remember a hundred different passwords and so outsource the thinking to something reasonably secure. I'm a stupid person and am very happy to have BitWarden generate and save fiendishly complex unique passwords which are then protected by the app's MFA. Lovely!

But people who think they are clever decide to bypass that and use their own super-secret algorithm.

Every clever person's algorithm boils down to the same thing:

1. Have a single strong main password.
2. Add to it some information related to the service.

For example P@ssw0rd!_facebook and P@ssw0rd!_linkedin. On the surface, that's quite an attractive proposition. You remember one thing and you don't need to trust a password manager.

People who are extra clever use the same algorithm but wrap it in a command-line function which XORs both pieces of data, creates a SHA-512 hash, takes every prime numbered bit, converts to ASCII, and uses that to generate a password. Smart!

Either way, these algorithms suck! Let me explain why.

Password Leaking

One day, LinkedIn decides to LeakedOut its users' passwords. Anyone who can see P@ssw0rd!_linkedin can make a pretty good guess at your password for Facebook, banking, dating, and shopping etc. This means you now need to change every password that you have.

Even if you have used some amazing cryptographic powerhouse of an algorithm, there's still a chance you'll accidentally leak it or get so paranoid that you decide to invalidate it. Now you need to change your password on hundreds of sites.

Password Rotation

We all know that it is a bad idea to ask your users to regularly change their passwords - yet sites often persist in doing so.

How does your algorithm cope with this?

Do you have to remember that it is P@ssw0rd!_facebook_1 and P@ssw0rd!_linkedin_23?

Perhaps you'll write down all the suffixes and find a way to store them securely - like, say, a password manager?

Password Requirements

One site says "Your password must contain a special character and a number" another says "You can use any special character except % or ?" another refuses to let your password contain two consecutive identical characters, or it must start with a number, or it cannot be longer than 12 characters. Yes, I know password rules like this aren't sensible - but they are common.

How does your algorithm cope with that?

If you manually have to tweak a couple of dozen passwords generated by your algorithm, you are going to tie yourself in knots remembering the arcane requirements for each one.

Be Stupid - Use A Password Manager

Humans are stupid⁰. Humans get tired, forgetful, or sick. Our delicious meaty brains are not optimised to remember long strings of complex information or hundreds of rarely used combinations. Knowing that you know not is a super-power. It allows you to offload things that you don't understand to something more competent.

Pick a password manager. Secure it with a reasonably strong password and multi-factor authentication. Let it do the hard work of remembering.

WordPress mandated that I change my password. But was that really necessary?

Firstly, the password was uniquely generated by my password manager⁰. It isn't re-used anywhere else. So there is no chance of hackers breaking in to my email, bank, or OnlyFans account¹.

Secondly, and more importantly, I have 2FA app which provides me with a TOTP code every time I want to log in. Even if the evil ne'erdowells have my username and password, they can't get in without the MFA code².

So, should I change my password?

To understand this, it's worth considering the risks - both of action and inaction.

Changing a password isn't without risk.

• Perhaps some long-forgotten app or service relies on that password. If I change it, what will break?
• Do I trust my password manager to give me a strong password?
• What if the original email is a phishing attempt and I end up giving the baddies my credentials?
• Can I be bothered spending the time maintaining this old account?

As for the risk of inaction.

• Using my details, a miscreant might convince WordPress to disable MFA on my account.
• If there was a breach, my MFA seed secret might also have been stolen.

On balance… yeah, obviously I should change my password. It is a 30 second job with a decent password manager. But, I might argue, there isn't much urgency in doing so.

• A strong and unique password means there is no risk of collateral damage to other accounts.
• The use of MFA adds an extra layer of protection which buys you time.

Thankfully, we've moved on from the outdated advice to regularly change your password. Now we only have to change them when there's been a breach. Which, coincidentally, is every 30 days…

The future ain't what it used to be!

I'll admit, this weirded me out. Surely 4 is just far too short. Right? I think almost every 2FA code I've seen has been 6 digits long. Even back in the days of carrying one of those physical RSA fobs, 6 has been the magic number.

