A Note on Password Security for Mesh Sites

This is based on a somewhat dated blog post by Jeff Atwood over at Coding Horror.

He makes the great point that, as web developers, by exposing users to certain things we can make them comfortable with things that should raise alarms. One of these is asking for another site’s credentials.

This is incredibly bad!

And yet... if you’re on my actual web site (not the RSS feed), check out the little green box there on the left. See that link? “Google login”? That provides a way to log into my site (or parts of it) as a Google account. I don’t do anything crazy with it; in fact it just pops up a window to their login gateway, but the certificate is not prevalent in the browser window, and really, I could have done something similar and captured the password for a replay attack if I were unscrupulous.

As developers, we should refuse to use non-integrated remote login APIs. I say non-integrated, because safer methods like OpenID are in fact remote login APIs (distributed credential repositories).

Even if the quick-and-dirty APIs for passing credentials along aren’t fazed by a lack of developers using them, if asking for another site’s password is a rarity, it should be jarring to the user.

A user should not feel comfortable entering another site’s credentials in your site.
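The distinction above, between passing a user’s password through your site and delegating the login to the provider, is easier to see in code. What follows is an added example, not code from this post or from any OpenID implementation: a stripped-down, OpenID-style flow in Python in which an assumed `IdentityProvider` checks the password and returns a signed assertion, and an assumed `RelyingParty` (the site) verifies the signature, the `return_to` URL, expiry and a one-time nonce, so the site never sees the password and a captured assertion cannot be replayed. The shared HMAC key, the URLs and the user record are constructed for the example.

```python
"""Simplified, OpenID-style delegated login (constructed example).
The identity provider checks the password and hands back a signed assertion;
the relying party verifies that assertion and never touches the password."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Assertion:
    identity: str   # claimed identifier, e.g. the user's profile URL
    return_to: str  # relying-party URL the assertion was issued for
    nonce: str      # unique per assertion; lets the relying party reject replays
    expires: int    # unix time after which the assertion is no longer valid
    signature: str  # hex HMAC-SHA256 over the four fields above

    def signed_payload(self) -> bytes:
        # Length-prefix each field so the field boundaries are unambiguous.
        parts = [self.identity, self.return_to, self.nonce, str(self.expires)]
        return b"".join(f"{len(p)}:{p}".encode() for p in parts)


class IdentityProvider:
    """The only party that ever sees the password; stores salted PBKDF2 hashes."""

    def __init__(self, association_key: bytes) -> None:
        self._key = association_key  # assumed shared with the relying party out of band
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def login(self, username: str, password: str, return_to: str,
              ttl: int = 300, now: Optional[int] = None) -> Optional[Assertion]:
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None  # wrong password: no assertion is issued
        now = int(time.time()) if now is None else now
        unsigned = Assertion(identity=f"https://idp.example/id/{username}",
                             return_to=return_to,
                             nonce=f"{now}-{secrets.token_hex(8)}",
                             expires=now + ttl, signature="")
        sig = hmac.new(self._key, unsigned.signed_payload(), hashlib.sha256).hexdigest()
        return replace(unsigned, signature=sig)


class RelyingParty:
    """Accepts logins only via signed assertions; it has no password field at all."""

    def __init__(self, my_url: str, association_key: bytes) -> None:
        self.url = my_url
        self._key = association_key
        self._seen_nonces: Set[str] = set()

    def verify(self, a: Assertion, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        expected = hmac.new(self._key, a.signed_payload(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.signature):
            return False, "bad signature"    # forged or modified assertion
        if a.return_to != self.url:
            return False, "wrong return_to"  # issued for a different site
        if now > a.expires:
            return False, "expired"
        if a.nonce in self._seen_nonces:
            return False, "replayed nonce"   # same assertion presented twice
        self._seen_nonces.add(a.nonce)
        return True, a.identity


def demo(now: int = 1_700_000_000) -> Dict[str, object]:
    """Runs the flow once and exercises each rejection path; returns the outcomes."""
    key = secrets.token_bytes(32)  # constructed shared secret
    idp = IdentityProvider(key)
    rp = RelyingParty("https://rp.example/login/return", key)
    idp.register("alice", "correct horse battery staple")  # constructed user record
    results: Dict[str, object] = {}
    results["wrong_password"] = idp.login("alice", "hunter2", rp.url, now=now) is None
    good = idp.login("alice", "correct horse battery staple", rp.url, now=now)
    results["first_use"] = rp.verify(good, now=now)
    results["replay"] = rp.verify(good, now=now)
    results["tampered"] = rp.verify(replace(good, identity="https://idp.example/id/bob"), now=now)
    other = RelyingParty("https://other.example/return", key)
    results["other_site"] = other.verify(good, now=now)
    fresh = idp.login("alice", "correct horse battery staple", rp.url, now=now)
    results["expired"] = rp.verify(fresh, now=now + 301)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

The relying party's `verify` takes an `Assertion` and nothing else, which is the whole point: there is no code path in which the site receives the user's password, so there is nothing for it to capture or forward. The nonce set is what defeats the replay the post mentions; in a real deployment it would live in shared storage with an expiry matching the assertion lifetime.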

Posted on 5/15/2009 7:15:26 AM by Jason Nadal
