A number of people whose opinions I greatly respect have turned me on to Yelp over the last six months or so. Yelp is a community review site, and a great way to discover cool new places in whatever neighborhood you happen to be in.
I've enjoyed using Yelp, and I wanted to participate by submitting my first review, so I created a new account there. As part of the account creation process, I was presented with this.
The idea is that I tell Yelp what email service I use, then provide my login and password information so Yelp can determine if any of my email contacts are Yelp members. How convenient!
Here's how I see that page.
I'm willing to give Yelp the benefit of the doubt here, but let's think about what it means to give out your email account and password to anyone, no matter how ostensibly trustworthy they may be:
I don't think so.
Frankly, it's irresponsible to even ask this question. Naive internet users may not understand why it is such a profoundly bad idea to give out their email credentials to random websites. Worse, they might eventually get the idea that giving out their email credentials is typical or normal.
It's not. This is outlined quite literally in most privacy policies:
The security of your account also depends on keeping your account password confidential, and you should not share your account name or password with anyone. If you do share your account information with a third party, they will have access to your account and your personal information. -- Google Checkout

If a password is used to help protect your accounts and personal information, it is your responsibility to keep your password confidential. Do not share this information with anyone. If you are sharing a computer with anyone you should always choose to log out before leaving a site or service to protect access to your information from subsequent users. -- Microsoft Passport
Your Yahoo! ID and password are confidential information. A Yahoo! employee will never ask you for your password in an unsolicited phone call or email. Do not respond to any message that asks for your password. -- Yahoo
How did we end up in a world where it's even remotely acceptable to ask for someone's email credentials? What happened to all those years we spent establishing privacy policies to protect our users? What happened to the fundamental tenet of security common sense that says giving out your password, under any circumstances, is a bad idea?
I can understand the cutthroat desire to build monetizable "friend" networks by any means necessary. Even if it means encouraging your users to cough up their login credentials to competing websites. But how can I take your privacy policies seriously if you aren't willing to treat your competitors' login credentials with the very same respect that you treat your own? That's just lip service.
Email is the de-facto master password for a huge swath of your online identity. Tread carefully:
Beyond those ethical guidelines, I do wonder why the technical side of this problem has barely been addressed. If all Yelp wants is my address book, why can't I grant them temporary, limited access to just my address book without handing over the keys to my entire email kingdom?
If even a fraction of the coding effort that regularly goes into convincing people to cough up their email or website login credentials went into finding other, more reasonable solutions to this problem -- perhaps we could have arrived at a saner solution by now. And we can start by taking obnoxious, utterly inappropriate credential requests completely off the table.
UPDATE: Several commenters brought to light some efforts underway to address this pernicious problem:
A more general solution may be OAuth, billed as an open standard for API access delegation. In other words, a valet key for websites:
Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything.
Chris Messina of the OAuth project was kind enough to provide a number of related links in the comments and a followup post on the OAuth blog as well.
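To make the valet-key idea concrete, here is an added example (not Yelp's code, and not the OAuth project's reference implementation) of OAuth 1.0 request signing with HMAC-SHA1, with the checks a provider performs before handing over an address book. The endpoint URL, the consumer key, the scope name "contacts:read" and the contact list are all constructed for the example. The consumer never sees the user's password: it holds a revocable token bound to one scope, and every request carries a signature, a timestamp and a nonce, so a captured request cannot be replayed and a tampered one does not verify.

```python
"""OAuth 1.0 (HMAC-SHA1) delegation: consumer signs, provider verifies.
Added example; endpoint, keys, scope name and contacts are assumptions."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit

CONTACTS_URL = "https://mail.example.com/api/contacts"      # hypothetical endpoint
CONTACTS = {"alice": ["bob@example.com", "carol@example.net"]}  # constructed data


def pct(s):
    """RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ are left bare."""
    return quote(str(s), safe="-._~")


def base_string(method, url, params):
    """METHOD & enc(scheme://host/path) & enc(sorted k=v pairs).
    `params` holds query and oauth_* parameters, minus oauth_signature."""
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in pairs))])


def sign(method, url, params, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_request(consumer_key, consumer_secret, token, token_secret, method, url, query):
    """Consumer side: the site wanting the address book signs with the
    delegated token secret. It never holds the user's mail password."""
    params = {
        **query,
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params


class Provider:
    """Email provider side. Tokens are the valet keys: revocable, scoped."""

    def __init__(self):
        self.consumers = {"yelp-key": "yelp-secret"}   # registered consumer (assumed)
        self.tokens = {}                               # token -> secret, user, scope
        self.seen = set()                              # (consumer, timestamp, nonce)

    def issue_token(self, user, scope):
        """Stands in for the request-token / authorize / access-token steps."""
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = {"secret": secret, "user": user, "scope": set(scope)}
        return token, secret

    def revoke(self, token):
        self.tokens.pop(token, None)

    def verify(self, method, url, params, now=None):
        """Return the token record if the request is authentic and fresh, else None."""
        p = dict(params)
        sig = p.pop("oauth_signature", None)
        consumer_secret = self.consumers.get(p.get("oauth_consumer_key"))
        tok = self.tokens.get(p.get("oauth_token"))
        if sig is None or consumer_secret is None or tok is None:
            return None
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return None
        try:
            ts = int(p.get("oauth_timestamp", ""))
        except ValueError:
            return None
        if abs((time.time() if now is None else now) - ts) > 300:   # stale
            return None
        replay_key = (p["oauth_consumer_key"], ts, p.get("oauth_nonce"))
        if replay_key in self.seen:                                  # replayed
            return None
        expected = sign(method, url, p, consumer_secret, tok["secret"])
        if not hmac.compare_digest(expected, sig):                   # forged or tampered
            return None
        self.seen.add(replay_key)
        return tok

    def get_contacts(self, method, url, params):
        """Protected endpoint: returns (status, contacts)."""
        tok = self.verify(method, url, params)
        if tok is None or "contacts:read" not in tok["scope"]:
            return 401, []
        return 200, list(CONTACTS[tok["user"]])


if __name__ == "__main__":
    provider = Provider()
    token, secret = provider.issue_token("alice", {"contacts:read"})
    req = build_request("yelp-key", "yelp-secret", token, secret, "GET", CONTACTS_URL, {"format": "json"})
    print(provider.get_contacts("GET", CONTACTS_URL, req))   # 200 and the contacts
    print(provider.get_contacts("GET", CONTACTS_URL, req))   # 401: same nonce, replay rejected
```

The token issuance is collapsed into one call here; in the real protocol the user is sent to the provider's site to approve the request token, and only then does the consumer trade it for the access token and secret shown above. In deployments the oauth_* parameters usually travel in an Authorization header rather than the query string, which changes nothing about the base string computation.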
I was encouraged to learn about some of the recent progress we've made on this front. If you were looking for a way to be part of the solution, instead of the problem, read up on these solutions and participate!
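One of the "other, more reasonable solutions" that needs no delegation at all is the one a commenter below suggests: hash the addresses the way FOAF's mbox_sha1sum does (SHA-1 of the mailto: URI), so the site learns only which of your contacts are already members. The following is an added example, not code from the post or from any site it names; the member list and address book are constructed, and the lowercasing before hashing is a normalization choice of this example rather than part of FOAF. It also shows the caveat a practitioner would want: an unsalted hash of a low-entropy value like an e-mail address is recoverable by hashing a candidate list, so this protects against casual harvesting, not against a site that wants the addresses badly.

```python
"""Contact overlap via FOAF-style address hashes, plus the enumeration caveat.
Added example; sample members and address book are constructed."""
import hashlib


def mbox_sha1sum(address):
    """SHA-1 of the 'mailto:' URI, hex-encoded. Lowercasing is this example's
    normalization so 'Bob@Example.com' and 'bob@example.com' match."""
    return hashlib.sha1(("mailto:" + address.strip().lower()).encode()).hexdigest()


def find_overlap(hashed_contacts, member_index):
    """Site side: match uploaded hashes against the site's own members.
    Contacts who are not members stay unknown to the site, so it cannot
    mail them on the user's behalf."""
    return sorted(member_index[h] for h in set(hashed_contacts) if h in member_index)


def enumerate_hash(target_hash, candidates):
    """The caveat: given a candidate list (names x common domains), an unsalted
    hash is reversed by trial hashing. Returns the recovered address or None."""
    for addr in candidates:
        if mbox_sha1sum(addr) == target_hash:
            return addr
    return None


# Constructed data: the site's member index and one user's address book.
MEMBERS = {mbox_sha1sum(a): a for a in ["bob@example.com", "dave@example.org"]}
USER_BOOK = ["Bob@Example.com", "carol@example.net", "dave@example.org"]

if __name__ == "__main__":
    uploaded = [mbox_sha1sum(a) for a in USER_BOOK]      # what the client sends
    print(find_overlap(uploaded, MEMBERS))               # members found in the book
    leaked = mbox_sha1sum("carol@example.net")
    print(enumerate_hash(leaked, ["alice@example.net", "carol@example.net"]))
```

The hashing can run in the user's browser or mail client so the plaintext addresses never leave the machine; the site stores only its members' hashes and compares. A site that keeps the uploaded hashes can still run the enumeration above later, which is why "we don't store it" is the promise that actually matters.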
Hey Jeff,
You can read more about this anti-pattern here: http://adactio.com/journal/1357
The article references oAuth (http://oauth.net/) as one technical solution to the problem--essentially getting temporary permission from users to view their address book via APIs. Users would only enter their password on the providers site.
Here's more information about how the Google and Yahoo APIs work:
http://developer.yahoo.com/auth/user.html
http://code.google.com/apis/accounts/docs/AuthForWebApps.html
Cheers,
Tom
Good catch Jeff. Great analogy too (keys to house for address book).
I did an informal survey not long ago asking people if they used the same password everywhere. A significant minority did.
David Alison on June 5, 2008 9:34 AM

Someone made the comment about IM clients asking for email/password. For some reason I don't have a problem with putting my details into Adium, or Pidgin, or even a web service like Meebo. Yet when Facebook asked me for the same details when signing up for an account I stopped short. Why?
I think the problem isn't so much that a site might want you to enter your user/pass per se, but whether it is an appropriate context for it to ask you. A complementary issue is that individual services, such as maintaining a set of contacts for you or an IM account, aren't sufficiently decoupled from the email accounts they pertain to. If you had a separate user/pass for the particular service you were accessing, you wouldn't mind so much when prompted for those. I applaud the use of OAuth to combat the password anti-pattern (and decry the essentially spammy practice by Facebook, Yelp etc of doing it in the first place), but there are occasions, even with the advent of these good new conventions, when most people will still give their credentials to third-party sites. Should Meebo implement OAuth rather than ask for my Gmail account details so I can use Google Talk? Where do we draw the line?
Douglas Greenshields on June 5, 2008 9:39 AM

Secret passwords should never be given out to anyone. All you are doing is lowering the guard of unsuspecting Users and making it acceptable to hand these passwords out when asked.
fxp on June 5, 2008 9:41 AM

Isn't this a solved problem? When I switched from Yahoo email to Gmail, I just clicked to export my Yahoo contacts as a CSV file, then uploaded the file to Gmail. Both email providers made this easy for me.
Any reason why I can't do the same for a social site? They could include easy-to-follow instructions...
Nathan Long on June 5, 2008 9:43 AM

@J Liles "Not suggesting this is a solution to the overall problem, but I'm hearing a lot of "OMG, they're going to store my password on an unsecured database somewhere and it will be hacked by the Russian mob and my identity will be stolen" sorts of fears. snip Perhaps I am not paranoid enough, but personally, if a legitimate site explained to me that they were not actually storing my email and password anywhere on their servers, I would consider providing the information."

I'm just wondering what constitutes a "legitimate site".
While I'm concerned about the "Russian mob" and all other "mobs" looking to get my info, I'm far more concerned about "Bob the employee" getting it since it is considerably easier to get at something inside the house if I'm inside the house than if I have to break in the house.
Anytime a website starts asking me for info, I'm concerned. Obviously there has to be some level of trust on the part of the information provider. But sometimes I suspect they ask me for info because it is convenient and useful for THEM not so my personal experience will be better. I'm not paranoid, but I do question the motivation of some sites.
Hefty Smurf on June 5, 2008 9:48 AM

So why do you trust that "treasure trove of highly sensitive financial and personal information" of yours to Google? How much do you really know about how carefully Google guards your personal data, or how many of its employees have access to it? Why is it safer to trust Google with access to this information than Facebook, for example?

greenyoda on June 5, 2008 9:54 AM

Paranoia will destroy-ya.

superjason on June 5, 2008 9:54 AM

Someone mentioned Adium (instant messaging client). Of course it's OK to enter all your accounts into Adium. The developers of Adium don't see your passwords. AOL doesn't see your MSN password. Google doesn't see your Yahoo password. Etcetera. They are stored encrypted on your hard drive and only given out to the originating services.

Chris L on June 5, 2008 9:54 AM

It's crazy how important your email address is when you stop to think about it. I never like those forms either. You hear stories in the news all the time about 'lost laptops' containing 'thousands of users' information' and such. The last thing I need is someone getting into my email and gaining access to all my information.

Tim Jahn on June 5, 2008 9:59 AM

Great post. Not only is it a bad idea to give out your e-mail password to just any site, but it's also a bad idea to use your e-mail password as your login password on a new site when your username on that site will be your e-mail address. The next logical step for anyone who gains access to that database is to guess that your password for their site is also your e-mail password (as I blogged about, similar to your post here - http://bryanhales.com/archive/2008/04/11/an-easy-way-to-have-your-identity-stolen.aspx)

Bryan on June 5, 2008 10:07 AM

Amen. So many projects I've worked on recently list this as a necessary feature. I try to convince them that it's a bad idea but I rarely win the argument. I'm told it's a necessary feature since everyone else does it.
FAIL
Excellent article. Well done.
Imma head outside now and tell people, YOU MIGHT HAVE FRIENDS WITH THE SAME BANK ACCOUNT BALANCE AS YOU! GIVE ME YOUR CARD AND PIN FOR 10 MINUTES AND ILL CHECK TO SEE WHO DOES!
See how long it takes me to get arrested.
dnm on June 5, 2008 10:13 AM

The Yelp-ers are ex-PayPal-ers, and they will remember exactly the difficulty PayPal had in their pre-part-of-eBay years getting users to supply their eBay signon information. PayPal was able to do a great many useful things for people if they could sign on to eBay on their users' behalf - monitor auctions, send invoices automatically, provide statements with details, etc - but there was a security risk involved.
However signing on to someone's eBay account isn't as dramatic as signing on to someone's email account. If I log in as you into eBay, about the worst thing I can do is screw up your eBay reputation (that is not nothing, but it isn't that bad). However if I log in as you into your email account, I can learn all sorts of things about you, personal and business, and probably recover a whole bunch of your passwords to other sites. I agree I would never do this.
Ole Eichhorn on June 5, 2008 10:13 AM

I don't see the problem.

1) Just click "skip this step".

2) According to the screen they don't keep your email credentials. They likely do a one-time lookup and then cross reference to people in your address book. Then they throw away the credentials info. Sure, you have to trust that they are telling the truth. But why would they lie about it?
Typical mountain out of a molehill.
Matt on June 5, 2008 10:17 AM

There is something you can do. I work in an environment where sharing your credentials isn't only a bad idea, but it's a crime. However, there are other government sites that still ask for your credentials to verify this or that thing. In the event this happens and I can't avoid it, I hand over the credentials and promptly change my password.

The same rule can be applied to Yelp and its ilk. If you are REALLY attached to your password, you can change it first, hand it over, then change it back.

Not ideal and you are right, it's bad form to ask for full credentials, but there is a way around the individual security flaw.

However, as you said, this practice is training users to hand over the keys and think it's normal and OK.

Scot McPherson on June 5, 2008 10:18 AM

Please see my followup, titled Customers trust you, even if you don't deserve it:
http://www.ytechie.com/2008/06/customers-trust-you-even-if-you-dont-deserve-it.html
superjason on June 5, 2008 10:33 AM

"Only slightly less well known," and not nearly as sinister, but still a potential breach of security at most and bad netiquette at least, is all those grapevine emails that contain dozens of email addresses from people who have 2 or more degrees of separation. I wouldn't expect anyone's grandmother to know how to edit that stuff out, but where are the email settings that at least hide and at best remove all those headers? Better yet, how about "Use BCC when I forward to this group"?

Foozinator on June 5, 2008 10:59 AM

You're so right; in my opinion you have to be pretty dumb or really new to the internet in order to provide such a valuable resource to some lame-ass site you found 5 minutes ago.

It's the same thing with viruses: they ask you to click and people, like morons, actually do click. Remember the "I love you virus"?! Oh, someone loves me, I will open Pandora's box now.
P.S: Jeff, just got the stickers, amazing quality. Where do you have them made?
Even if there is a better way of providing address book information I'd hesitate to do so. How do I know they aren't building a spam list?
Do what FOAF does and hash the mail addresses. They you can be linked automatically to anyone you know who already is on the network, but emailing other people about the network is up to the customer, as it should be.
Pete Kirkham on June 5, 2008 11:00 AM

I'm starting to see this a lot as well. The worst I saw was a "Centralized one stop banking" or something where, by providing your login credentials to your other bank accounts, you'd be able to manage them all in one place.
That's going a little too far.
Bobby on June 5, 2008 11:01 AM

Even though it's been said already, I'm throwing in a vote for OAuth. The spec is simple and most of it is based on HTTP best practices. Here is a link directly to the 1.0 spec:
OAuth is also being used by OpenSocial which is a good sign of its uptake: http://blog.oauth.net/2007/11/07/oauth-and-opensocial/
I recently developed an OAuth server and it only took me a couple of days (with the help of the ruby oauth gem), but most of that time was spent getting it working with Merb.

Eric Allam on June 5, 2008 11:09 AM

Jeff - If you think Yelp is bad, consider Mint.com, a site that asks you for the usernames and passwords for your online Bank, Brokerage, Mortgage, and other financial accounts.
I signed up with them cautiously - mostly as an experiment - and gave them the credentials of two non-significant accounts.
Then, without my explicit authorization, they sent me a "Weekly Summary" of my account balances into my e-mail inbox. Breach #1. My thought - how can I trust these guys. Here's what ensued - taken from my e-mail to them:
"First you sent me a weekly summary by default. How dare you - what gives you the right?
I felt this was a major breach of security for me because my financial status was sent over plain email. Yikes - I thought to myself - I can't trust these guys with my sensitive data - maybe I should cancel..
Instead, I give you the benefit of the doubt and I turned off the weekly update by logging into my account and editing the settings.
And now, exactly 1 week later, you sent the weekly summary AGAIN. Maybe you've got a bug, in which case your systems aren't properly tested, or perhaps your UI was unclear, in which case you should have invested more time finding usability issues. In any case - shame on you guys for being so careless with my very personal info.
You've confirmed my worst fears about your service (I really hesitated giving you all my usernames and passwords), and you've made me wonder "what's under the hood?"
I will be canceling my account asap.
And [in replying to your original e-mail] I'm guessing whoever does customer service can scroll down and see my financial summary too....
Why is this ok?"
What, me worry??
I thought you were all about web 2.0... no? hahaha! Not going to swallow the "people have no reasonable expectation of privacy today so i'll just throw it away anyways" argument?
=)
John G on June 5, 2008 11:13 AM

Totally agree with you. I am a total security paranoid and I never understood why people would share their info this easily. People who don't live on the internet will start to think it's normal to enter your details on any website.

Dieter on June 5, 2008 11:16 AM

Why not just use a standard address book import/export file?

Marcio on June 5, 2008 11:18 AM

@Jeff somewhere above: "Skip this step" is a fricking text link, not a button. Which one is the average user more likely to click on? Did they get that little trick from GoDaddy.com or something?

Todd Rafferty on June 5, 2008 11:19 AM

This reminds me of how credit currently works. If you want credit you give out your social security number.

gs on June 5, 2008 11:28 AM

Sites like Gmail deserve some of the blame here. They don't give you a way to walk your data out the front door and give it to someone. This forces sites like Yelp and Facebook to ask for the keys to your house.
Gmail/Yahoo/MSN/AIM and Banks are the only parties that can fix this. Or we can simply stop using those services (good luck to you on that!).
Gareth on June 5, 2008 11:31 AM

ACAP (RFC 2244) access to address book information could make all (or part) of your address book available to whomever you wanted. If only email clients supported ACAP... or if there were more server implementations...
Of course, even allowing a small portion of your address book to be shared could present spammers with a gold mine for new addresses if not done very carefully.
Kevin on June 5, 2008 11:44 AM

Jeff, nice post - indeed, this is ridiculous.

Regarding Facebook and LinkedIn, I really don't see where this pattern is in use. Maybe I don't use these sites to the extent that I would see this pattern... what I do notice is that it requires an email address as a *username*, but not necessarily your specific *email* password; obviously it should be different.

Patrick on June 5, 2008 11:45 AM

To those who ask: "I need to give my email password to Thunderbird, isn't that evil too?"
I think one needs to distinguish two types of trust (or insecurity):
The necessary insecurity and the unnecessary.
It is necessary to trust the email client enough to give him your password, because it would be impossible for the email-client to get your emails without your password. (I do not distinguish entering the password once and storing it and entering it everytime, as I can steal it in both cases if I want).
Furthermore, I think that getting your emails manually and passing them to the client manually somehow kinda defeats the point of some email-client.
Thus, /the email-client cannot work properly without that mail password/.
On the other hand, there are sites like Yelp and similar. Giving your password into their greasy fingers is some unnecessary insecurity, as it is perfectly possible to get the contact list without your password.
Furthermore, just feeding the contact list in there manually does not defeat the point of such a site (that is, meet other people), as it is done once and never again.
Thus, /social networking sites do not need your mail password at all/!
And still, those social networking sites demand your password and refuse to work without it. Exactly this behavior is the problem Jeff wants to point out - and I agree with him on that.

Hk on June 5, 2008 11:46 AM

LinkedIn does this also and it sucks. Because now every time I log in I get presented with people who are on LinkedIn but I did not want to extend an InMail connection to. Basically, people who I hate or do not wish to connect with. But NOOO! Every time I log in I need to know that my ex-ding-a-link-boss is on LinkedIn. I wish there was a way to turn it off.

techustle on June 5, 2008 11:56 AM

Of course, we all know Jeff's email password is "orange".

Andy on June 5, 2008 12:08 PM

I've seen those options at Xing or LinkedIn instead of Yelp. I'm not sure about the risk of using it...

ghostmou on June 5, 2008 12:19 PM

Asking the user to go to Live, log in, get their API key and give it to you is unfortunately asking the user to do too much.
You have to realize that the majority of users are Lazy fricken people that have no clue how to figure out getting their API key from Live. Even if you provide step by step instructions... it's too much. You made them Think, so they move on.
Brian on June 5, 2008 12:24 PM

I completely agree; the only software I will give my email credentials to resides on my PC and is possibly open source. I trust no one for this sort of thing.

And I DO find it dangerous that naive people could get used to thinking that asking for this sort of thing is OK...
A new "social networking for babies site", totspot.com, went live today and their home page has exactly the same feature as well.
Given that I don't really need the site, and given that the demonstrated lack of concern for security, I've asked for my account to be removed (although I have NOT provided them with an address).
David on June 5, 2008 12:43 PM

Here is an idea. Just an idea. Do not keep sensitive personal information in your web mail inbox. The argument which goes like "Sure, Yelp means well but how do I know they won't misuse my personal information" can be extended to Gmail, Yahoo, Hotmail or any other web-based service which requires a surrender of personal privacy as a price for "free" service.
I use gmail extensively but never keep anything sensitive in my inbox.
It is beyond me that Gmail, Facebook and others have convinced the masses that we live in oh-so-fuzzy-and-friendly world of online love and interconnectedness, which is primarily used to stuff our throats with useless advertising. I know, advertisers and google board members have to eat too.
BugFree on June 5, 2008 12:56 PM

I agree this is a big problem. But I also think there is the obvious, if you are lazy and want them to pull your contacts anyway. Just change your password before using the service. Then change it back afterwards.

anonymous on June 5, 2008 1:01 PM

I'm surprised I haven't seen this comment (or I missed it in scanning) -
In addition to the FAIL reaction, my first instinct on any form with important information is to look for the https session...the forms I've seen don't have it. So, not only are you trusting the site, but also the network.
The lack of https on a form with username and password upgraded the FAIL to EPIC FAIL for me.
KungFuGrip on June 5, 2008 1:12 PM

If your email account is at Gmail, Google has your password.

A simple alternative is to have a secondary email account that has just "shareable" contacts. Granted, this is more than a user should have to do (I'm a fan of simply uploading .csv files) but it has the advantage that it will work for pretty much any of the existing sites that do this type of thing.

Sumudu on June 5, 2008 1:23 PM

Now a lot of folk in here are developers, so you guys will disagree; however, I think y'all are making too much out of this issue.
1. On the average day, I log into 25+ sites/programs/gateways, etc. So are we really saying I should use 25+ passwords? I know the premise behind the "don't use one password" rule, but it isn't very practical is it?
2. Again, we're talking about "social" sites here. If you guys don't have a social email separate from a business email, then that's the problem right there.
3. It takes 7 seconds to log into Gmail and change a password. So, to go forward then back, that's a whopping 14 seconds.
I agree it's a big problem, but there is a bit of common sense that goes into these things. With everything involving a third party, there is going to be a level of risk associated. How many people live in apartments, where maintenance can move in and out? It's accepted risk.
There are paranoid folks that don't show their ID when making a credit card purchase; there are folks that don't use credit cards; there are folks living in caves. Does that mean, we all should, no?
The majority of people are gonna get hooked when they try to "log in" to PayPal at http://203.999.999.999/paypal/.
And to close, why trust anybody? The majority of things I sign up for come through my Gmail address. And we know a lot of sites initially sent usernames and passwords. Gmail can "read" your email to do context-sensitive ads, so who's to say what else they do? What does the "delete" button really do?
I say stop being OVERLY (keyword) paranoid here and just exercise a lil' bit of common sense. And BTW, yes I use Mint and give them all the passwords to all my online banking accounts.
Baz L on June 5, 2008 1:36 PM

Couldn't agree more. I did a (somewhat unscientific) study of this practice a while back (http://www.bitcurrent.com/?p=14); even those who claimed to have cleaned up their acts (the big social guys) were doing it.

It was interesting to see that on top of this practice, many of those sites weren't using SSL encryption to retrieve the password (which the original messaging site did), so you were sending a Gmail password in plaintext despite Google's best efforts.
There are technical problems with this too. Look at Notchup (which peaked and tanked really fast) -- their model had people repeatedly getting invites because they weren't willing to de-duplicate sending.
Alistair Croll on June 5, 2008 1:43 PM

I wrote this exact same rant in March!
"We promise we won't store your password"
http://isisblogs.poly.edu/2008/03/30/we-promise-we-wont-store-your-password/
Yes, I find it rather poor that sites request this info. Both the LinkedIn.com and Plurk.com websites do this same thing to automatically pull in your friendslist. I never do it either.
Chris Pietschmann on June 5, 2008 1:48 PM

"Here is an idea. Just an idea. Do not keep sensitive personal information in your web mail inbox."
You must have missed part of the post. The issue isn't that they might go scrape existing personal info out of your mailbox. The issue is that your main email account is essentially your master password file for the entire internet. Even if you keep your inbox totally clean, you are not safe. All someone has to do is go to various useful account holders around the net (eg: Facebook, WorldofWarcraft.com, ebay, etc), follow the "forgot my passoword / account name" link, and said info will be freshly mailed into that inbox for them.
I don't know about Facebook and ebay scammers, but I know the gold farmers that plague World of Warcraft would love to do this to you if you let them. They just recently stole thousands of WoW accounts via a flash exploit they posted on sites WoW players hang out. Doing something like this Yelp thing (or just hacking into Yelp's servers where your password is stored) would be cake for them.
T.E.D. on June 6, 2008 2:06 AM

I think that one piece of the puzzle is being missed here:
Many users of social network sites WANT this. They are more concerned about being able to easily import their contacts than they are about keeping their email secure.
So what do you do? Provide the tool that the users want, or lose them to someone who does?
"Someone mentioned Adium (instant messaging client). Of course it's OK to enter all your accounts into Adium. The developers of Adium don't see your passwords. AOL doesn't see your MSN password. Google doesn't see your Yahoo password. Etcetera. They are stored encrypted on your hard drive and only given out to the originating services."
This is likely the case, and as Adium is open source it's possible to check (not possible, really, for everyone, but that's by-the-by). My point was that you need to trust the Adium developers that they aren't harvesting your information for malevolent ends, just like you'd need to trust Facebook. So if Adium is OK, is a web-based IM client like Meebo (setting aside, for the moment, that they don't use SSL)? Hk's comment above puts it quite well.
Douglas Greenshields on June 6, 2008 4:02 AM

I wholeheartedly agree.

steven512 on June 6, 2008 4:48 AM

Well, it's just a matter of "Do you trust them?". E.g. you can also tell Google Mail to fetch all your mails from another e-mail account via POP3. In that case they'll need your master password, too. On the other hand, if you don't trust Google Mail, you should not even use it, because they will get all your mails (with all your passwords) anyway if you use it actively.

People hand out sensitive data way too easily these days. Often you just need to ask for it and they will tell you without even thinking for 2 seconds that this might not be a good idea at all. E.g. in Europe EC cards are much more important than credit cards. Everyone has one and almost every store takes them (credit cards are usually only accepted by some restaurants and by very few stores). In some stores you still pay with them by signing a bill (just like with a credit card), however most stores have an online system today. The card is scanned and you are prompted for the card's PIN. Some card data and the PIN are calculated into a secret key, an online connection is established to the bank and some challenge/response is performed to verify the validity of the card's data, of the PIN, and last but not least the bank will also say if a transfer of that much money is authorized.
Since you can also use EC cards to get cash (not just for shopping), if you have the card and know the pin, you can easily clear the bank account. Copying an EC card takes a couple of seconds and there are devices that will do so for little money. The only thing that protects your bank account from abuse is the pin. All security depends on that pin.
Here's a real life story: I was at a supermarket, buying some groceries. The guy in front of me paid by EC card. He gave the card to the cashier and then placed more stuff into his shopping cart, not looking at what the cashier was doing with his card. She could have copied it; the guy would never have noticed. Now the cashier says "Sir, would you please enter your PIN at the terminal?" and he, still busy rearranging bags in his shopping cart, replies "Just enter XXXX, that's my PIN". I heard it, everyone behind me did, and the cashier entered the PIN on behalf of the customer. If she had copied the card, she would now have the PIN and could go on a nice shopping trip.

Most people have no sense for sensitive data nowadays. And that is the reason why governments are spying on their citizens that much (every year citizens get less privacy and government organizations get more authorizations), as the citizens don't care. I wait for the day someone puts his credit card number on Facebook saying "Here's my VISA number ..., but please, don't abuse it".

Mecki on June 6, 2008 4:53 AM

Hi Jeff,
I have read quite a lot on .Net, Programming, Performance. etc. typically very important and very much related to a Jr. developers like me.
But recently your posts seems to getting little away from them. (May be my perception.. and may be wrong..)
But it will be great to see some post from you on those topics back.
Communist, damn communist!
Mac on June 6, 2008 5:41 AM
One possible solution could be to allow users to upload their address book meta files in CSV or Outlook/VCF formats. For example, Gmail allows you to export your contacts in many formats. Sites that want to search your contacts can use this as a reference.
Ajo Paul on June 6, 2008 5:51 AM
I came across one of these the other day. Someone sent a link to me via Live Messenger and that was the first page I was greeted with. The URL reported to hold photos belonging to that person. My friend wasn't online at the time, so I couldn't ask why they trust it. I just stopped and thought exactly like you Jeff, why the hell do you expect me to trust you with my email password. It's like giving them a rubber glove and bending over!
Matt on June 6, 2008 7:55 AM
I'm going to break my golden rule and not read through the other 172 comments. Why? Because, *even if other people have pointed this out,* it bears repeating.
Get a second email address for these things. It really isn't that difficult to notice that "things that might cost me money through fraud" and "things that are way cool because they're so, like, you know, Web 2.0" fall into separate categories.
Why on earth should they not fall into separate email boxen?
real_aardvark on June 6, 2008 8:15 AM
I once worked for a site that required registration.
As an experiment I compared our user passwords and email addresses and logged into several online email accounts belonging to our users (I didn't open individual mails). Not quite the same but just goes to show how uneducated and stupid users can be. Never use the same password for your email and any other site that has your email address (i.e. all). You just don't know who has access.
StumbleUpon does something similar. I wrote a post about that: http://www.conwex.info/blog/index.php/2008/01/08/stumbleupon-privacy-risks/.
Moreover, if you choose Outlook, i.e. tick the radio button next to the Outlook logo, it will immediately start downloading an add-on called StumbledUpon Contact Import. I hope that you have a proper security level set in your browser; otherwise you will provide them with a list of all your Outlook contacts by just one (even accidental) click.
Many other social networking sites do something similar.
Dragan on June 6, 2008 8:53 AM
@Hrishi: I think you misunderstood the purpose of this blog. (Four times, even! Heheheh.)
Adam on June 6, 2008 10:18 AM
I have no problem with sites that use Passport authentication, redirecting you to Windows Live to log in with a single sign-on that works across multiple applications; that's still safe to use because you're actually on Microsoft's site when you log in. Maybe Google should come up with something like that. (Unless they already have, in which case I need to read up more on Google's services.)
Joe Enos on June 6, 2008 10:21 AM
I once had someone refer me to a website (likely an automagic email sent by pressing a button).
It was a networking site very similar to LinkedIn...
and it actually asked for my LinkedIn password.
They seemed like a direct competitor, yet they had the balls to ask for access to my LinkedIn account?
Very bizarre, big fail, and obviously I closed my browser window on that one.
duh
Just because I want to vent along with everyone else, the other problem with a site like this is that now you've given out all your friends' emails. Sure, they say they won't spam you, but you need to define spam.
Reunion.com has recently been sending me a slew of emails because someone must have done something like this. Sure, Reunion.com doesn't consider it spam. But I sure do!
(Especially after having gotten 4-5 messages like "Hey, your friend Mike has tried to get hold of you. Sign up now to see what they want.")
(uh, text not exactly quoted.)
Whew. thanks. I vented, pointed fingers, and everything else. I feel better.
I'm surprised this was news to you. ZILLIONS of sites do this. I like the way they are so cavalier about it, they don't even promise not to store your PW. They make it seem normal - like everyone does it. And they do.
George Lucas on June 6, 2008 11:02 AM
Interesting that Yelp doesn't get the part of Web 2.0 where you have to sack up, face, and then respond to this type of criticism?
Silently watching this thread and not saying anything... which should be sufficient confirmation that this is truly an implementation that someone in their position should know better about. Sad.
Pipe up, bitches, get contrite. Your credibility wanes.
Grant on June 6, 2008 11:10 AM
Who said that e-mail should be used for anything important?
Besides, multiple accounts are not too hard to manage: ones for cheap insecure entertainment stuff, others for something you wouldn't discuss on a public troll- and phish-infested forum.
@Jem, I agree that it's infuriating to have the result of an "I forgot my password" function sending your password in plain text. Don't people know that email is so damn easy to intercept? If a site's security policy allows the sending of plain text passwords in email, then how secure is the rest of their system?
I was thrilled to see that RescueTime not only didn't email passwords as plain text but mocked those who do:
http://twitter.com/dharrels/statuses/792009363
@George Lucas: Considering Jeff's previous post on this topic, I don't think it's that new to him...
Adam on June 6, 2008 1:22 PM
"If I tell you my email address is scott@gmail.com (which it's not), the website should be smart enough to see @gmail.com, and think... oh, he's using Gmail!"
The trouble with that one is Google Apps For Your Domain.
"Any reason why I can't do [contact export/input] for a social site? They could include easy-to-follow instructions..."
I would suspect switching to another application alone is too annoying for most users. You want the barrier to entry to be as low as possible (someone should tell that to the people who insist on harvesting massive amounts of data on registration forms to post a comment).
To the people who don't see this as a problem: sure you can change your password before and after, but people don't think too much. And the more services that do this, the more people think it's normal, don't bat an eyelid and blindly enter their password on any and every site that asks. And that will include a portion of people who use a different password for their email (I know people that do both), so you'll get wider coverage and more assurance than trying out people's registered passwords against their email.
[ICR] on June 6, 2008 1:33 PM
Couldn't agree more!
I wanted to use a similar setup for LinkedIn a few months ago. I'm glad they offered me a .csv file option as the last thing I was willing to do was to give out my login information. No one, except my wife, is trustworthy enough to have that much information.
Frazell Thomas on June 6, 2008 1:34 PM
"I'd just like some ideas on what WE, as software developers, can do to combat this evil, insidious practice."
I'd say if it's likely you're going to get into this situation, take a good look at the alternatives first. Things like OAuth and OpenSocial. Learn how they're implemented and how you would integrate them. Then when you're asked to do this you can point out the flaws, the alternatives and assure them you already know how to implement them. Though needlessly learning the technology is time consuming. At least know what they are.
[ICR] on June 6, 2008 1:38 PM
"I think that one piece of the puzzle is being missed here:
Many users of social network sites WANT this. They are more concerned about being able to easily import their contacts than they are about keeping their email secure.
So what do you do? Provide the tool that the users want, or lose them to someone who does?"
I don't really see many people not using a social networking site because they lack this feature. Mainly it's a tool used to increase activity on these sites as a direct result of using the tool.
But even if that was the case, there comes a point when yes, you may want to deny your users a tool of convenience that leads to a culture of insecurity while you lobby for a safer alternative, rather than provide that tool and become part of the problem. But I guess it depends on whether or not milking every possible penny is more important than maintaining any kind of principles.
Gerald on June 7, 2008 2:58 AM
What about the chat (Google Talk) portion in the sidebar of Gmail that allows the integration of AIM contacts?
What do they ask for?
1. AIM screenname
2. AIM password
:-(
@Robert: Google has partnered with AOL for that feature, so rest assured that it is safe. ;)
Fyora on June 7, 2008 8:48 AM
i like the 'valet key' idea. one could have exactly one, to re-use with every entity, so it's not like one would have a ton of new passwords to remember. in fact, depending on how it was set up, one could even use it oneself on a public machine, if all one wished to do was check something not-terribly-sensitive.
for my job, i have a vendor in france who has had this very thing at least since i first started using them about eight years ago. i give that password to support staff. another of my vendors has me administer our account, assigning privileges and passwords to support staff, which has the same net effect -- that is more work for me, but allows me to customize privileges.
thorn on June 7, 2008 9:51 AM
Cafepress does the same thing when you buy an item, asking for the password for your email account so you can invite friends from your contact list. Of course there is a 'Skip' option, but I wonder how many people are actually dumb enough to put in their password.
How come they all have the same screen? It looks to me like they are all using a plugin, or perhaps a screen from their library, provided by somebody else.
Trusting a third party, and another third party chosen by them. Help.
Of course, this would only be a problem in a world with problems with identity theft, credit card fraud, and inappropriate commercial use of personal information for corporate gain. Luckily we don't live in a world like that!
Peter on June 7, 2008 12:16 PM
Very funny, I wrote a few days ago:
http://www.q-software-solutions.de/hiki/?2008-05-01
I stopped using any consumer cards, stopped collecting value stamps and all that kind of stuff. The only "benefits" of this BigBrother community stuff I can see are giving even more food for spam and worse things...
Idiotic
Friedrich
Yeah, I saw that site recently. Nearly signed up, too.
But my email password? Not happenin' Jack!
BillinDetroit on June 8, 2008 2:14 AM
LMAO - I LOVE that screenshot "here's how I see that page"
I could not agree more with the article though; they're not the only people who do it. As far as I remember Twitter do it too, and actually make it impossible to avoid completing this form; the only way I was able to get past it was to enter a fake email address and password.
At least Yelp offer a 'skip this step' link.
John on June 8, 2008 11:40 AM
Why would one like to share their password with any site (either trustworthy or some email hacking tool), just to check whether their contacts are there on this site or not???
It's totally ridiculous!!!
Getting social on these kind of sites is nice but not at the cost of sharing (or giving) my email password. NO WAY MAN!!!!
Anyways, nice post.
Ruvi on June 9, 2008 4:31 AM
Thank you Mecki, that's what I was getting at.
I'm not arguing that these sites are right, but when did client responsibility go out the door?
Why bad-mouth LinkedIn and Facebook, but give GMail our POP passwords to other accounts to scrape everything?
My question is simply this: Why is Google Good and LinkedIn/Facebook evil?
Baz L on June 9, 2008 6:51 AM
I agree. That is really intrusive. I've been using Yelp for the last year+ (though writing markedly fewer reviews over the past 6 months) so must have missed that crazy sign-up page. My head would probably have been set on fire if I had encountered that screen, so Jeff, I applaud you for not smashing every item in your office like the Incredible Hulk. Good restraint.
Stephen Rylander on June 9, 2008 9:41 AM
Twitter asks for the same information, ostensibly for the same "ease of use" reason, since it's a whole lot easier than typing in your address book. I, however, am reluctant to give my e-mail address to my wife, let alone some web-fad-of-the-day. They should really allow an import address book option if you don't want them to root through your address book and have your password.
Louis on June 9, 2008 10:44 AM
Hey there, really love your site, please keep up the great work!
BUT, didn't you write about this exact same thing last year???
http://www.codinghorror.com/blog/archives/000953.html
Tom on June 9, 2008 12:59 PM
hey Jeff -
i'm a bit late to the party (sorry, running the Graphing Social Patterns East conference the last few days), however i posted some related thoughts on this a few weeks back here:
http://500hats.typepad.com/500blogs/2008/05/memo-to-google.html
"Memo to Google, Yahoo, Microsoft, AOL: How to Turn 500M email logins into Facebook Platform a Crapload of Revenue"
the idea is to use 3rd-party access to messaging data stores (i.e., your Gmail / Hotmail / Yahoo Mail accounts) and combine that with data on messaging frequency and keyword relevance to CONSTRAIN the # of relevant people in your network to only the top 3-10.
with this method, websites don't need to mine your entire address book, they just need to popup or share a list of your most relevant contacts, based on the relevant context.
in other words: less is more :)
- dave mcclure
I've run into a couple of websites that ask this. With some of them, you can skip this step but not all. It seems very invasive.
Liz on June 11, 2008 2:39 AM
I never thought about this before. I'm an amateur web dev but I have never thought about it this way.
I guess even if it takes longer, I can still look myself.
http://www.ymessengerblog.com/blog/2008/06/13/new-improved-import-contacts-feature/
random on June 13, 2008 5:06 AM
I made the error of giving out my password when I signed up for Twitter. Later that day my Yahoo email stopped working. Then I get a call from the bank to verify some suspicious charges. You guessed it - someone hacked my email account from the credentials I gave on Twitter and ran up over $2k on one of my credit cards. Thankfully I straightened everything out, but I never got my Yahoo password back. I sent an email to Twitter support about this and later I got a response that stated:
"Hi,
Thanks for your email. We think we've fixed the bug that caused this problem. If you're still having issues, please let us know. Thanks for your patience, and happy Twittering!
Cheers,
Twitter Support"
I'm not saying Twitter was at fault but from that email you can draw your own conclusions. NEVER ever ever give out your email password, no matter how trusted the site may seem.
Seth Young on June 13, 2008 9:36 AM
Excellent article. Thanks for the alerts.
The Contacts API solution is not a reliable one. How does a web user know what is done in the background? Whether the API is used or not?
How does one know / ensure that the password is *not stored* ?
I could build a site, that invokes the API, and still stores the passwords.
As the main article says, better *not* to give them our email passwords.
For individual logins for different sites, OpenID could be a convenient solution.
Ranganathan on June 13, 2008 1:25 PM
http://gregorytomlinson.com/encoded/2008/06/16/here-are-my-passwords/
Gregory on June 16, 2008 12:00 PM
Agreed wholeheartedly. Note that it is possible to change your email account's password, enter the new password, let Yelp scavenge your email account, and then change your password back.
Ruudjah on June 17, 2008 9:13 AM
One workaround: change your password temporarily, give it to a site you TRUST, let it snarf your contact list, then change your password back.
It's better than just handing over your regular password (but not much).
Come on dude, just change the password after :| Unless you think that they have something that will open your inbox and scan all your emails right away......
hello on June 19, 2008 2:08 AM
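The "upload an export file instead of a password" alternative that Ajo Paul, Frazell Thomas and Louis suggest above, worked through as an added example at the end of the thread; this is not code from Yelp, from the original post, or from any commenter. The sample CSV and vCard exports, the member list and the server-side key are constructed for the demo, and the column-sniffing and keyed-hash matching are my own assumptions about how such an importer could be built, not a description of any real site.

```python
"""Match contacts from an exported address book (CSV or vCard) against a
member list without ever asking the user for their mailbox password.

Added example for this thread; not Yelp's or any commenter's code.
The member list, the exported files and the hashing scheme are constructed
for the demo (assumptions).
"""
import csv
import hashlib
import hmac
import io
import re

# Constructed sample of what a user might upload instead of a password
# (Outlook-style CSV export; the e-mail column name varies between products).
SAMPLE_CSV = """Name,E-mail Address,Phone
Alice Example,Alice@Example.com,555-0100
Bob Sample,bob@sample.org,
"""

# Constructed vCard export with and without TYPE parameters on EMAIL.
SAMPLE_VCF = """BEGIN:VCARD
VERSION:3.0
FN:Carol Demo
EMAIL;TYPE=INTERNET:carol@demo.net
END:VCARD
BEGIN:VCARD
VERSION:3.0
FN:Bob Sample
EMAIL:bob@sample.org
EMAIL;TYPE=WORK:bob@work.example
END:VCARD
"""

# Assumption: a server-side secret so the stored lookup value is a keyed hash,
# not the raw address, and an unkeyed rainbow-table lookup is useless.
SITE_KEY = b"constructed-server-side-secret"


def normalize(addr):
    """Lower-case and strip so 'Alice@Example.com ' matches 'alice@example.com'."""
    return addr.strip().lower()


def parse_csv_emails(text):
    """Collect addresses from every column whose header mentions 'mail'."""
    reader = csv.DictReader(io.StringIO(text))
    found = set()
    for row in reader:
        for header, value in row.items():
            # header is None for overflow fields, value is None for short rows
            if header and "mail" in header.lower() and value:
                found.add(normalize(value))
    return found


# EMAIL property, optionally followed by ;TYPE=... parameters, then the value.
_VCF_EMAIL = re.compile(r"^EMAIL(?:;[^:]*)?:(.+)$", re.IGNORECASE | re.MULTILINE)


def parse_vcf_emails(text):
    """Every EMAIL property in a vCard file."""
    return {normalize(m.group(1)) for m in _VCF_EMAIL.finditer(text)}


def parse_export(text):
    """Dispatch on content rather than on the file extension, which the client controls."""
    if "BEGIN:VCARD" in text.upper():
        return parse_vcf_emails(text)
    return parse_csv_emails(text)


def blind(addr):
    """Keyed hash of a normalized address; this is what the site stores and compares."""
    return hmac.new(SITE_KEY, normalize(addr).encode(), hashlib.sha256).hexdigest()


# Constructed member table keyed by blinded address.
MEMBERS = {blind(a): a for a in ["bob@sample.org", "carol@demo.net", "dave@nowhere.test"]}


def find_members(export_text):
    """Return the uploaded addresses that belong to existing members, sorted.

    Only the blinded values are compared; non-matching addresses are dropped
    here rather than retained, so the upload never becomes a contact database.
    """
    uploaded = {blind(a) for a in parse_export(export_text)}
    return sorted(MEMBERS[h] for h in uploaded & set(MEMBERS))


if __name__ == "__main__":
    print(find_members(SAMPLE_CSV))
    print(find_members(SAMPLE_VCF))
```

The point of the design is that the site receives a file the user chose to export, not a credential that also unlocks the inbox, and it keeps only the matches.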
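The "valet key" that thorn and Fyora describe and the OAuth-style delegation [ICR] points to are the same idea: the mail provider hands the third-party site a limited key, not the account password. The following added example, placed at the end of the thread, is a constructed model of that idea and is not OAuth, not Yelp's code and not any commenter's code. The token format, the scope names (`contacts:read`, `mail:read`), the in-memory grant store and the signing key are all assumptions made for the demo.

```python
"""A 'valet key' for contact import: the user's mail provider issues a
scoped, expiring, revocable token to a third-party site, so the site can
list contacts but can never read mail or change the password.

Added example for this thread (ICR's OAuth suggestion, thorn's and Fyora's
valet-key idea); not Yelp's, any provider's, or any commenter's code.
Token format, scopes and stores are constructed for the demo (assumptions).
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"constructed-provider-signing-key"  # assumption: provider-side secret
GRANTS = {}  # token id -> grant record; lets the user revoke one site at a time
MAILBOX = {  # constructed account contents behind the provider's API
    "contacts": ["alice@example.com", "bob@sample.org"],
    "inbox": ["(private message bodies)"],
}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(body):
    return _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())


def issue_valet_key(client, scopes, ttl_seconds, now=None):
    """Provider mints a token after the user consents on the provider's own page.

    The third party receives only this token, never the account password.
    """
    now = time.time() if now is None else now
    token_id = hashlib.sha256(f"{client}:{now}".encode()).hexdigest()[:16]
    payload = {"jti": token_id, "client": client,
               "scopes": sorted(scopes), "exp": now + ttl_seconds}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    GRANTS[token_id] = {"revoked": False}
    return f"{body}.{_sign(body)}"


def revoke(token):
    """User cuts off one site without changing the password or touching other grants."""
    body, _ = token.split(".")
    GRANTS[json.loads(_unb64(body))["jti"]]["revoked"] = True


def authorize(token, needed_scope, now=None):
    """Resource-server check: signature, then revocation and expiry, then scope."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _sign(body)):
        return False  # forged or tampered token
    claims = json.loads(_unb64(body))
    grant = GRANTS.get(claims["jti"])
    if grant is None or grant["revoked"] or now > claims["exp"]:
        return False
    return needed_scope in claims["scopes"]


def fetch(token, resource, now=None):
    """'contacts' needs contacts:read; 'inbox' needs mail:read, which a valet key lacks.

    Returns the data, or None when the token does not authorize the request.
    """
    scope = {"contacts": "contacts:read", "inbox": "mail:read"}[resource]
    if not authorize(token, scope, now):
        return None
    return list(MAILBOX[resource])


if __name__ == "__main__":
    key = issue_valet_key("contact-import-site", ["contacts:read"], ttl_seconds=600)
    print(fetch(key, "contacts"))  # the contact list
    print(fetch(key, "inbox"))     # None: out of scope
    revoke(key)
    print(fetch(key, "contacts"))  # None: revoked
```

Compare this with the password-sharing flow on the sign-up page: a leaked valet key exposes one scope, for a limited time, and can be revoked for that one site, while a leaked mailbox password exposes everything until the user notices.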