I suggest you ...

Use oauth, not username/password

I can't / won't enter my username and password into an application like this; Google provides tools so apps don't have to ask for username/password; instead, more secure alternatives are available. You should use them; Google may break apps that work the way yours does (similar to how Twitter broke all their apps that didn't use OAuth).

61 votes
    Tim Dierks shared this idea

    8 comments

      • Aaron U'Ren commented

        Brady-

        I would also like to see NoteSync use some other form of authentication besides ClientLogin.

        I'm not totally sure where you got the idea that using OAuth requires the user to have to keep logging in. If you have a refresh token you can get new access tokens whenever you need them for the lifetime of the permission granted by the user. I've used OAuth with many Google APIs before and I have never been required to run the user through re-validation.

        Furthermore, OAuth is the Google-recommended way to authenticate against their services (https://developers.google.com/accounts/docs/OAuth2). In a lot of ways ClientLogin has been deprecated, and can present difficulties for developers, like having to deal with CAPTCHA challenges from time to time (see Google IO presentation: ClientLogin #FAIL http://www.youtube.com/watch?v=fud6NKljgPU).

        As a side note, the Android version of this application should be using AccountManager and not either ClientLogin or OAuth; see: http://code.google.com/p/google-api-java-client/wiki/Android. It is represented in the video about 40 min in.

      • Dave Hilowitz commented

        +1

        I also used an alternate Google account, although I would have liked not to have to.

      • Brady White (Admin; Founder, NoteSync) commented

        @hollistera that is a great security workaround, we'll suggest this for others who are nervous about their Google credentials. I'm curious if this is related to the bug you logged with us.

      • hollistera commented

        Actually, what I did was to use my spare Gmail account credentials and then shared the NoteSync folder from there to my real account. That way I get the Gmail updates without having to share my password in an app that I can't validate the security of...

      • Tim Dierks commented

        OAuth isn't completely secure alone; of course, if you make use of https, that will prevent FireSheep from stealing tokens. And I don't believe OAuth would require repeated login; it's my understanding that Google issues long-lived OAuth tokens.

      • Brady White (Admin; Founder, NoteSync) commented

        Tim,

        OAuth is a great solution, but definitely not completely secure. FireSheep has proven that using tokens for authentication still isn't completely safe (try it, and start tweeting as your friend when he logs in on an unsecure wifi network). ClientLogin works great for now and we aren't stealing your usernames and passwords :)

        In the future we may add OAuth support, but this will inconvenience our users by making them log in every few days. This is the constant usability versus security issue.
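
Added example, not part of the thread and not NoteSync's code: a sketch of the refresh-token exchange Aaron U'Ren describes (the `refresh_token` grant of RFC 6749, section 6), which also refuses a non-HTTPS token endpoint in line with Tim Dierks's point about https. The class, the `post` transport callable and the fake endpoint are hypothetical names constructed for this illustration.

```python
import time
from urllib.parse import urlparse

class ReauthorizationRequired(Exception):
    """The grant was revoked or expired; the user must consent again."""

class TokenCache:
    """Keeps a short-lived access token fresh with a stored refresh token."""
    def __init__(self, token_url, client_id, client_secret, refresh_token,
                 post, clock=time.time, skew=60):
        # Tokens are bearer credentials: never send them over plain HTTP.
        if urlparse(token_url).scheme != "https":
            raise ValueError("token endpoint must use https")
        self.token_url, self.client_id = token_url, client_id
        self.client_secret, self.refresh_token = client_secret, refresh_token
        self.post, self.clock, self.skew = post, clock, skew
        self.access_token, self.expires_at = None, 0.0

    def get_access_token(self):
        # Reuse the cached token until shortly before it expires.
        if self.access_token and self.clock() < self.expires_at - self.skew:
            return self.access_token
        # RFC 6749 section 6: refresh without involving the user.
        status, body = self.post(self.token_url, {
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        if status == 400 and body.get("error") == "invalid_grant":
            # Revoked or expired grant: the one case that needs a new login.
            self.access_token = None
            raise ReauthorizationRequired(body.get("error_description", ""))
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"token refresh failed: HTTP {status}")
        self.access_token = body["access_token"]
        self.expires_at = self.clock() + int(body.get("expires_in", 0))
        # Some servers rotate refresh tokens; keep the newest one.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        return self.access_token

def fake_token_endpoint(valid_refresh_token, calls):
    """Constructed stand-in for the provider's token endpoint (offline demo)."""
    def post(url, form):
        calls.append(dict(form))
        if form["refresh_token"] != valid_refresh_token:
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": f"at-{len(calls)}", "expires_in": 3600}
    return post
```

In a real client, `post` would be an HTTPS form POST to the provider's token endpoint, and the refresh token would be kept in the platform's credential store.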