But why?

A 2FA code is meant to prevent a specific class of problem. If an attacker has got hold of something you are (your username⁰) and something you know (your password), you are still protected by something you have (your phone). Whether your second-factor is an app generating unique codes, a SIM card receiving SMS¹, or a cryptographic enclave producing signed transactions - it doesn't matter. The attacker can use your password but won't get the unique second code.

Suppose you received a 2FA code that was a single digit. Is that secure enough?

I think most reasonable people would say that wasn't secure. An attacker has a 10% chance of guessing the 2FA. If the system allows for a couple of retries before locking them out, they've got a 30% chance of getting in.

Similarly a 2 or 3 digit code probably doesn't provide sufficient protection.

A typical bank card PIN is 4 digits. So an attacker has a 1 in 10,000 chance of guessing. That might be slightly better as bank PINs usually don't allow repeated digits, palindromes, and a few other combinations.

I suppose that if an attacker had compromised tens of thousands of credentials, and the service allowed for a few incorrect entries, it is statistically likely that they might be able to compromise a few accounts if they were only protected by 4 digits.

As 2FA codes get longer, they begin to reach the limits of what humans can remember. Yes, I know you have an excellent memory - but not everyone does. And I know your fancy 2FA app automatically copies and pastes the codes - but not everyone does. We have to work to what the average user is capable of at a minimum.

I think most people would find it annoying - if not impossible - to remember a 10 digit one-time password.

If you're copying a code from your phone to type into your laptop, there's probably an upper limit on what people will be prepared to do. No one is going to manually transcribe 128 digits. And, if they did, they'd likely introduce several errors.

So the industry has seemingly settled on 6 digits. I've ranted before about the lack of standardisation in the OTP specification. But all of them seem to allow 6 - 8 digits.

I suspect 6 is the standard because that's what the original RSA SecurID tokens used by default.

An attacker would have to be incredibly lucky to randomly guess a 6 digit code - literally a one-in-a-million chance². Even if they had multiple retries, it's still statistically unlikely.

Once I logged in using my 4 digit code, I had full access to my account. But if I wanted to make any changes, I had to wait for another 2FA code to be sent. So I guess the effective length of code was actually 8 digits. Which seems excessive 🤣

Thoughts from the community

I asked my Twitter buddies for their wisdom:

Alex Hudson

@ealexhudson

@edent Depends on retry/lockout policy? 4 digits is enough for a bank card, but there is a physical token involved there - is the account as valuable as that, though?

Gut feeling is 6 digits is right for most circumstances though...

---

Rob Styles

@mmmmmrob

Replying to @mmmmmrob@edent 10,000 combinations is plenty to prevent guessing, and making the code longer doesn't add any additional protection if the message/device is compromised.

Making the code longer makes the usability exponentially worse when the code has to be re-keyed.

---

Ryan Cullen

@artesea

@edent Assuming just three retries before the code expires, 3 in 10,000 doesn't sound too bad. Also easy to remember whilst switching between the messaging app/notification shade and the app/website wanting it. I find with 6 I need to go back and forth. Worse with alphanumeric.

---

James Seconde

@SecondeJ

Replying to @mmmmmrob@mmmmmrob @edent For these sorts of reasons, this is why @VonageDev 2FA (Verify) lets you choose between 4 and 6 digits

---

Rhidian Bramley

@RhidianB

@edent Zero digits. More user friendly and secure to send a hyperlink with a single use time limited encryption key. No heed to compromise usability vs security. Win win.

---

Chris Hill-Scott

@quis

@edent Design System says 5 digits: design-system.service.gov.uk/patterns/confi…

On Notify 2% of attempts are miskeyed – people with dyslexia probably disproportionately affected.

4 would be better – used by Airbnb and Uber – but you need stronger technical measures in place to prevent automated attacks.

---

What do you think?

Last night, lightning struck our house and burned it down. I escaped wearing only my nightclothes.

