Public Service Announcement: Don’t forget the applications tab of your twitter account. A lot of people have been laughing at the clueless social media expert who fired a ghostwriter and forgot to change his password. But changing a password is not enough, since once a remote client (e.g., Twitter for iPhone) has been authorized against your account, it uses its OAuth credentials and not your password to authenticate. Changing your password will not affect those applications (indeed OAuth was designed so apps could access the account without storing passwords), and the only way to revoke access is to go into the applications tab of your account settings and hit “revoke access.” Try looking at yours and you’ll be struck by a few things immediately:
- How many services you granted read and write access to your account a long time ago and have since forgotten about (each of which becomes a way into your account if that service is hacked).
- OAuth is keyed to an application, but in this ghostwriter-gone-rogue case you’d really want to revoke the access of a person. How do you figure out which application they use?
- Most users have little to no idea that this tab even exists.
In conclusion, rotate your passwords in this sort of situation, but don’t forget the applications as well.
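To make concrete why a password change leaves those grants alive, here is a small Python model added for this post (not Twitter's code or API, and the class and function names are invented for illustration): the account holds a password hash and one token per authorized application, the API checks only the token, and an audit helper lists the old write-capable grants that the first bullet above warns about.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Grant:                # hypothetical model of one authorized application
    app: str
    scope: str              # "read" or "read write"
    token: str              # the app's own credential; unrelated to the password
    granted: date
    revoked: bool = False

@dataclass
class Account:
    password_hash: str = ""
    grants: dict = field(default_factory=dict)

    def set_password(self, new_password: str) -> None:
        # Stand-in hash for the toy model; rotating it touches no grant at all.
        self.password_hash = hashlib.sha256(new_password.encode()).hexdigest()

    def authorize_app(self, app: str, scope: str, granted: date) -> str:
        token = secrets.token_hex(16)
        self.grants[app] = Grant(app, scope, token, granted)
        return token

    def api_call_allowed(self, token: str) -> bool:
        # What the API checks on each call: a live app token, never the password.
        return any(g.token == token and not g.revoked for g in self.grants.values())

    def revoke_access(self, app: str) -> None:
        # The "revoke access" button: the only operation that kills the token.
        self.grants[app].revoked = True

def stale_write_grants(account: Account, today: date, max_age_days: int = 365) -> list:
    """Audit helper: live grants with write scope older than max_age_days."""
    return sorted(g.app for g in account.grants.values() if not g.revoked
                  and "write" in g.scope and (today - g.granted).days > max_age_days)

def demo() -> dict:
    # Constructed scenario: a ghostwriter's client authorized long ago, then a password rotation.
    acct = Account()
    acct.set_password("old-password")
    ghost = acct.authorize_app("GhostwriterClient", "read write", date(2010, 6, 1))
    acct.authorize_app("Twitter for iPhone", "read write", date(2012, 1, 10))  # recent, not stale
    acct.set_password("new-password")              # the rotation after the falling-out
    after_rotation = acct.api_call_allowed(ghost)  # True: the password change did nothing
    stale = stale_write_grants(acct, date(2012, 2, 1))
    acct.revoke_access("GhostwriterClient")        # this is what actually cuts the app off
    return {"after_rotation": after_rotation, "stale": stale, "after_revoke": acct.api_call_allowed(ghost)}
```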