
With No Notice, Twitter Adds More Limits – Password Trouble Ensues


Twitter is up to their old antics: adding limits, changing the API, and not telling developers as they do so. This morning Twitter released into production a new limit on the verify_credentials() method in the API, allowing a user's username and password to be verified through Twitter applications only 15 times per hour. The problem is that they didn't tell any of the developers.

Sure enough, a search of Twitter (the issues are intermittent) turns up users across the Twittersphere having password issues and wondering what is going on. It even affected my service, SocialToo: we were using that method as a backup to verify that users were indeed still authenticated (which let us notify them if they forgot to change their password with us). I e-mailed Twitter, and while they were very respectful as always, they seemed surprised at the issues we were having. When I asked whether it had been announced anywhere, they responded, “It wasn’t, no, because [we] assumed (apparently incorrectly) that people were only using this method occasionally.” There has still been no announcement by Twitter of the new limits.

Apparently, on June 29th, new text was added to the Developer API Wiki stating (regarding the verify_credentials() method in the API), “Because this method can be a vector for a brute force dictionary attack to determine a user’s password, it is limited to 15 requests per 60 minute period (starting from your first request).” The new limit doesn’t appear to have been enforced until this morning, however, as that is when we noticed it at SocialToo.

So if you’re using the verify_credentials() method in your app, you may want to consider finding some other way to be sure your users are verified; I’m happy to announce it here. The limit applies per user rather than per application, so it now takes only a few calls by only a few apps to exhaust it for a given user, and that user is then stuck until the hour is up, and will keep getting stuck until apps adapt to the new limit. That is why we’re seeing the issues across all of Twitter. Note also that a throttled verify_credentials() call is not the same thing as a failed login: an app that treats every failure from that method as a wrong password will tell users their password is bad when it isn’t. According to Twitter, the best approach is to make your normal API calls and look for a 401 response code, since calls made with credentials that are no longer valid will return that. Twitter now suggests using verify_credentials() only for new users. My conversation with Twitter ended with this suggestion from them: “Migrating to OAuth avoids the risk of a user changing her password, FWIW.”
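To make the failure mode concrete, here is an added example (my own simulation, not code from this post, SocialToo or Twitter). It models the per-user verify_credentials() budget quoted from the wiki above (15 requests per 60-minute window, the window starting at the first request) and contrasts the old pattern of pre-verifying on every call with the 401-driven pattern Twitter recommended. The FakeTwitter class, the choice of 400 for a throttled response, and the user names and passwords are all constructed assumptions for the simulation; only the 15/hour figure and the 401 behaviour come from the post.

```python
# Added example: simulates the per-user verify_credentials() budget the post
# describes and the two client strategies it discusses. Everything about
# FakeTwitter is an assumption made for the simulation; it is not Twitter's code.

LIMIT = 15              # requests per user per window (from the wiki text quoted above)
WINDOW_SECONDS = 3600   # 60-minute window, starting at the first request


class FakeTwitter:
    """Minimal stand-in for a Basic-Auth style API (assumed, simplified behaviour)."""

    def __init__(self):
        self.passwords = {}  # username -> current password (constructed test data)
        self.windows = {}    # username -> [window_start, calls_in_window]

    def set_password(self, user, password):
        self.passwords[user] = password

    def _credentials_ok(self, user, password):
        return self.passwords.get(user) == password

    def verify_credentials(self, user, password, now):
        """Rate limited per *user*: every app checking the same account shares the budget."""
        start, count = self.windows.get(user, (None, 0))
        if start is None or now - start >= WINDOW_SECONDS:
            start, count = now, 0            # a new fixed window begins at this request
        if count >= LIMIT:
            self.windows[user] = [start, count]
            return 400, "Rate limit exceeded"   # assumption: throttling is NOT a 401
        self.windows[user] = [start, count + 1]
        if self._credentials_ok(user, password):
            return 200, "ok"
        return 401, "Could not authenticate you."

    def statuses_update(self, user, password, text, now):
        """An ordinary authenticated call: not subject to the verify_credentials budget."""
        if not self._credentials_ok(user, password):
            return 401, "Could not authenticate you."
        return 200, text


def classify(status):
    """What an app should do with a response: only a 401 means the stored password is stale."""
    if status == 401:
        return "reauth"      # tell the user, stop using the stored password
    if status == 400:
        return "throttled"   # back off; do not report this as a bad password
    return "ok"


def pre_verify_strategy(api, apps, polls_per_app, user, password):
    """Old pattern: several apps each call verify_credentials() before doing real work.

    Returns the classified outcome of every verify call, in order."""
    outcomes = []
    for poll in range(polls_per_app):
        for app in range(apps):
            now = poll * 60 + app           # all calls land inside one hour
            status, _ = api.verify_credentials(user, password, now)
            outcomes.append(classify(status))
    return outcomes


def on_401_strategy(api, user, password, now, text):
    """Recommended pattern: make the real call and react only to a 401."""
    status, _ = api.statuses_update(user, password, text, now)
    return classify(status)


if __name__ == "__main__":
    api = FakeTwitter()
    api.set_password("alice", "hunter2")          # constructed credentials
    results = pre_verify_strategy(api, apps=4, polls_per_app=5, user="alice", password="hunter2")
    print(results.count("ok"), "verified,", results.count("throttled"), "throttled")
    print(on_401_strategy(api, "alice", "hunter2", 1000, "still works while throttled"))
    api.set_password("alice", "new-password")    # user changes password at twitter.com
    print(on_401_strategy(api, "alice", "hunter2", 1001, "now a 401"))
```

Four apps polling five times each is twenty verify calls in one hour: the first fifteen succeed and the rest are throttled for every app, even though the user's real API calls keep working and the password is perfectly valid. Distinguishing the throttled response from a 401 is the part that matters; the exact status code Twitter used for throttling is not stated in the post and is assumed here.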

FWIW, OAuth is still in beta and not yet recommended for use in production. In their exact words, “For us, ‘beta’ really means ‘still in testing, not suitable for production use’.” In other words, use the Twitter API at your own risk.


  • Thanks for writing about it! They should really start having lines of communication between Twitter and their developers. Not everything that seems obvious to them is the same way for everyone.
  • Jesse, if I'm reading the revision tracker correctly, the new text was added to the API wiki page just two days ago. June 29th was the date of the previous revision of that page. See http://bit.ly/15z2MW Interestingly, the June 29th revision changed "API rate limited" from "true" to "false".
  • Jeremy, you may be right. I probably read that wrong. That makes it even worse, IMO.
  • Belinda
    Twitter clients need to start realizing they are a dime a dozen and not a real business. Relying on twitter as your business model is just plain dumb. So blame yourself.
  • Belinda, dumb or not I still have a business and customers relying on what I started. It is a revenue source, so I'm stuck with it, like it or not. And so long as Twitter provides an API they have a responsibility to respect those that are using it, or risk losing the power of their platform altogether. Am I (and many other developers) focusing on other platforms as well? Yes, I'm not that dumb. However, so long as Twitter keeps making the same mistakes I'm going to continue calling them out on it.
  • Very interested in openid or oauth or any other generic single account login systems.
    Thanks for sharing your experience Jesse
  • If developers are using the OAuth methods on an ad hoc basis without storing credentials, it needs to verify_credentials each session (or call, if sessions are not being set).
  • coldbrew
    For anyone capable of subscribing to an RSS feed, there is one for the API Wiki: apiwiki.twitter.com/rss.xml

    Perhaps Twitter application developers should subscribe and pay attention?

    Not sure, but this appears to me as whining by small-time developers that are failing to utilize the tools and resources Twitter provides.

    People may have noticed that Twitter has had some security issues? I've had little free time to spend on the 'interwebz' (I love summer in the Rockies), but I've noticed they've been in the news because of security problems. When developing applications on top of a growing and morphing start-up's API, it is probably best to figure out what that start-up is going through and how best to work with them (i.e. follow the RSS feed from their developer wiki).

    [I left this same comment on RWW, but they like to censor comments (unless it is spam or self-promotion), so I am placing it here as well. So much for transparency where RWW is concerned, since I leave my email right there in the comment field if they need to contact me directly; they bitch about Twitter, but it is ok if they change commenting rules. Stay classy ReadWriteWeb.]
  • Boyd Brewer, I follow every change that goes through that - do you? Have you even tried? There is absolutely no way developers can pay attention to and know when changes to the Wiki are important to them. Twitter does have a channel for this though - they have both a blog and an API Announcements list for this. When these changes are going to be put in place developers need to be made aware via these means with plenty of notice ahead of time. It's ridiculous to think developers should track every single change to that wiki to know what's going to change in the future. And whining? Who's whining?
  • coldbrew
    Complete lack of respect and misappropriation of personal info. Real classy.

    This is exactly the reason to be concerned with privacy on the interwebz>>>Internet Bullies. I could always use a proxy and go anon (as I should have here) because low class individuals such as yourself can't seem to be bothered with respecting the wishes of others. Did you marry your cousin or your mother?
  • Wow - is that a threat? I'm starting to wonder if I should call the cops on this one (seriously - what you're doing here is bordering on stalking). I'll save the trouble and block your comments and flag the previous as spam. I call everyone by their names when they provide it, which is what you did. If you don't want your comment here I'm happy to mark it as spam, which is what I'm going to do, starting now.
  • Somebody
    It's 15 times per hour, not per day.
  • Thanks - that was a typo.
  • Name
    Yeah, it's official. istwitterbroken.com even says the site is "sort of" broken...wonder how long this'll last before they revert.
  • Thanks for tipping us about this Jesse!
  • Thanks for writing about it Jolie!
  • Twitter needs to stop being so anti-developer. Communication goes a long way to fixing this perception of them.