RSS

Pinboard Blog

Holy War on Sites That Demand Pinboard Passwords

Over two years ago I introduced an API authentication method so people could authorize outside third-party websites to add things to their Pinboard account without sharing their Pinboard password.

Many sites switched over to use the token, but some still have not.

As of today, I'm going to start blocking outside websites that ask you for your Pinboard credentials. First to feel my wrath is Packratius, which angers me especially by asking users to provide their Pinboard password in order to duplicate a native Pinboard feature.

Do not do this

Packratius, I block you!

Next on the chopping block is IFTTT, which has set up an especially ridiculous workflow by requiring users to enter then Pinboard password, and then immediately using it to fetch an API token that they use for all subsequent calls. Their tech team has pleaded for mercy until October 24, and I have heard their pleas. But it's dumb that it is taking two years, multiple engineers, and millions of dollars in funding to begin to promise to fix this. I am itching to block them.

If you know of any other websites that ask for your Pinboard password, please let me know and I will gleefully bring the ban hammer down.

If you run a site that is asking people for their Pinboard passwords, you need to change it to ask for the API token instead. If you need time to do this, email me about your plans with a convincing display of contrition.

If there is something you are able to do with a password and unable to do with an API token, let me know and I will fix it immediately.

I have less of a problem with mobile or desktop apps that ask for Pinboard login credentials, provided those get stored locally. My beef is with sites that ask for passwords that get sent to a server somewhere. There is absolutely no need to do this this given the existence of an API token, and it needlessly puts users' accounts at risk.


Update 4:45 PM Oct 14: I just got news from IFTTT that they've changed their channel form to use the API token. Thanks very much to them for getting that done faster than promised!

—maciej on October 14, 2014



Pinboard is a bookmarking site and personal archive with an emphasis on speed over socializing.

This is the Pinboard developer blog, where I announce features and share news.




How To Reach Help

Send bug reports to bugs@pinboard.in

Talk to me on Twitter

Post to the discussion group at pinboard-dev

Or find me on IRC: #pinboard at freenode.net