In an instant, everything was vaporised. Laptop? Cinders. Phone? Ashes. Home server? A smouldering wreck. Yubikey? A charred chunk of gristle.

This presents something of a problem.

In order to recover my digital life, I need to be able to log in to things. This means I need to know my usernames (easy) and my passwords (hard). All my passwords are stored in a Password Manager. I can remember the password to that. But logging in to the manager also requires a 2FA code. Which is generated by my phone.

The phone which now looks like this:

Oh.

Backups

I'm relatively smart and sensible. I regularly exported my TOTP secrets and saved them in an encrypted file on my cloud storage - ready to be loaded onto a new phone.

But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in - you guessed it - my Password Manager.

I am in cyclic dependency hell. To get my passwords, I need my 2FA. To get my 2FA, I need my passwords.

Perhaps I can use my MFA FIDO2 Key?

Oh.

Emergency Contacts

Various services allow a user to designate an "emergency contact". Someone who can access your account in extremis. Who do you trust enough with the keys to your digital life?

I chose my wife.

The wife who lives with me in the same house. And, obviously, has just lost all her worldly possessions in a freak lightning strike.

Oh.

Recovery Codes

Most online services which have Multi-Factor Authentication, also provide "recovery codes". They are, in effect, one-time override passwords. A group of random characters which will bypass any security. Each can only be used once, and then is immediately revoked.

I was clever. I hand-wrote the codes on a piece of paper (so they can't be recovered from my printer's memory!) and stored them in a fire-proof safe, secured with a key hidden under the cat's litter-box.

Sadly, the fire-proof safe wasn't lightning-strike safe and is now obliterated. Along with the cat's litter-box. The cat is fine.

I know… I know… I should have kept them in a lock-box in my local bank. The only problem is, virtually no banks offer safe deposit boxes in the UK. The one that does charges £240 per year. A small price to pay, for some, to avoid irreversible loss. But it adds up to a significant ongoing cost.

But, suppose I had stored everything off-site. All I'd need to do is walk up to the bank and show some ID which proved that I was the authorised user of that box.

The ID which has just been sacrificed in tribute to mighty Thor and now looks like a melted waxwork.

Oh.

Friendly Neighbourhood Storage

Perhaps what I should have done is stored all my backup codes and recovery keys on a USB stick and then given them to a friend?

There are a few problems with that.

1. Every time I sign up to a new service, I would need to add it to the USB stick. How many times can I pop round with a fresh stick before it becomes an imposition?
2. What if my friend (or their kid) accidentally wipes the drive?
3. If a freak lightning storms hits both our houses at the same time, I still lose everything.
4. Even if I did all that, I would have to give the USB stick a strong password to make sure my friend didn't betray me. So I either need to remember that, or I'm stuck in the password-manager-paradox.

Perhaps I could split the USB sticks between multiple friends using Shamir's Secret Sharing? That solves some problems - mostly the accidental losses and remembering a strong password - but creates even more issues. Now I have to do a lot more admin and worry about all my friends conspiring against me!

Phone Home

One of the weakest forms of identity is the humble phone number. Several of my accounts use my mobile number to text me authorisation codes. SMS isn't the most secure way to deliver passwords - it can be intercepted or the SIM can be swapped to one controlled by an attacker. But, if I can get my phone number back, I stand a chance of getting in to my email and perhaps some other services.

That's a weakness in my security posture. But one I may need to take advantage of.

The only question is - how do I prove to the staff at my local phone shop that I am the rightful owner of a SIM card which is now little more than soot? Perhaps I can just rock up and say "Don't you know who I am?!?!"

I know, I'll show them my passport!

Oh.

Bootstrapping of trust

I am lucky. I have a nice middle-class life and know lots of professionals - doctors, lawyers, teachers - who I hope would be happy to vouch for me. I could use one of my friends to confirm my identity for a replacement passport. Once I have a passport, I should be able to get a SIM card with my phone number. And, I hope, some online services.

