Scores of security bods registering for security outfit RSA’s Executive Security Action Forum (ESAF) have handed over their Twitter account passwords to the company’s website, in what is seen as something between bad practice and outright compromise.
The registration process for the February 29 event asks delegates to enter their Twitter credentials so that a prefab tweet about their attendance can be sent.
But the page asks for the delegate’s plaintext password, and does not use OAuth-based sign-in, the standard means by which a website can act on a Twitter account without ever seeing the user’s password: the user approves the site on twitter.com and the site receives a revocable access token that Twitter can check, rather than the credential itself.
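To make the contrast concrete, here is an added example (not code from RSA, Twitter or the ESAF registration site) of how a site that has been through the OAuth 1.0a dance signs a "post a tweet" request. Every key, secret, nonce and timestamp below is a made-up constant so the code runs offline; the request-token/authorize/access-token round trip that issues the token over the network is omitted. The point is what the site holds: an app secret plus a per-user access token secret, which is all the HMAC key is built from, and Twitter verifies the signature against its own copy of those secrets. At no step does the site see or store the password.

```python
"""OAuth 1.0a request signing (RFC 5849), the scheme Twitter's API used at the time.

Added example, not code from RSA, Twitter or the ESAF registration page.
All credentials, the nonce and the timestamp are constructed constants so the
block runs offline. It demonstrates that a third-party site can send an
authenticated request on a user's behalf holding only an access token and its
secret issued by Twitter, never the user's password.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials (hypothetical). In the real flow the consumer key and
# secret come from registering the app with Twitter; the token and token secret
# are issued to the app only after the user approves it on twitter.com.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
ACCESS_TOKEN = "12345-example-access-token"
ACCESS_TOKEN_SECRET = "example-access-token-secret"

# Illustrative endpoint; the URL is part of what gets signed.
UPDATE_URL = "https://api.twitter.com/1/statuses/update.json"


def percent_encode(value: str) -> str:
    """RFC 3986 encoding as OAuth 1.0a requires: only A-Za-z0-9 - . _ ~ are left bare."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Canonical string both client and server sign over.

    `params` holds the body/query parameters plus every oauth_* parameter except
    oauth_signature itself: keys and values percent-encoded, sorted by key,
    joined with '&', and the whole parameter string encoded once more.
    """
    pairs = sorted((percent_encode(k), percent_encode(str(v))) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(param_string)])


def signing_key(consumer_secret: str, token_secret: str) -> str:
    """HMAC key = encoded consumer secret '&' encoded token secret. No password involved."""
    return f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"


def hmac_sha1_signature(base_string: str, key: str) -> str:
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, body_params, nonce, timestamp):
    """Client side (the registration site): full parameter set including oauth_signature."""
    params = dict(body_params)
    params.update({
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": ACCESS_TOKEN,
        "oauth_version": "1.0",
    })
    base = signature_base_string(method, url, params)
    params["oauth_signature"] = hmac_sha1_signature(
        base, signing_key(CONSUMER_SECRET, ACCESS_TOKEN_SECRET))
    return params


def verify_request(method, url, params, secrets_by_key, secrets_by_token):
    """Server side (Twitter's role): look up the secrets for the presented consumer
    key and token, recompute the signature and compare in constant time."""
    presented = params.get("oauth_signature")
    consumer_secret = secrets_by_key.get(params.get("oauth_consumer_key"))
    token_secret = secrets_by_token.get(params.get("oauth_token"))
    if presented is None or consumer_secret is None or token_secret is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(signature_base_string(method, url, unsigned),
                                   signing_key(consumer_secret, token_secret))
    return hmac.compare_digest(expected, presented)


# Constructed registry standing in for Twitter's credential store. Revoking the
# user's authorisation means deleting one token entry; the password is untouched.
SERVER_CONSUMER_SECRETS = {CONSUMER_KEY: CONSUMER_SECRET}
SERVER_TOKEN_SECRETS = {ACCESS_TOKEN: ACCESS_TOKEN_SECRET}


def demo_prefab_tweet():
    """Sign the kind of 'I am attending' tweet the registration page wanted to send,
    verify it, then show that altering the status invalidates the signature."""
    signed = sign_request("POST", UPDATE_URL,
                          {"status": "Attending ESAF on February 29!"},
                          nonce="constructed-nonce-0001", timestamp=1330000000)
    ok = verify_request("POST", UPDATE_URL, signed,
                        SERVER_CONSUMER_SECRETS, SERVER_TOKEN_SECRETS)
    tampered = dict(signed, status="Attending ESAF on February 29! (edited)")
    tampered_ok = verify_request("POST", UPDATE_URL, tampered,
                                 SERVER_CONSUMER_SECRETS, SERVER_TOKEN_SECRETS)
    return ok, tampered_ok


if __name__ == "__main__":
    print(demo_prefab_tweet())  # (True, False)
```

The thing to notice is the shape of `signing_key`: the site's own app secret and a token secret that Twitter minted for this user and this app. Twitter can revoke that token, or the user can from their settings page, without the password changing hands or being reset; a plaintext password typed into a third-party form gives no such handle.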
I don’t know what is worse: RSA asking for this, or potential attendees (i.e. security “experts”) actually filling this in!