I just flew into Houston, TX on the red-eye from Seatac and I'm sitting in a Starbucks waiting for my flight to Austin, TX so the writing may not be top of the pops, but I wanted to rant a little.

---

What brought this on?

I saw a super SCARY STORY about a lame coder who built a nasty application which:

  • asked end users of their product for their gmail (well, their Google Account) credential pair - this is a penalty already
  • stored the developer's gmail credential pair in code - this is just lame coding
  • stored the credential pair in the inbox - this is unforgivable

Not only has this developer put his professional career at risk (who would hire this guy?), he also put everyone else's credential pairs at risk - super super bad.

---

What do I have to say?

As an end-user i.e. not a developer you should NOT enter your windows live id credential pair (i.e. Username: foo@live.com and Password: MyDogIsFido) into a web site which isn't http://login.live.com.

No Microsoft web site will ask you for your Live ID credentials except login.live.com (and accounts.live.com when linking accounts). Any other web site which asks you for your credentials may not be evil.com but they may either be sloppy coders (like our friend above) or could be hacked putting your credentials at risk of being shared.
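
To make that rule concrete, here is an added Python check (my own example, not code from any Microsoft SDK) that decides whether a URL is really one of the two hosts named above before a credential pair gets typed into it; it also assumes the genuine login page is served over HTTPS, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# The only hosts the post names as legitimate places to enter a Live ID
# credential pair (accounts.live.com only when linking accounts).
LEGITIMATE_LOGIN_HOSTS = {"login.live.com", "accounts.live.com"}


def is_legitimate_login_page(url: str) -> bool:
    """Return True only if `url` is an HTTPS page on one of the hosts above.

    The comparison is on the whole host, never a substring, so look-alikes
    such as 'login.live.com.example.net' fail, and a userinfo trick such as
    'https://login.live.com@example.net/' fails because the real host is
    example.net and a genuine login URL carries no userinfo at all.
    HTTPS is an assumption added here, not a rule stated in the post.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # strips userinfo and port, lower-cases
    if host is None:
        return False
    return host.rstrip(".") in LEGITIMATE_LOGIN_HOSTS


def triage(urls):
    """Classify constructed sample URLs; returns {url: verdict}."""
    return {u: is_legitimate_login_page(u) for u in urls}


if __name__ == "__main__":
    # Constructed samples: two genuine-looking URLs, four that should fail.
    SAMPLES = [
        "https://login.live.com/login.srf?wa=wsignin1.0",
        "HTTPS://ACCOUNTS.LIVE.COM:443/link",
        "https://login.live.com.example.net/",
        "https://login.live.com@example.net/",
        "http://login.live.com/",
        "https://example.net/?next=https://login.live.com/",
    ]
    for url, ok in triage(SAMPLES).items():
        print(("OK  " if ok else "STOP"), url)
```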


If you are a developer wanting to try out new things (like seeing how some social networks have illegally implemented contact importing, or using hack API wrappers for SkyDrive) which involve putting your credentials at risk, here are a few tips:

  • create a new test Live ID with a fake, easily hackable password
  • DO NOT LINK THAT LIVE ID TO YOUR REAL ACCOUNT - SUPER SUPER IMPORTANT
  • Have a separate secret question / answer
  • Do not put any real PII in any of the Windows Live systems which use that Live ID
  • Do not log into any REAL web sites using that Live ID as if your account is hacked the other sites could be accessed.
  • Give it an obvious name like aloganFakeHackAbleLiveID@live.com

What about Rich Clients (i.e. desktop applications) - I can't use login.live.com?

Desktop applications are a little harder to control, and in the horror story above it was actually an offending client application.

To enable client applications to call Windows Live ID protected services, we developed the Windows Live ID Client SDK to protect users and make it easy for developers to implement Windows Live ID authentication (and fetch a token for various services).

When your application needs a user to authenticate, a specific UX is rendered, one that comes from the Windows Live ID Client SDK, so the developer (good or bad) never sees the credential pair.


Because this UX doesn't have a title bar, sure - it can be spoofed (i.e. you could fake the user experience and actually ask the end-user for their credential pair) - my thoughts are: if you already have a client app running and it's evil, they basically own you... although UAC does prevent some of this.

If you aren't running on a supported platform for the Windows Live ID Client SDK there is an endpoint you can call - post your question to the WLID support forum.

Why don't the Microsoft-shipped applications use the client SDK UX?


Some of our applications do use the Client SDK but most don't. The reasoning is that because the application is clearly identifiable as a Windows Live suite program, we have customized the UX on a per-product basis. ISVs on Client SDK compatible operating systems (Windows) should use the Client SDK.

Side note about customizable UX: if you have ever installed the Zune management program you will notice they have gone too far with the customization and it doesn't actually ask you for your Windows Live ID, so as a consumer you aren't sure whether you should be using your Windows Live ID or some other ID. UX customization cuts both ways: a slick experience for users on one side, and on the other the user recognizing, out of familiarity, what they should do on this screen.

---

I know this was a bit of a rant but I'm still sitting in the Starbucks so give me a break.

UPDATE: TechCrunch weighed in on this

UPDATE: check out the OpenID