I would, however, need to use a credit or debit card to apply for a replacement passport. But all of my cards are melted to slag - and I can't prove to the bank that I am who I say I am because I don't know my account number, password, or mother's maiden name.

You see, I was "clever" and took some idiot's advice about setting your mother's maiden name to being a random string of characters. Those details are, of course, stored in my inaccessible password manager!

Hopefully one of my friends will be prepared to lend me the £75.50 to get a new passport.

I'll just call up one of my friends. Hmmm… now, where did I store their phone number?

Oh.

Starting over

Again, I'm lucky. I live relatively close to some friends and family. And I'm confident that they'd be gracious enough to pay an emergency cab fare if I started hammering on their door at silly o'clock in the morning.

With their help, I think I could probably call up enough insurance companies to figure out which one covered the property. I would hope the insurance company would have some way of validating with the emergency services that the house is, indeed, a smoking crater. I don't know if that would get me emergency cash, or if I'd have to rely on friends until I get access to my bank account.

I assume my credit card companies can probably be convinced to send out replacement cards. But will they also be willing to change my address - or will the card go to the pile of ashes which was formerly my home?

I don't know whether my insurance policy covers me for access to digital files. Even if it did, I'm not sure how they can force a company like - say - Google to give me access to my account. It isn't like Google went through a KYC (Know Your Customer) process when I signed up.

Code Is Law

This is where we reach the limits of the "Code Is Law" movement.

In the boring analogue world - I am pretty sure that I'd be able to convince a human that I am who I say I am. And, thus, get access to my accounts. I may have to go to court to force a company to give me access back, but it is possible.

But when things are secured by an unassailable algorithm - I am out of luck. No amount of pleading will let me without the correct credentials. The company which provides my password manager simply doesn't have access to my passwords. There is no-one to convince. Code is law.

Of course, if I can wangle my way past security, an evil-doer could also do so.

So which is the bigger risk:

• An impersonator who convinces a service provider that they are me?
• A malicious insider who works for a service provider?
• Me permanently losing access to all of my identifiers?

I don't know the answer to that. If you have a strong opinion, please let me know in the comment section.

In the meantime, please rest assured that my home is still standing. But, if you can, please donate generously to the DEC's Ukraine Humanitarian Appeal

I want to use emoji in my passwords. They're easy to type on a mobile keyboard, easy to remember, and a lot more fun than boring ASCII characters.

Let's go with ✅🐎🔋📎

(As close as possible to Correct Horse Battery Staple)

I use BitWarden as my password manager. It saves emoji passwords into its database, but has trouble displaying them:

Android

Browser Plugin

Linux App

Bug Report

I've raised this (minor) bug on GitHub. I wonder which other password managers also struggle with the more "exotic" parts of Unicode?

I tried going through them, removing long-dead websites, closing old accounts, and deleting anything incriminating. I now have 891 accounts.

Arse.

I also went through my 31 different 2FA accounts. Getting rid of old employers' email tokens, failed crypto wallet providers, Club Penguin etc. I now have 40 different TOTP tokens.

So, about 4% of my accounts have 2FA security.

I don't know if that's good or not. It feels like it ought to be more, but I'm not sure if I want the administrative burden. Even with a password manager and OTP manager, it's a headache.

I do have a Yubikey (which I hate) but so few services support it. And, frankly, it's pain trying to find it and shove it in a USB socket.

A few services, like Steam, use their own special 2FA app. And some only offer 2FA via email or SMS. Yeuch! Google has a fancy set of push notifications on Android - but that only works with Google accounts.

Is this a problem?

Any of my accounts which handle payments are tied to my credit cards or PayPal - so I don't care too much if someone cracks my password to Pizza Planet; there's limited damage they can do.

But there has to be a better solution. Things like WebAuthN look interesting - but I worry that they're too complicated for mere mortals to understand. And I'm worried about how fragile it is to have all your credentials tied up on one physical token. And I'm worried that credentials are tied to your browser.

So what's the solution?

I now want to talk about 2FA - Two-Factor Authentication - the random codes you have to type in every time you log in somewhere secure.

