June 4, 2008
A number of people whose opinions I greatly respect have turned me on to Yelp over the last six months or so. Yelp is a community review site, and a great way to discover cool new places in whatever neighborhood you happen to be in.
I've enjoyed using Yelp, and I wanted to participate by submitting my first review, so I created a new account there. As part of the account creation process, I was presented with this.
The idea is that I tell Yelp what email service I use, then provide my login and password information so Yelp can determine if any of my email contacts are Yelp members. How convenient!
Here's how I see that page.
I'm willing to give Yelp the benefit of the doubt here, but let's think about what it means to give out your email account and password to anyone, no matter how ostensibly trustworthy they may be:
- Number one with a bullet: your email account is a de-facto master password for your online identity. Most -- if not all -- of your online accounts are secured through your email. Remember all those "forgot password" and "forgot account" links? Guess where they ultimately resolve to? If someone controls your email account, they have nearly unlimited access to every online identity you own across every website you visit.
- If you're anything like me, your email is a treasure trove of highly sensitive financial and personal information. Consider all the email notifications you get in today's highly interconnected web world. It's like a one-stop-shop for comprehensive and systematic identity theft. How do I know Yelp isn't going to dip into other areas of my email?
- Even if I trust Yelp absolutely, how do I know they're not going to store my email password, perhaps insecurely, in a place some disgruntled programmer or hacker can eventually get to it? Giving out your password puts the recipient in the highly unfortunate position of having to secure your password. Give that email password out enough, and you're now vulnerable in dozens of places spread across the face of the web. The odds start to look pretty dire.
I'm sure Yelp means well. They just want to help me find my friends, doggone it! But the very nature of the request is incredibly offensive; they have effectively asked for the keys to my house in order to riffle through my address book.
I don't think so.
Frankly, it's irresponsible to even ask this question. Naive internet users may not understand why it is such a profoundly bad idea to give out their email credentials to random websites. Worse, they might eventually get the idea that giving out their email credentials is typical or normal.
It's not. This is outlined quite literally in most privacy policies:
The security of your account also depends on keeping your account password confidential, and you should not share your account name or password with anyone. If you do share your account information with a third party, they will have access to your account and your personal information. -- Google Checkout
If a password is used to help protect your accounts and personal information, it is your responsibility to keep your password confidential. Do not share this information with anyone. If you are sharing a computer with anyone you should always choose to log out before leaving a site or service to protect access to your information from subsequent users. -- Microsoft Passport
Your Yahoo! ID and password are confidential information. A Yahoo! employee will never ask you for your password in an unsolicited phone call or email. Do not respond to any message that asks for your password. -- Yahoo
How did we end up in a world where it's even remotely acceptable to ask for someone's email credentials? What happened to all those years we spent establishing privacy policies to protect our users? What happened to the fundamental tenet of security common sense that says giving out your password, under any circumstances, is a bad idea?
I can understand the cutthroat desire to build monetizable "friend" networks by any means necessary. Even if it means encouraging your users to cough up their login credentials to competing websites. But how can I take your privacy policies seriously if you aren't willing to treat your competitors' login credentials with the very same respect that you treat your own? That's just lip service.
Email is the de-facto master password for a huge swath of your online identity. Tread carefully:
- As a software developer, you should never ask a user for their email credentials. It's unethical. It's irresponsible. It is wrong. If someone is asking you to code this, why? For what purpose?
- As a user, you should never provide your email credentials to anyone except your email service. Sites that ask you for this information are to be regarded with extreme suspicion if not outright distrust.
Beyond those ethical guidelines, I do wonder why the technological solution to this problem has barely been addressed. If all Yelp wants is my address book, why can't I grant them temporary access to my public email address book without giving out the keys to my email kingdom?
If even a fraction of the coding effort that regularly goes into convincing people to cough up their email or website login credentials went into finding other, more reasonable solutions to this problem -- perhaps we could have arrived at a saner solution by now. And we can start by taking obnoxious, utterly inappropriate credential requests completely off the table.
UPDATE: Several commenters brought to light some efforts underway to address this pernicious problem:
A more general solution may be OAuth, billed as an open standard for API access delegation. In other words, a valet key for websites:
Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything.
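The valet-key idea, sketched as an added example (not code from the original post or from the OAuth project). It is a toy model of delegated access, not the OAuth wire protocol; the `MailProvider` class, the scope names `contacts.read` and `mail.read`, and the sample account are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time


class AccessDenied(Exception):
    pass


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


class MailProvider:
    """Hypothetical mail provider that hands out valet keys instead of passwords."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # signing key never leaves the provider
        self._salt = secrets.token_bytes(16)
        self._revoked = set()
        # Constructed sample account; only a salted hash of the password is stored.
        self._pw_hash = {"alice@example.test": self._hash("correct horse battery")}
        self._contacts = {"alice@example.test": ["bob@example.test", "carol@example.test"]}
        self._inbox = {"alice@example.test": ["Password reset link for your bank"]}

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _sign(self, body):
        return _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())

    def grant(self, user, password, client, scope, ttl=300, now=None):
        """Runs on the provider's own page: the third party never sees `password`."""
        if not hmac.compare_digest(self._pw_hash.get(user, b""), self._hash(password)):
            raise AccessDenied("bad credentials")
        now = time.time() if now is None else now
        claims = {"sub": user, "client": client, "scope": sorted(set(scope)),
                  "exp": now + ttl, "jti": secrets.token_hex(8)}
        body = _b64(json.dumps(claims).encode())
        return body + "." + self._sign(body)

    def _claims(self, token):
        # Verify the signature before trusting anything inside the token.
        body, _, sig = token.partition(".")
        if not hmac.compare_digest(sig.encode(), self._sign(body).encode()):
            raise AccessDenied("bad signature")
        return json.loads(base64.urlsafe_b64decode(body))

    def _authorize(self, token, needed_scope, now):
        claims = self._claims(token)
        now = time.time() if now is None else now
        if now >= claims["exp"]:
            raise AccessDenied("token expired")
        if claims["jti"] in self._revoked:
            raise AccessDenied("token revoked")
        if needed_scope not in claims["scope"]:
            raise AccessDenied("scope not granted")
        return claims

    def revoke(self, token):
        """The user withdraws the grant without touching their password."""
        self._revoked.add(self._claims(token)["jti"])

    def read_contacts(self, token, now=None):
        return list(self._contacts[self._authorize(token, "contacts.read", now)["sub"]])

    def read_inbox(self, token, now=None):
        return list(self._inbox[self._authorize(token, "mail.read", now)["sub"]])


def demo():
    provider = MailProvider()
    # Alice approves the request at the provider; the review site receives only `token`.
    token = provider.grant("alice@example.test", "correct horse battery",
                           client="review-site", scope=["contacts.read"],
                           ttl=300, now=1000)
    results = {"contacts": provider.read_contacts(token, now=1001)}

    def attempt(label, call):
        try:
            call()
            results[label] = "allowed"
        except AccessDenied as err:
            results[label] = str(err)

    attempt("inbox", lambda: provider.read_inbox(token, now=1001))
    attempt("after_expiry", lambda: provider.read_contacts(token, now=1301))
    provider.revoke(token)
    attempt("after_revoke", lambda: provider.read_contacts(token, now=1001))
    return results


if __name__ == "__main__":
    for outcome in demo().items():
        print(outcome)
```

Unlike a shared password, the token opens the address book only, stops working on its own, and can be withdrawn without changing the password.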
Chris Messina of the OAuth project was kind enough to provide a number of related links in the comments and a followup post on the OAuth blog as well.
I was encouraged to learn about some of the recent progress we've made on this front. If you were looking for a way to be part of the solution, instead of the problem, read up on these solutions and participate!
Posted by Jeff Atwood
I forgot to ask:
What's all this ranting and raving about the Contact APIs? Didn't Google just release theirs in March 08?
Commonsense trumps technology every time. No matter what sort of technological breakthroughs we make, dumb people (like myself, some would argue because I use Mint) are going to do dumb things.
@Baz, I think you trust people too much. Being a little paranoid makes you ask the sorts of questions that Jeff is trying to get across to you.
- Nobody gets my (g)mail password.
- Yes, I have different strong passwords for every site that I care about. (I use keepass, so it's easy)
- Yes I have different email addresses (although that's almost more pain than it's worth, more an accident of history and keeping old ones open)
- For the rest of the websites I could care less about the password is usually something along the lines of 'thiswebsiteisrubbish' so it's real easy to remember.
- Using the temporaryinbox.com (which is probably a big scam too) works for those things that force you to give an email, because I don't even like giving my email out, let alone my password. Good for a one-off looksie though.
I don't use credit cards, and I don't even like using direct debit, etc. I prefer to pay cash and not be tracked too much. It's not that I'm inherently paranoid, but keeping the s/n ratio in your favor is better.
Online identity is pretty much linked to the email addresses you use. To me, it often feels like I'm having to show my passport and drivers license and fill in a marketing survey just to walk into Starbucks, let alone buy anything. Sorry no dice. But hey, I'm glad there are people like you out there, because nobody's gonna notice me when there's an easy mark.
PS to others: avoiding spam is impossible, unless you have no friends, because there's always one person who pisses in the pool.
I blame Facebook, I believe they were one of the first to scrape your email account for contacts, and after that, every dumbass incompetent programmer with a half-baked social networking site thought it was A-OK, and their users happily complied.
Dare Obasanjo describes the right way to do this, and what Google, Microsoft and others are adopting - delegated authority - the user approves the application's request for some data (such as Contacts) without sharing any credentials with the piece of shit application that requested it.
Seriously, I hate programmers who do this kind of crap, I hope they all lose their jobs.
I agree. I NEVER use these tools for exactly that reason... even if I think you'll be a good citizen about it.
Can we just please start using openauth already? Sheesh.
Great post. I happily provided a bunch of companies with my e-mail and password information before it dawned on me that this was a very dumb move. I quickly changed my e-mail password and learned an important lesson.
And personally, I don't like it when my friends sign up for these things and then these things start sending me email.
Seriously, stuff like this is becoming the norm and not the exception. When signing my mother up for a PayPal account, the process asked me to give it the USERNAME AND PASSWORD to her online banking account.
The Real WTF (tm) is that her online banking account has a username and password at all.
I'm guessing you're in America, where (I gather) this is (inexplicably) standard practice for online banking?
Over here (the UK - but I gather everywhere in the EU is similar), you get a customer ID number, a PIN, and a passphrase. Logging into your account at all requires you not to enter these, but to enter a randomly changing subset of them. (Eg, "enter the third digit of your PIN. enter the seventh character of your password.")
Thus, (1) the user is TRAINED to NEVER, EVER enter their full details anywhere, not even on the bank's site itself, and (2) I suppose this provides some protection against keyloggers. (The keylogger would need to record perhaps dozens of login attempts before having a record of every character, and even then it would need to also screen-scrape and parse the "third", "eleventh" parts of the corresponding form labels in order to piece it together in the right order.)
After all that, if you actually want to do anything particularly meaningful, you need to use a little USB challenge and response / one time pad type of gadget, which they provide individually to every account holder.
Banking based on a username + password is basically unforgivable full-stop, never mind third party services asking for the username + password.
I've used the contacts import from Facebook, but like a couple of other people here I changed my password before and after the process.
The difficulty is that it's so damn convenient to be able to give this one little bit of information and have all the people you know added in one hit.
It's a problem that really should be addressed. If there's a contacts API available that does the job without compromising security (and it appears there is) then that's perfect - but why isn't it being used?
openID and Dataportability ( http://dataportability.org )
give the 'export CSV' a button and a catchy name for gmail and M$oft + Y! to show prominently.
As [ICR] pointed out, the OpenSocial framework, as of version 0.8, includes a RESTful API that can be used to fetch friends directly. It's still not quite the portability that Chris Messina and the chi.mp folks are talking about, but it's a step in the right direction.
Sadly, this "get your password and screen scrape" is the current state of the art. It sucks.
When I encounter this type of thing and I would like it to scan my address book, I temporarily change my email password to something else... Register with the site... and then change it back to what it was originally. So even if someone tried to use the password given to (Yelp in this case) it would not be the current one to access my email.
Simple. (A hassle, but simple enough to work around.)
I agree - these types of scenarios make me feel very uncomfortable.
Perhaps a useful way forwards would be a standard e-mail provider API that could be queried to provide the information needed without giving any other credentials to the brokering website.
Although at first thought this would still require asking for some level of credentials from the user...
Facebook does the same thing. I refused.
Right, and once we remove the *stupid* option from the table (hey, I know, we'll just ask the user for their master password!), we're actually encouraged to find a better solution to the problem.
- alternate lower-permission credentials
- making parts of your email identity completely public
- temporary time limited credentials
- "passes" or "keys" you can give out / grant
I'd be royally pissed if I ran into something like this. Then again, I've decided to ignore any attempts by social networking sites to enroll me to their ranks of page ad revenue cattle.
I agree 100%. It is a terrible practice.
I don't know if you're aware of this, but your "number one with a bullet" has a number one, but not a bullet.
If you'll just let me have your email password I'll show you how to add a bullet to it as well.
Trying to sign up for twitter these days gives you the same stupid thing. Real turn-off.
I'm not sure it would be too practical for MS to give user-friendly URLs for every API in the MSDN library. They do have quite a bit more to index there than Google or Yahoo.
@Derek, the changing your password deal will work to an extent, assuming it's sites that you trust in the first place. The problem is that the whole thing encourages people to trust websites with their email accounts. If you trust the wrong site they can automatically go in and change your password, date of birth, zip code, security question, etc. so that you're locked out of your own account before you have a chance to change it back yourself. Then they have free rein to whatever is saved in your email, whatever services you used that email to sign up for, and to spam all of your friends from your account. And if you're using a free email account like Yahoo the chances of you recovering it are slim.
Even if they don't lock you out, they're still likely to have plenty of time to scrape a lot of data from your saved emails before you can change it again.
Personally I would never give any site access to my address book anyway, password or no password, for the simple fact that I respect the privacy of the people in my address book. If I want to know if my friends are on a particular service, I'll ask them.
Simon, can you provide links to those Google / MSFT / Yahoo address book APIs?
I am frequently getting spam indirectly from people that have my email address and signed up for some stupid website which asks for access to their address book. The website collects all the email addresses and sends emails to all of them with content like:
"Hi, your friend : email@example.com signed up to win a super extreme fantastic 100000" inch HD television. He invites you to click HERE to join the competition"
Of course the people didn't invite me, but just missed a superhidden opt-out option that allows this, when registering for those sites.
Really really frustrating stuff.
Flickr (a Yahoo property) was recently able to access my Gmail address book, presumably through the aforementioned APIs. Flickr sent me to a Google page, where I clicked a button to authorize one-time access, and Google sent me back to Flickr.
Jeff, Google is a helpful tool ;)
Anyways, hear hear! Yelp, Facebook etc etc should be ashamed for being so lazy in using OAuth to protect the privacy of their users.
The OAuth movement is very much needed:
not to mention, mayhaps your friends don't want their contact information given out just because you want to be a member :-/
Seeing that would make me queasy. I was unnerved when Feedburner wanted to integrate with my Google Accounts--Google even owns Feedburner, this I know, but still...
CAPTCHAs are an anti-pattern now too. Did you miss the memo?
They are only acceptable if they contribute to some "greater good" type of project.
BTW LinkedIn does this email thing as well, and I think they automatically parse your Outlook addresses if you use IE (or at least they used to).
Most of the services need the credentials for accessing the address book.
It is time for somebody to develop a central address book that can be accessed separately.
FriendFeed has already figured this out with their remote key feature, which allows 3rd party software access using a completely separate key. It would be nice to see this kind of feature in Gmail, Yahoo! Mail, and MSN/Live/Hotmail/whatever-the-hell-it-is-now-I-lost-track.
I really dislike that the social sites and applications are using brute force shotgun spam recruitment techniques, and effectively spoofing their spam by having you willingly 'certify' it.
It's evil on evil.
Couldn't agree more. I did this once, but only after I changed my password then changed it back 20 seconds later.
I find it interesting that you seem to keep the same hours I do (I'm also from California). Is your wife really OK with you blogging from 3-5AM?
Anyway, this is not a new FAIL by any means. I've seen similar forms on Facebook and LinkedIn, maybe a year ago, and I had the same reaction.
To be fair, though, you're also trusting Yahoo! or Hotmail or AOL or Gmail with your single point of failure. And if you use Thunderbird or Outlook or some other desktop e-mail client, you're also trusting it. And you're trusting Microsoft or Apple or some random *nix vendor. You're trusting a lot of people with your secrets already, and it's rather unavoidable.
Here's what I do. I never sign up for something with my personal e-mail address. I have some accounts on the side with completely unguessable names. A nice extra benefit of this is that none of the spam, "solicited" or otherwise, gets to my personal account.
I agree with all you said Jeff. I would add one more thing. Not all my contacts are personal friends. Many of them are business associates, clients, and vendors. There are even a few that I'm not all that fond of.
I would rather not get them involved. Especially if the end result is an email that invites them to join because their good buddy Bill has seen the light and offered their names and email. It's unprofessional.
Isn't it firstly a breach of the license agreement you accepted when you created your email account on those sites to give your password to a third party?
Secondly isn't Yelp breaching the license agreement for the API's they are using by asking other users to break their contracts and give away their passwords?
This has to be the sort of misuse EULAs are supposed to ban.
I think it's becoming a de-facto standard (read un-stoppable 'evil') that any website who wants to drive the hassle away from the users and quickly gain access to potential users.
There should be a central service something like 'Contact Service' which stores your contacts for you and can import them from hotmail, yahoo, gmail etc or alternatively you can mark any contacts in hotmail, yahoo, gmail etc as 'shared' which are then available in this service which is accessible to all third-parties using your credentials.
Jeff, do you usually use the same password, or use a different one on each site? Because if you gave Yelp your email address upon registration, and used the same password on your account, you've effectively given them your email address and password without thinking about it.
I doubt that you would be so insecure as to use the same password for everything, but a majority of people do.
Secondly isn't Yelp breaching the license agreement for the API's
they are using by asking other users to break their contracts and
give away their passwords?
Or they're just screen-scraping. There weren't even APIs for this thing a year ago.
Even if there is a better way of providing address book information I'd hesitate to do so. How do I know they aren't building a spam list?
The online manager game www.hattrick.org was faced with this issue some time ago. The game has many supporting 3rd party applications which depend on access to game details.
To deal with this, the game introduced the "security code" feature. This is basically a second password, designed for this purpose, granting more restricted access. Although this isn't a magical catch all solution, I do think it might represent a possible approach for dealing with it.
If I ever come across a screen like that, I exit out. I don't trust any site with that kind of information!
It infuriates me that I requested a lost password through 1and1.co.uk this week and they sent my old password to me, in plain text. I knew that I'd used it elsewhere, so I immediately went and changed a bulk load of passwords. If I - an amateur PHP developer - can include salting in my scripts, why can't the big guns?
I only give my password and bank account info to Nigerian royalty who ask for it.
"EPIC FAIL"? That's an understatement. It sets off every single security alarm bell I have. Just asked my mom whether she'd put her password in there and even she, being as computer-illiterate as mothers always seem to be, said she'd never even consider it. I guess I trained her well :)
Seriously, stuff like this is becoming the norm and not the exception. When signing my mother up for a PayPal account, the process asked me to give it the USERNAME AND PASSWORD to her online banking account.
I'm going to trust a site with more holes than swiss cheese to log into her bank account to verify she has a bank account? Worse still, I'm going to TRUST that PayPal is going to get rid of that login information when they are done?
Giving your username and password out, BTW, is strictly verboten by her bank, my bank, your bank, and every other bank. I am not a lawyer, but I'm sure there's some kind of protection that I forfeit by giving out this information to PayPal.
I've got brass ones, but mine aren't THAT heavy.
I couldn't agree more with this post. Unfortunately, I think this has become so pervasive it's close to being acceptable. Facebook does it. Meebo does it. And all 3rd party IM tools do it (albeit most of those run from your desktop but still...)
I am with you 100% Jeff. But unfortunately we lost this battle. Sites are already using this practice like crazy. In fact, I would say you have to if you want to compete. Technical people may understand the horror of the situation, but the masses apparently do not.
Brinkster.com asks you for your username and password anytime you work with tech support to make any significant changes to your hosting plan (such as adding a new domain name). It's really, really annoying, but that's how they roll.
Making the address book public, at least temporarily would be a terrific way to go, but there seems to be a battle these days by each company to keep your data. I wouldn't hold your breath on this changing until some kind of class action lawsuit or something of that ilk comes through that forces companies to share YOUR information.
We're thankfully moving away from this sort of thing with various open social network platforms which mean you can use a common social network API to get people hooked up with their friends quickly rather than their email contact book. Think OpenID, but with contacts.
They're still not quite there yet though, and it's worrying the damage may already start to have been done with respect to teaching users it's okay to hand out your password though.
I agree that this is a poor way of retrieving friend lists. A nice way to get around this is to keep a dummy e-mail with only your contacts in it. Then give the password for that account. However, that may be too much effort for a one time import.
I simply have one email account for communicating with friends/family and a different one where all the "sensitive" information gets delivered. Although it makes me queasy to do this, I think I have done it once (on LinkedIn). Past that point, I guess I have refrained from giving away my (insecure) password even though I don't have much to lose.
From the viewpoint of Yelp or LinkedIn or orkut, all they are trying to do is save you some time - which in and of itself is a noble cause. Is there a way for a platform like, say, OpenID to enable this functionality without compromising the security of your email account?
But all those email service icons make it look soooo real!
I think these sites should at least give me the option to supply an address book file that contains all of my contacts. That's all they really want anyway, right? I know this would probably be more than a lot of people would want or possibly be able to do, but for users like ourselves, I think this option would be a nice compromise.
Yelp asks for your Gmail password explicitly (and lets you skip the step), but nearly all online logins just ask for an email address (as a user ID) and a password. How many people do you think use a different password for those logins than that of their email?
I'm sure most readers of this blog use a different password when creating online logins, but my guess is the average user doesn't. Compared to this, the Yelp problem seems like a drop in the bucket.
Uh, no friggin' way.
Even if a site is well-meaning, sensitive databases are stolen somewhat regularly.
We should be teaching small children: "Never share your email address and password with anyone" along with "Never talk to strangers"
I don't know what to make of facebook. Early on I could type in email addresses and find friends that way. Since it was .edu addresses at that point. At the end of each academic year I backed up my address books and stored them on CDs. Later on when I wanted to see if someone was on facebook I would rifle through the ldifs and find their school address. Kept me in contact with a lot of old friends.
Now they've taken the basic email search away and replaced it with "give me access to your email accounts". 1) I feel really uncomfortable about this. 2) I think it's ridiculous they reduced the functionality in the first place.
I feel I should point out some of the work Angus Logan ( http://blogs.msdn.com/angus_logan/ ) has been doing in the way of creating awareness about the Windows Live Contacts API and really pushing for organisations to start adopting it.
This particular issue is one that really really frustrates me about far too many sites - these APIs (WL/Goog/Y!) are seriously easy to use, and increase the user's security immensely.
(To be clear, I'm not affiliated with MS or Angus in any way - I just read his blog)
Thank you for posting this. Another problem with this is that it desensitizes people to giving out their password. Even if Yelp is reputable, it makes the practice seem legit, and people let their guard down making them easier targets for phishing.
I was asked to code this for a website a few months ago, and I refused. At the time, my clients didn't understand why it was such a big deal to collect email passwords from our users (or give out their own email passwords to anyone that asked).
Thank you - your article will provide even more weight to my arguments against this practise.
What I find much more disturbing is the conclusion - good, experienced developers know that it's NEVER ok to ask for your password like this, so in turn, that means that whoever worked on that idea in Yelp is inexperienced and clueless. Exactly the kind of people you would trust LAST with security (which is a really tricky thing).
While asking for email passwords is definitely a failure on the part of websites like Yelp, I wonder if Google, MSN, Yahoo, and other email providers are being clear enough when they warn people:
"and you should not share your account name or password with anyone."
"If you are sharing a computer with anyone you should always choose to log out before leaving a site or service to protect access to your information from subsequent users."
People are already used to typing email addresses into web forms (the point of an email address is to give it to others), and every site you go to asks you to enter a password to create an account. And for people who use the same password for everything, they may not even realize the difference.
There will continue to be untrustworthy websites who ask for this information. We need to discourage the type of behavior from trustworthy sites, but we really need to limit the need to enter private information, such as passwords, on a regular basis. Of course, that creates challenges with authentication. Maybe OpenID can help with this.
@Tim, it is in "Gmail, Yahoo! Mail, and MSN/Live/Hotmail/whatever-the-hell-it-is-now-I-lost-track"
They (the big guys) all have contact API's, you just have to read some of the comments or become informed before coming to your conclusion.
I'm amazed Jeff wasn't aware of all the efforts being made in this area. Great discussion otherwise. I guess I didn't realize how many people aren't aware...OpenID, OAUTH, and Data Portability are pushing almost all large sites to adopt similar methods. Too bad they are choosing slightly different methods.
Even facebook has 'facebook connect'
and myspace has 'data availability'
(do a google search)
Nobody in OpenID (seems to have the most penetration; maybe Vidoop will do it?) is offering granular data access configuration abilities, this is sorely missing. Credentica, recently acquired by M$, has the best solution, IMO.
I had a website up for a while, and to sign up, I had a form that asked for email address, email password, credit card number, ATM passcode, Swiss bank account number, birth date, blood type, social security number, retinal scan, and then on the bottom had a check box that said "I agree with the terms of service for this site even though it might result in involuntary servitude."
Of course, the form was a joke, in fact, you couldn't even enter most of this information or click on the check box. But, I always wonder how many people would have filled in this form just because I asked.
Amen, and thanks, Jeff. Huge red flags should go up anytime you're asked for this type of info. LinkedIn was the first place I remember seeing this. In this privacy-conscious (yeah, right) world, if you insist on giving some unknown bunch of knuckleheads a list of everyone you email, an exported address book should not be too onerous to use.
(Only Google should have our email and passwords. And search history. And chats. And shopping history. And credit card info. And documents. And contact lists. And stock portfolios. And spreadsheets. And calendars. And notes and photos and videos. And cellular and GPS track data. And medical history. I mean, we can trust them, right? /sarcasm)
I'm actually more surprised by the first two form fields. Isn't it redundant (not to mention lazy) to ask for your email provider, and then also ask for your e-mail address?
If I tell you my email address is firstname.lastname@example.org (which it's not), the website should be smart enough to see @gmail.com, and think... oh, he's using Gmail! Same with yahoo, etc. It's not difficult and I'm really thinking that this, along with your original problem of asking for login details is just stupid ignorance.
Which is incredibly dangerous if you're going to be handling email passwords.
No thanks, I'll pass!
Yeah, I would never have the bad manners either to spam my friends with unsolicited offers. I actually like Yelp - it was helpful when I moved recently. In general, however, I *loathe* "social networking". I'm not twelve years old. I go there to read and write a couple reviews - not to hook up.
A web game I played for a very long time had for like four years "You agree to sell your first born son into slavery for no less than USD $100" in their registration form. Tens of thousands of users didn't seem to mind, in fact, it was only brought up on the forums like two years after it was added.
Yelp are unfortunately not the only ones who come up with that nonsense. LinkedIn also allows you to import your stuff from GMail.
I wonder if companies like Yahoo or Google have a legal approach that would allow them to force such sites to drop that nonsense as it violates their TOU or something, but then again, they might believe that it might be better for their business if their customer can just conveniently bring their data into the site. I think that they may fear "Oh no, our customers will think 'why can I import from Google but not from Yahoo? Is GMail better than Yahoo Mail?'" or whatever.
What makes me wonder: This problem is not new, so why did the smart guys at Yahoo or Google (who usually always have 5 different solutions to every problem) not offer some sort of "external" API yet? As in "Here is a second password that only allows access to the address book for sites like this"?
It is truly insane for a web site claiming to be legitimate to ask for such a password. Are they kidding? How did this survive even 30 seconds of thought or discussion in product management or development at Yelp?
"I know, we'll have this cool feature where we find others in Yelp based on their GMail contacts."
"How will we know their contacts?"
"We'll just get their password and log in as them, no problem."
(What happened next)
"Great idea. Let's do it."
(What should have happened)
"That is the dumbest thing anyone has ever suggested. That is so dangerous and stupid we should probably fire you on the spot for even imagining that could fly. We will absolutely never want to get someone's password for another account of theirs. End of discussion."
why point out yelp when you can flip the finger at facebook. they do the exact same thing. come to think about it, probably 80% of "social networking" sites do it.
this is why i'm anti-social
Well really it's only a matter of time before Microsoft and Google own everything, and then they'll all know your password anyways, right? :)
I want to mention an experience like this I had recently which was actually good (shock/ horror/). If you use LinkedIn with Yahoo Mail (I think only with Yahoo), they will take you to Yahoo's site to log in and there is a message explaining that you are giving them limited time access to certain information. It's clear what's happening and how it is limited. You log in to Yahoo only on Yahoo's site. Personally, I found this ok as opposed to the horrifying examples like the one above (Twitter is equally bad).
Jeff, you really need to forward this to your local news channels. They usually do stories at the other end of this: "Well, the web site asked for my password so I gave it to them. Now I can't log into any of my bank, investment, mortgage, car loan, etc. web sites and Visa just called to see if I was buying something in Hong Kong."
I'm going to forward this to my local news and see what they do.
"Tonight, on Larry King Live, Jeff Atwood discusses the dangers of giving out your email password...."
In Yelp's defense - the "Skip this step" is right there. So perhaps they should re-word this like "If you want to enhance your experience but risk losing the password to your bank account"
Facebook does this too, and while it's absolutely absurd to a technology enthusiast such as yourself, you'd be surprised how many _veteran_ (but casual) internet users are willing to give out their email account information to a "trusted" website. I think the website creates an image of the company running it that prevents the users from realizing that all that was created by people just like themselves, albeit more knowledgeable about technology.
That said, about the "email address book sharing" you want, CSV files should be standardized for this use. Facebook, Yelp and other sites like them should allow for the uploading of CSV files with a list of contacts. Additionally, there should be a standard by which you can give your email address and an "address book password", which allows the website to retrieve your email address book without having complete access to your account.
Facebook also asked for my "live messenger" id, and I accepted.
But I changed that password before and after I let the site check my friends :)
It's a very bad practice, but how so convenient to add contacts to a social website...
Forget Yelp, IMHO Facebook is the big brother in this respect. Absolutely shocking.
Perhaps, web2.5 sites should implement something like a payment gateway system, wherein I am redirected to the source site's page, do my authentication there and a one-time authorization of what info I want to share.
If we can do it for payment, it should happen.
That way we can have a track of what info we shared, much less, there's no need to share out passwords
"Well really it's only a matter of time before Microsoft and Google own everything, and then they'll all know your password anyways, right? :)"
Interesting point. I once created a "Yahoo Answers" account, just to see what the fuss was about.
When I created a Flickr account, it too, was a member of the yahoo network, so I used the same login.
Now I wish I didn't. My pictures are linked to the topics I'm interested in. :(
Wouldn't it be cool if, instead of your email credentials, Yelp (or any site like it) could use your Facebook/MySpace/MySocialNetworkingSiteOfChoice credentials to find your friends? I know for a fact I don't keep my financial info stored on my Facebook profile, and I message more friends through social networking sites than I do through email anyway.
Agreed, and Twitter tried the same thing. Only an utterly retarded individual would even consider doing such a thing. What we need is a standard format for address book exporting (using XML or JSON). Then we can upload that to Yelp, or whatever, if we decide we want to. It's a really simple concept.
the better solution is to have a textarea where the user simply adds their contacts (aka "friends") via a comma separated list.
the user then has the option to include a message. yes that means people need to know all their "friends" email addresses but if you put those two options in a user testing scenario I bet the textarea vs the plaxo/yelp type import solution would have a much higher success ratio.
I have a question regarding this quote:
"As a software developer, you should never ask a user for their email credentials."
Software developers typically don't have much of a say as to what they are developing - that's decided by the client.
So my question is... what legitimate steps could a software developer take if they find this practice absolutely repugnant (as I do), yet still have instructions requiring them to implement it from higher up?
From what I can see, the developer basically does what he's told or quits / is fired. Quitting may not be financially expedient in your current circumstances, and getting fired won't be good at all.
I'd just like some ideas on what WE, as software developers, can do to combat this evil, insidious practice.
I use a Yahoo! Email Notification plug-in for Firefox. It needs the email password to check periodically for new messages.
How do you feel about giving your email password to this program? Is it the same situation?
I've been thinking about this one for a while...
what I'd like to see is a web service brokerage protocol like how with OpenID you can allow/disallow services.
I tell yelp my gmail account name.
It sends a REST request to Gmail to be a valid service.
In Gmail I see Yelp's request and click "yes, but address book only"
From Gmail I can deauthorize Yelp at any time.
With tech support asking for passwords I have a simple solution. I give them the first 10 or so characters. If they can see my password on their screen it's all good, but if they need it to log in to my account... we have to escalate to someone who has authority to vary the terms and conditions. Specifically to add the bit "not disclose... except to tech support staff". Usually once they see that they become more reasonable. Possibly because in Australia we don't grant local monopolies anywhere near as often as the US does, so tech support people are aware that I can just cancel the account.
As far as spambook and similar sites wanting my gmail details... I have a gmail account specially for them. Ditto crapspace, youtube etc etc. Some sites just plain will not let you even see content without disclosing that sort of nonsense (spambook and crapspace not least amongst them).
Finally, someone says it - this ought to actually be shouted from roof-tops.
Ok, yeah, so that is awful... but
As a software developer, you should never ask a user for their email credentials.
What if you're creating a mail client? So, what's a mail client? How do you define this?
By virtue of accessing the user's email a piece of software becomes a mail client, and, as such, it becomes reasonable to ask for email credentials.
I agree with the POV in this instance, but, as software developers a more important lesson is to not take any principle as an absolute.
Facebook tried to pull the same thing on me. I'm somewhat surprised that it is still legal for them to do so.
I know I shouldn't, but I can't help but find this extremely comical! "Asking for the e-mail password is like asking for the keys to my home"! I couldn't agree more. And besides, there is always 4. How do I know that their site has not been compromised and, despite their not storing my password, it is being sent unknowingly to somewhere else?
These mail services need to support OAuth to provide authorization tokens.
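The delegated-access idea raised in several comments above (log in only on the mail provider's own site, approve "address book only", deauthorize at any time, which is what OAuth-style authorization tokens provide), as an added example that is not part of any comment or any provider's real API. The `MailProvider` class, its methods, the `find_friends` helper and the sample accounts are all constructed for illustration.

```python
import secrets
import time


class MailProvider:
    """Toy mail provider issuing scoped, expiring, revocable tokens (hypothetical API)."""

    def __init__(self):
        # Constructed sample data: one account with an address book and a mailbox.
        self._data = {"alice@example.org": {
            "contacts": ["bob@example.org", "carol@example.org"],
            "mail": ["Your bank statement is ready"]}}
        self._grants = {}  # token -> (account, client, scope, expires_at)

    def approve(self, account, client, scope, ttl=3600, now=None):
        """Runs after the user authenticates on the provider's own site and clicks yes."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # random; reveals nothing about the password
        self._grants[token] = (account, client, scope, now + ttl)
        return token

    def revoke(self, account, client):
        """User deauthorizes a client: every token issued to it stops working."""
        dead = [t for t, g in self._grants.items() if g[:2] == (account, client)]
        for t in dead:
            del self._grants[t]
        return len(dead)

    def read(self, token, resource, now=None):
        """Serve a resource only if the token is live and its scope covers it."""
        now = time.time() if now is None else now
        grant = self._grants.get(token)
        if grant is None:
            raise PermissionError("unknown or revoked token")
        account, _client, scope, expires_at = grant
        if now >= expires_at:
            del self._grants[token]
            raise PermissionError("token expired")
        if resource != scope:
            raise PermissionError(f"token does not cover {resource!r}")
        return list(self._data[account][resource])


def find_friends(provider, token, members, now=None):
    """The review site's side: it holds only the token, never the mail password."""
    return sorted(set(provider.read(token, "contacts", now=now)) & set(members))
```

A token scoped to `contacts` cannot read `mail`, and a leaked or stored token can be killed with `revoke` without the user changing their email password.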
I'm actually working on a client site now, and they need CSV document import for contacts, and I want to upsell import features - however it will use the new APIs, and only be in AFTER the user has signed up and goes into their contacts page.
What some people seemed to have not noticed is that both Hotmail, Gmail and most other desktop clients allow you to export your contact list to a file. Now I don't know about most social sites, but Facebook allows you to upload a file from many different applications in order to search for contacts. The problem? It's not their primary option. Also, for most webmail applications the options to import/export contacts are not obvious, you have to want to find them in order to find them.
At the root of the problem is that the least secure option is provided as the default option. While it would be easy enough for a developer to change this, this would provide a greater learning for the end user and most people don't want to use things that are hard to use.
Not suggesting this is a solution to the overall problem, but I'm hearing a lot of "OMG, they're going to store my password on an unsecured database somewhere and it will be hacked by the Russian mob and my identity will be stolen" sorts of fears. Technically, a way around this that I'm sure is commonly used is to store an encrypted version of the password in a cookie, and store only the key in a database. I think the odds of someone gaining access to both the database and your computer's hard drive are fairly low. Perhaps I am not paranoid enough, but personally, if a legitimate site explained to me that they were not actually storing my email and password anywhere on their servers, I would consider providing the information.
In addition to you, Fred, Google Bookmarks anyone?!