This week, I've moved all my 2FA tokens from Authy, to the open source andOTP app. It was mostly painless exporting the Authy keys - but took a while to manually check each one. Do I really need this many 2FA tokens?

It's good that my webhost uses 2FA - but annoying that they have two separate ones for my account and my control panel.

I've got a bunch of Gmail accounts - it is frustrating scrolling through remembering which G-icon goes with which G-service.

There's a few different Microsoft ones because I'm not sure of the collateral damage if I try to link my Xbox, Skype, and Outlook accounts.

And the usual smattering of hardly-used services which offered 2FA, so I set it up.

Oh, and a few services which don't use standard TOTP - and insist on using their own app or hardware token.

Is This Secure?

I don't know any more.

In security, we usually talk about the benefits of having your security split between something you know (a password) and something you have (a token). But I've effectively combined them. My phone stores passwords and tokens. If someone steals it and can break through my biometrics & PINs - they've got the keys to my kingdom.

If a crappy service has leaked a passwords, which I've reused elsewhere, then this 2FA set-up provides extra security. But fewer than 5% of my online accounts support 2FA - so that's a minor benefit.

The Alternative?

I tried using a YubiKey - and I just couldn't get on with it. The software was too flaky, hardly any services support it, and my keyring is rarely to hand.

So I'd have to keep an easy-to-lose physical token - as well as a phone for every service which doesn't support it.

Text For Details

As well as the codes in my app, I have a bunch of services which will only use insecure SMS for 2FA:

• LinkedIn
• PayPal
• American Express

Quite why these services are stuck in the dark-ages is beyond me. Possibly they just want my phone number for marketing purposes?

What's Next?

The username / password / token pattern is becoming increasingly unsustainable for me. Having a multitude of security apps is marginally more convenient than carrying around a big bunch of keys. But it is frustrating find the right app, searching through for the right icon, typing things in before the timer expires, and proving my identity multiple times daily.

I could turn off 2FA and re-use the same username/password everywhere. That would be a hell of a lot easier for me. But I don't want to reduce my security that much!

I could sign in to everything using Facebook. But even if that weren't ethically dubious, not every service supports that.

Both Google and Authy have a useful service whereby they send a push notification to your phone and ask you to confirm your login. Cool, and easy to use. But, again, limited support and the same risk of my phone being the single point of failure.

What's the alternative? If you know - please leave me a message in the comments.

I got rid of dozens related to previous employers. I hope the passwords wouldn't work after I left but 🤷‍♂️.

I scanned through the list and deleted old bank details, failed social networks, and obvious duplicates.

I'm left with seven-hundred and ninety-five different login details!

How has it got this bad?

Partly it is my fault. I seem to have three different passwords for PlayStation. I'm not sure which is the main one, and I'm too afraid to delete the others in case they are important.

Some is the fault of companies which insist on separate logins for their website account, discussion forum, and help centre.

I've been online since the 1990s and have accounts all over the place. I have no easy way of knowing which of my accounts still work.

Is this actually a problem?

I don't trust centralised logins. If everywhere offered, say, Twitter logins - then I've put all my eggs in one basket. If the login provider breaks, or goes out of business, or blocks me - then I've lost access to everything!

It also means that one provider can't track me around the net. I don't want Facebook knowing every time I log on to my electricity provider's site.

But... It puts the onus on me to be responsible. There are risks associated with password managers - but I doubt I could remember eighty complex passwords, let alone eight-hundred.

(I know some people recommend a password algorithm like pass1234-fb for Facebook and pass1234-tw for Twitter - but this doesn't scale when sites ask you to update your passwords, or have different complexity requirements.)

Can this be fixed?

I don't know which companies have merged or vanished. It's tedious going through every account testing whether my login works.

My friends in WICG have a solution for this. A new "well-known" resource called "change-password".

Basically, websites should have a page called /.well-known/change-password. If you visit twitter.com/.well-known/change-password, you'll be taken to a password change page.

A password manager can use that to test whether my password can be changed - that might tell me if a service is still live. But given that the proposal doesn't yet have wide support, there will be lots of false negatives.

So I am left with two options:

1. Accept the clutter. Live with the pain of searching through nearly a thousand passwords every time I want to log in somewhere.
2. Spend a few weekends deleting the accumulated crud of a few decades.

Does this password spark joy?

Forget that noise! I started looking for a new password manager and, on the recommendation of several friends, started using BitWarden.

Pros

• Open Source!
• Works in the browser - tried in Firefox and Chrome. Fast, and easy to use.
• Linux app - handy, but a little clunky to use. Bonus CLI tool available
• Android app - great at autofilling apps. Can unlock using fingerprint.
• Password sharing - I haven't tried this yet, but useful if you and your family share a common password for things like Netflix.
• Can be self-hosted if you want.

Cons

• Importing old passwords from LastPass was a little tricky - but that's because LastPass makes it deliberately hard.
• The Android app can be a little slow to start. Not much worse than LastPass, but a little annoying.
• If you want YubiKey support, you need to buy the premium version. It's $10/year - that's much cheaper than LastPass's $24/year.

Verdict?

Go for it! Incredibly easy to use, cheaper than LastPass if you want premium features, and works everywhere.

Convenience seems to take priority most of the time. This forces companies to get their customers to risk their own security.

In this example, we see Verizon Wireless asking their customers to type their passwords into Twitter for everyone to see!

This is dangerous. It is likely that many of their customers recycle their passwords. Does the average customer know that their "billing" password is different from their account password?

Is it safe for people to post their phone numbers in public like that?

All a scammer has to do is ring the number, say "Hello Mrs Example, I'm calling from Verizon about your billing problem - let me take you through security..."

Some companies ask for the information via Direct Message. This is also problematic.

This trains customers to input their password into a 3rd party site. That's a security risk - the password is now shared with Twitter.

If the company's Twitter account is ever broken into, all those passwords are available in the DM history.

There is also the risk that users will accidentally paste their details for the world to see.

I know what you're thinking - surely no one is actually dumb enough to type their password into Twitter?

*sigh*

But what else do we expect? Customers are trained to phish themselves in the name of convenience.

These basic security security practices should be obvious - but they clearly aren't. Companies which ask you to breach your own security are dangerous and should be avoided.

sigh Annoying but probably necessary.

The problem was, every time I tried to change my password, it told me that my old password was invalid. The one that I'd just used to log in. I use the incredible LastPass Password Manager - so I knew I wasn't typing it incorrectly.

It took a few tries, but I finally figured out what was going wrong. When I'd set up the account, LastPass had generated a secure 32 character password. But the "old password" field had artificially restricted passwords to a maximum of 20 characters.

Well, that's easy enough to change! Crack open Firefox's Inspect Element tool, change the maxlength value, and submit again.

What utter cockwombles.

Can you see any mention of a maximum length in the password rules? Minimum, sure, but no max.

Naturally, this 20 character restriction isn't enforced on the login page.

Take a bow, "Willis Towers Watson", your web developers are actively making the world a worse place. I'd ring you up to complain, but naturally you're closed on a Sunday.

We're all changing our passwords in the light of Heartbleed, right? Good!

If you are a developer or designer, I want to explain to you exactly how not to create a password dialogue box for your users.

We're all used to seeing this:

Input password: Change Password

This is incorrect! Why? Because it leads to this?

Input password: Change Password ERROR! Your password must be longer than 7 characters!

Ok! Ok! I'll enter in a longer password.

Input password: Change Password ERROR! Your password must be between 8 - 16 characters!

Grrrrrr.... ok.... how about this?

Input password: Change Password ERROR! Your password must contain at least 1 number and special character.

I will cut you...

Input password: Change Password ERROR! Allowed special characters are "!$%^&*".

Oh.... FFS.... Will this do?

Input password: Change Password ERROR! I just don't like you!

GAAAAH!!!!

If you are writing a form which asks a user to enter a new password, please follow these simple guidelines:

• State your site's password requirements ON THE FRICKIN' FORM! Seriously, if you only do one thing, make it that!
• Don't let a user submit a password which doesn't meet your requirements. Use JavaScript to disable the button and highlight the text of your password policy.
• Don't impose an artificially short password length. If a user really wants a 64 or 128 or 1024 length password, let them.
• If you have to restrict the length, use maxlength in the input field.
• Do you really need to insist on special characters, upper and lower case, Roman Numerals, and Unicode emoticons? If the user really wants to be insecure, let them. If you need security - insist on using 2FA rather than complex passwords.
• How will the user know what your password requirements are? Are they hidden on a help page somewhere, or only on a pop-up after they've hit enter? Make sure they're on the page - preferably directly above the password field.

As I go through all my passwords, it's infuriating how many sites expect the user to magically know the site's Byzantine security requirements.

Remember, if you make your password field too complex, users will get frustrated and reject it.

I wracked my brains thinking about how they could have gotten in there before I realised it was a long-dormant friend who had changed their name and avatar.

But, in thinking about how a spammer could infiltrate one's timeline, I think I came up with a fairly bullet-proof method to spam Twitter users.

I present this as an exercise in devious thinking - and also to show how our assumptions about security can play against us. Remember, hacking and impersonation are likely to be illegal in your jurisdiction.  This information is designed to help you understand how security weaknesses can occur.

Being Evil

Imagine you are a nasty, evil Twitter spammer. Your own mother wouldn't spit on you if you were on fire - that's how mean you are. Here's what you do.

1. Obtain a user's password.  Admittedly, this is the hardest part of the process. You might use a dictionary attack, use the same password they use to log in to another site, or somehow steal it.
2. Log on to Twitter.
3. Go to "Connections" and see which services they have connected to using OAuth.  For the purposes of this experiment, let's assume they use Example.com.
4. Go to Example.com and OAuth yourself with Twitter using your mark's credentials.
5. Here's where the ordinary spammer falls down.  The ordinary spammer will start sending out messages from the mark's account.  That's not the aim of this weakness.
6. From the mark's account, through Example.com, make your victim follow one of your spam accounts.  An account which exists solely to show adverts to your victim.

Your victim now sees your adverts for pills, poker and porn in their timeline.  With any luck, they'll just assume that one of their true friends is promoting your illicit wares.

Counter Attack

Most victims will assume that they accidentally followed your spam account - or that one of their friends has been hacked.

Worst case scenario, they unfollow your spam account.

So you just make them follow you again! Remember, you are still OAuth'd to Example.com. You can make them follow as many of your spam accounts as you think you can get away with.

At this point, the intelligent victim will think that their account may be compromised and change their password.

It doesn't matter! Because you have used OAuth, password changes don't affect you.  You can continue make them follow as many of your spam accounts as you think you can get away with.

At this point, the really intelligent victim will go through their OAuth connections to look for something suspicious.  They won't find it.  Remember steps 3 and 4?  You are OAuth'd to a service that your victim trusts.

Because of the way Twitter displays OAuth information, there's no way for a victim to know when a service was last authorised.

There is no information other than the first time the OAuth was set up.  No last accessed date, no IP addresses, nothing useful.

When following an account, the victim gets no notification of what has happened, when it has happened or how it has happened.  There is no way of them knowing which of their OAuth'd connections have been compromised, nor when it happened.

Their only safe option is to revoke every single OAuth connection.  Then reauthorise.  A time consuming and annoying prospect.

Conclusion

I hope I've demonstrated two things.

Firstly, there's more to spam then just sending out messages.  Forcing someone to read a message is just as annoying.

Secondly, our understanding of security and usability haven't quite caught up with the new tools which are available to us.  OAuth is still better than giving your password to an untrusted site - but without essential usability changes, a compromised account is a lot more dangerous than the user would suspect.

This "attack" still relies on a victim having their original password compromised.  That's not a trivial matter.  But security is like sexual health - it only takes one little accident...