A number of people whose opinions I greatly respect have turned me on to Yelp over the last six months or so. Yelp is a community review site, and a great way to discover cool new places in whatever neighborhood you happen to be in.
I've enjoyed using Yelp, and I wanted to participate by submitting my first review, so I created a new account there. As part of the account creation process, I was presented with this.
The idea is that I tell Yelp what email service I use, then provide my login and password information so Yelp can determine if any of my email contacts are Yelp members. How convenient!
Here's how I see that page.
I'm willing to give Yelp the benefit of the doubt here, but let's think about what it means to give out your email account and password to anyone, no matter how ostensibly trustworthy they may be:
I don't think so.
Frankly, it's irresponsible to even ask this question. Naive internet users may not understand why it is such a profoundly bad idea to give out their email credentials to random websites. Worse, they might eventually get the idea that giving out their email credentials is typical or normal.
It's not. This is outlined quite literally in most privacy policies:
The security of your account also depends on keeping your account password confidential, and you should not share your account name or password with anyone. If you do share your account information with a third party, they will have access to your account and your personal information. -- Google Checkout

If a password is used to help protect your accounts and personal information, it is your responsibility to keep your password confidential. Do not share this information with anyone. If you are sharing a computer with anyone you should always choose to log out before leaving a site or service to protect access to your information from subsequent users. -- Microsoft Passport
Your Yahoo! ID and password are confidential information. A Yahoo! employee will never ask you for your password in an unsolicited phone call or email. Do not respond to any message that asks for your password. -- Yahoo
How did we end up in a world where it's even remotely acceptable to ask for someone's email credentials? What happened to all those years we spent establishing privacy policies to protect our users? What happened to the fundamental tenet of security common sense that says giving out your password, under any circumstances, is a bad idea?
I can understand the cutthroat desire to build monetizable "friend" networks by any means necessary. Even if it means encouraging your users to cough up their login credentials to competing websites. But how can I take your privacy policies seriously if you aren't willing to treat your competitors' login credentials with the very same respect that you treat your own? That's just lip service.
Email is the de facto master password for a huge swath of your online identity, because almost every other site sends its password resets to your inbox. Tread carefully:
Beyond those ethical guidelines, I do wonder why the technological solution to this problem has barely been addressed. If all Yelp wants is my address book, why can't I grant them temporary access to my public email address book without giving out the keys to my email kingdom?
If even a fraction of the coding effort that regularly goes into convincing people to cough up their email or website login credentials went into finding other, more reasonable solutions to this problem -- perhaps we could have arrived at a saner solution by now. And we can start by taking obnoxious, utterly inappropriate credential requests completely off the table.
UPDATE: Several commenters brought to light some efforts underway to address this pernicious problem:
A more general solution may be OAuth, billed as an open standard for API access delegation. In other words, a valet key for websites:
Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything.
Chris Messina of the OAuth project was kind enough to provide a number of related links in the comments and a followup post on the OAuth blog as well.
I was encouraged to learn about some of the recent progress we've made on this front. If you were looking for a way to be part of the solution, instead of the problem, read up on these solutions and participate!
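The valet-key idea above, as an added example that is not code from this post, from Yelp, or from the OAuth project: a toy mail provider, written for this page, that can either hand a third party the whole account in exchange for the master password (the anti-pattern) or mint a signed token bound to one client, a list of scopes and an expiry (the valet key). The account data, the client name `reviewsite`, the scope names `contacts.read` and `mail.read`, and the token format are all assumptions made up for the illustration; they are not the real Google, Yahoo or Windows Live contacts APIs and not the OAuth wire format.

```python
"""Valet key vs. master password: a toy mail provider issuing scoped, time-limited
delegation tokens. Hypothetical illustration; not a real contacts API or OAuth."""
import base64, hashlib, hmac, json, secrets, time

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class MailProvider:
    def __init__(self):
        self._key = secrets.token_bytes(32)  # signing secret; never leaves the provider
        self._revoked = set()                # token ids the user has pulled back
        self.accounts = {                    # constructed sample account
            "alice@example.com": {
                "password": "correct horse battery staple",
                "contacts": ["bob@example.com", "carol@example.org"],
                "inbox": ["Your bank statement is ready",
                          "Password reset for shop.example"],
            }
        }

    # The anti-pattern: whoever holds the password gets the whole account.
    def login_with_password(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            raise PermissionError("bad credentials")
        return acct

    # The valet key: minted when the user clicks "Allow" on the provider's own page.
    # Bound to one client (aud), a scope list and an expiry; only the provider can sign.
    def issue_token(self, user, client_id, scopes, ttl_seconds, now=None):
        now = time.time() if now is None else now
        payload = {"sub": user, "aud": client_id, "scope": list(scopes),
                   "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        return body + "." + self._sign(body)

    def _sign(self, body):
        return _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())

    def _verify(self, token, client_id, scope, now):
        body, _, sig = token.partition(".")
        if not hmac.compare_digest(sig, self._sign(body)):
            raise PermissionError("bad signature")
        payload = json.loads(_unb64(body))
        if payload["jti"] in self._revoked:
            raise PermissionError("revoked")
        if now > payload["exp"]:
            raise PermissionError("expired")
        if payload["aud"] != client_id:
            raise PermissionError("token was issued to a different client")
        if scope not in payload["scope"]:
            raise PermissionError("scope %r not granted" % scope)
        return payload

    def read(self, token, client_id, resource, now=None):
        # Each resource needs its own scope; a contacts key opens nothing else.
        scope = {"contacts": "contacts.read", "inbox": "mail.read"}[resource]
        p = self._verify(token, client_id, scope, time.time() if now is None else now)
        return list(self.accounts[p["sub"]][resource])

    def revoke(self, token):
        # The user pulls the key back; the password itself never changes.
        self._revoked.add(json.loads(_unb64(token.partition(".")[0]))["jti"])

def demo(now=1212642000.0):
    provider, alice, out = MailProvider(), "alice@example.com", {}
    def attempt(call):
        try:
            call()
            return "allowed"
        except PermissionError as e:
            return "denied: " + str(e)

    # 1. Password handed over: the site reads everything, mail included.
    acct = provider.login_with_password(alice, "correct horse battery staple")
    out["password_login_inbox"] = acct["inbox"]

    # 2. Token for contacts only, ten minutes, for this client: contacts work.
    token = provider.issue_token(alice, "reviewsite", ["contacts.read"], 600, now=now)
    out["token_contacts"] = provider.read(token, "reviewsite", "contacts", now=now)

    # 3. What the token must not allow; "forged" widens the scope but keeps the old signature.
    body, _, sig = token.partition(".")
    widened = json.loads(_unb64(body))
    widened["scope"].append("mail.read")
    forged = _b64(json.dumps(widened, sort_keys=True).encode()) + "." + sig
    out["read_mail"] = attempt(lambda: provider.read(token, "reviewsite", "inbox", now=now))
    out["other_client"] = attempt(lambda: provider.read(token, "spamsite", "contacts", now=now))
    out["after_expiry"] = attempt(lambda: provider.read(token, "reviewsite", "contacts", now=now + 601))
    out["forged_scope"] = attempt(lambda: provider.read(forged, "reviewsite", "inbox", now=now))

    # 4. Alice changes her mind: revoke the key, password untouched.
    provider.revoke(token)
    out["after_revoke"] = attempt(lambda: provider.read(token, "reviewsite", "contacts", now=now))
    return out
```

Calling `demo()` walks both paths: the password login hands the review site Alice's inbox along with her contacts, while the token reads contacts only, is refused when another client presents it, dies after its ten-minute TTL, fails signature verification if its scope is edited, and can be revoked without Alice touching her password. That last step is the part no amount of "change your password afterwards" can match: the valet key is withdrawn, and the master key was never out of her hands.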
I agree - these types of scenarios make me feel very uncomfortable.
Perhaps a useful way forward would be a standard e-mail provider API that could be queried to provide the information needed without giving any other credentials to the brokering website.
Although at first thought this would still require asking for some level of credentials from the user...
Peter Bridger on June 5, 2008 5:04 AM
Facebook does the same thing. I refused.
Martin on June 5, 2008 5:09 AM
Right, and once we remove the *stupid* option from the table (hey, I know, we'll just ask the user for their master password!), we're actually encouraged to find a better solution to the problem.
Such as...
- alternate lower-permission credentials
- making parts of your email identity completely public
- temporary time limited credentials
- "passes" or "keys" you can give out / grant
etcetera.
Jeff Atwood on June 5, 2008 5:09 AM
I'd be royally pissed if I ran into something like this. Then again, I've decided to ignore any attempts by social networking sites to enroll me to their ranks of page ad revenue cattle.
Juuso Alasuutari on June 5, 2008 5:10 AM
I don't know if you're aware of this, but your "number one with a bullet" has a number one, but not a bullet.
If you'll just let me have your email password I'll show you how to add a bullet to it as well.
Will on June 5, 2008 5:15 AM
Trying to sign up for twitter these days gives you the same stupid thing. Real turn-off.
VOidPointer on June 5, 2008 5:16 AM
This is known as the password anti-pattern. As of a few days ago, it is completely inexcusable - Google, Microsoft and Yahoo! all provide address book APIs which allow sites to request your permission to scrape your address book without needing to ask for your password. It will take a little while for sites like Yelp to move over to the new system but they need to treat it as a priority. The more shame thrown at sites that continue to follow the anti-pattern despite secure alternatives the better!
Simon Willison on June 5, 2008 5:20 AM
Simon, can you provide links to those Google / MSFT / Yahoo address book APIs?
Jeff Atwood on June 5, 2008 5:21 AM
I am frequently getting spam indirectly from people that have my email address and signed up for some stupid website which asks for access to their address book. The website collects all the email addresses and sends emails to all of them with content like:
"Hi, your friend : friendsemailaddress@example.org signed up to win a super extreme fantastic 100000" inch HD television. He invites you to click HERE to join the competition"
Of course the people didn't invite me, but just missed a super hidden opt-out option that allows this, when registering for those sites.
Really really frustrating stuff.
peterdk on June 5, 2008 5:26 AM
Flickr (a Yahoo property) was recently able to access my Gmail address book, presumably through the aforementioned APIs. Flickr sent me to a Google page, where I clicked a button to authorize one-time access, and Google sent me back to Flickr.
mph on June 5, 2008 5:29 AM
Jeff, Google is a helpful tool ;)
Anyways, hear hear! Yelp, Facebook etc etc should be ashamed for being so lazy in using OAuth to protect the privacy of their users.
The OAuth movement is very much needed:
not to mention, mayhaps your friends don't want their contact information given out just because you want to be a member :-/
JohnM on June 5, 2008 5:32 AM
Seeing that would make me queasy. I was unnerved when Feedburner wanted to integrate with my Google Accounts--Google even owns Feedburner, this I know, but still...
Chris Missal on June 5, 2008 5:33 AM
Factory Joe's blog has links to the Google, Microsoft, and Yahoo address book APIs, as well as a criticism and feature comparison to vcard:
http://feeds.feedburner.com/~r/factoryjoe/~3/305143626/
John Whitlock on June 5, 2008 5:33 AM
Jeff,
CAPTCHAs are an anti-pattern now too. Did you miss the memo?
They are only acceptable if they contribute to some "greater good" type of project.
BTW LinkedIn does this email thing as well, and I think they automatically parse your Outlook addresses if you use IE (or at least they used to).
Joe
Jeff - here are the links for you:
Google Contacts API: http://code.google.com/apis/contacts/
Yahoo! Contact API: http://developer.yahoo.com/addressbook/
Windows Live Contact API: http://msdn.microsoft.com/en-us/library/bb463989.aspx
I'm glad these malpractices are getting more attention, they deserve to get the bad rap on their wrist for these kind of infringements of respecting users' data.
Stefan Fountain on June 5, 2008 5:37 AM
Most of the services need the credentials for accessing the address book.
It is time for somebody to develop a central address book that can be accessed separately.
I really dislike that the social sites and applications are using brute force shotgun spam recruitment techniques, and effectively spoofing their spam by having you willingly 'certify' it.
It's evil on evil.
Couldn't agree more. I did this once, but only after I changed my password then changed it back 20 seconds later.
IainMH on June 5, 2008 5:42 AM
I find it interesting that you seem to keep the same hours I do (I'm also from California). Is your wife really OK with you blogging from 3-5AM?
Anyway, this is not a new FAIL by any means. I've seen similar forms on Facebook and LinkedIn, maybe a year ago, and I had the same reaction.
To be fair, though, you're also trusting Yahoo! or Hotmail or AOL or Gmail with your single point of failure. And if you use Thunderbird or Outlook or some other desktop e-mail client, you're also trusting it. And you're trusting Microsoft or Apple or some random *nix vendor. You're trusting a lot of people with your secrets already, and it's rather unavoidable.
Here's what I do. I never sign up for something with my personal e-mail address. I have some accounts on the side with completely unguessable names. A nice extra benefit of this is that none of the spam, "solicited" or otherwise, gets to my personal account.
Mark Tiefenbruck on June 5, 2008 5:42 AM
I agree with all you said Jeff. I would add one more thing. Not all my contacts are personal friends. Many of them are business associates, clients, and vendors. There are even a few that I'm not all that fond of.
I would rather not get them involved. Especially if the end result is an email that invites them to join because their good buddy Bill has seen the light and offered their names and email. It's unprofessional.
Bill McAlister on June 5, 2008 5:48 AM
Isn't it firstly a breach of the license agreement you accepted when you created your email account on those sites to give your password to a third party?
Secondly isn't Yelp breaching the license agreement for the APIs they are using by asking other users to break their contracts and give away their passwords?
This has to be the sort of misuse EULAs are supposed to ban.
Sindri on June 5, 2008 5:50 AM
I think it's becoming a de facto standard (read unstoppable 'evil') that any website who wants to drive the hassle away from the users and quickly gain access to potential users.
There should be a central service something like 'Contact Service' which stores your contacts for you and can import them from hotmail, yahoo, gmail etc or alternatively you can mark any contacts in hotmail, yahoo, gmail etc as 'shared' which are then available in this service which is accessible to all third-parties using your credentials.
Zubair.NET! on June 5, 2008 5:54 AM
Jeff, do you usually use the same password, or use a different one on each site? Because if you gave Yelp your email address upon registration, and used the same password on your account, you've effectively given them your email address and password without thinking about it.
I doubt that you would be so insecure as to use the same password for everything, but a majority of people do.
leetdood on June 5, 2008 5:56 AM
>Secondly isn't Yelp breaching the license agreement for the API's
>they are using by asking other users to break their contracts and
>give away their passwords?
Or they're just screen-scraping. There weren't even APIs for this thing a year ago.
Scott on June 5, 2008 5:59 AM
Household alarm systems caught onto this years (decades?) ago. If you want your friend or neighbour to come in and collect your mail while you're away on vacation, you program a secondary code. They can use it to get in, but not to reprogram anything. Even the most naive and technology-averse folks (like my parents) know not to give out the master code.
This seems so totally simple to me. Just create a subdomain like public.gmail.com (although it all just redirects deep into google.com now anyway), let the primary account holder create "public" accounts and passwords, and direct all the traffic to a quaint little REST web service that can dump out the address book and maybe a few other things like Calendar or Photos.
Given the mind-boggling complexity of this task, I'm sure it would take Google engineers and developers no less than 12 minutes to bang out.
Aaron G on June 5, 2008 5:59 AM
Even if there is a better way of providing address book information I'd hesitate to do so. How do I know they aren't building a spam list?
Dana on June 5, 2008 6:01 AM
FAIL, is right.
I've seen other sites with a similar goal just give users instructions on how to export their address book from several common e-mail providers/clients (gmail, Y!, outlook, thunderbird, etc.).
Honestly, that seems like the only sane/reachable solution at this point...and it really isn't that difficult.
The online manager game www.hattrick.org was faced with this issue some time ago. The game has many supporting 3rd party applications which depend on access to game details.
To deal with this, the game introduced the "security code" feature. This is basically a second password, designed for this purpose, granting more restricted access. Although this isn't a magical catch all solution, I do think it might represent a possible approach for dealing with it.
Ian Appleby on June 5, 2008 6:13 AM
It's even better when there's no pretense that they're just going to connect you with already yelping friends, but actually go and spam everyone in your list.
http://jivlain.wordpress.com/2007/04/30/hello-mr-website-would-you-like-my-password/
If I ever come across a screen like that, I exit out. I don't trust any site with that kind of information!
It infuriates me that I requested a lost password through 1and1.co.uk this week and they sent my old password to me, in plain text. I knew that I'd used it elsewhere, so I immediately went and changed a bulk load of passwords. If I - an amateur PHP developer - can include salting in my scripts, why can't the big guns?
Jem on June 5, 2008 6:16 AM
I only give my password and bank account info to Nigerian royalty who ask for it.
Charles on June 5, 2008 6:18 AM
"EPIC FAIL"? That's an understatement. It sets off every single security alarm bell I have. Just asked my mom whether she'd put her password in there and even she, being as computer-illiterate as mothers always seem to be, said she'd never even consider it. I guess I trained her well :)
Steven on June 5, 2008 6:19 AM
Seriously, stuff like this is becoming the norm and not the exception. When signing my mother up for a PayPal account, the process asked me to give it the USERNAME AND PASSWORD to her online banking account.
W.T.F.
I'm going to trust a site with more holes than swiss cheese to log into her bank account to verify she has a bank account? Worse still, I'm going to TRUST that PayPal is going to get rid of that login information when they are done?
Giving your username and password out, BTW, is strictly verboten by her bank, my bank, your bank, and every other bank. I am not a lawyer, but I'm sure there's some kind of protection that I forfeit by giving out this information to PayPal.
I've got brass ones, but mine aren't THAT heavy.
~Sticky
StickyWidget on June 5, 2008 6:22 AM
I couldn't agree more with this post. Unfortunately, I think this has become so pervasive it's close to being acceptable. Facebook does it. Meebo does it. And all 3rd party IM tools do it (albeit most of those run from your desktop but still...)
Bart on June 5, 2008 6:22 AM
I am with you 100% Jeff. But unfortunately we lost this battle. Sites are already using this practice like crazy. In fact, I would say you have to if you want to compete. Technical people may understand the horror of the situation, but the masses apparently do not.
Toby on June 5, 2008 6:23 AM
I guess importing a csv file would be too complex. Google, Hotmail and Yahoo all let you export your contacts now.
Aaron Fischer on June 5, 2008 6:27 AM
Brinkster.com asks you for your username and password anytime you work with tech support to make any significant changes to your hosting plan (such as adding a new domain name). It's really, really annoying, but that's how they roll.
Making the address book public, at least temporarily would be a terrific way to go, but there seems to be a battle these days by each company to keep your data. I wouldn't hold your breath on this changing until some kind of class action lawsuit or something of that ilk comes through that forces companies to share YOUR information.
Kris on June 5, 2008 6:30 AM
We're thankfully moving away from this sort of thing with various open social network platforms which mean you can use a common social network API to get people hooked up with their friends quickly rather than their email contact book. Think OpenID, but with contacts.
They're still not quite there yet though, and it's worrying the damage may already have started to be done with respect to teaching users it's okay to hand out your password though.
[ICR] on June 5, 2008 6:35 AM
There is a demand. An API needs to be created to meet the demand securely.
Facebook's api allows you to give away your friends info w/o using a password. Privacy concerns aside, your password is safe.
If I say to site Z, here are my friends emails, buzz them for me, the site should have the ability to do that, and only that.
jon on June 5, 2008 6:35 AM
I agree that this is a poor way of retrieving friend lists. A nice way to get around this is to keep a dummy e-mail with only your contacts in it. Then give the password for that account. However, that may be too much effort for a one time import.
Tom on June 5, 2008 6:36 AM
I simply have one email account for communicating with friends/family and a different one where all the "sensitive" information gets delivered. Although it makes me queasy to do this, I think I have done it once (on LinkedIn). Past that point, I guess I have refrained from giving away my (insecure) password even though I don't have much to lose.
From the viewpoint of Yelp or LinkedIn or orkut, all they are trying to do is save you some time - which in and of itself is a noble cause. Is there a way for a platform like, say, OpenID to enable this functionality without compromising the security of your email account?
Prasanna on June 5, 2008 6:38 AM
But all those email service icons make it look soooo real!
phhifff.
Joe Beam on June 5, 2008 6:41 AM
I think these sites should at least give me the option to supply an address book file that contains all of my contacts. That's all they really want anyway, right? I know this would probably be more than a lot of people would want or possibly be able to do, but for users like ourselves, I think this option would be a nice compromise.
Rob Breidecker on June 5, 2008 6:43 AM
Yelp asks for your Gmail password explicitly (and lets you skip the step), but nearly all online logins just ask for an email address (as a user ID) and a password. How many people do you think use a different password for those logins than that of their email?
I'm sure most readers of this blog use a different password when creating online logins, but my guess is the average user doesn't. Compared to this, the Yelp problem seems like a drop in the bucket.
cp on June 5, 2008 6:44 AM
Uh, no friggin' way.
Even if a site is well-meaning, sensitive databases are stolen somewhat regularly.
Steve on June 5, 2008 6:44 AM
We should be teaching small children: "Never share your email address and password with anyone" along with "Never talk to strangers"
PaulG. on June 5, 2008 6:47 AM
I don't know what to make of facebook. Early on I could type in email addresses and find friends that way. Since it was .edu addresses at that point. At the end of each academic year I backed up my address books and stored them on CDs. Later on when I wanted to see if someone was on facebook I would rifle through the ldifs and find their school address. Kept me in contact with a lot of old friends.
Now they've taken the basic email search away and replaced it with "give me access to your email accounts". 1) I feel really uncomfortable about this. 2) I think it's ridiculous they reduced the functionality in the first place.
Joe on June 5, 2008 6:47 AM
Hello, Mr Website. Would you like my password?
http://jivlain.wordpress.com/2007/04/30/hello-mr-website-would-you-like-my-password/
Reg Braithwaite on June 5, 2008 6:48 AM
I feel I should point out some of the work Angus Logan ( http://blogs.msdn.com/angus_logan/ ) has been doing in the way of creating awareness about the Windows Live Contacts API and really pushing for organisations to start adopting it.
This particular issue is one that really really frustrates me about far too many sites - these APIs (WL/Goog/Y!) are seriously easy to use, and increases the user's security immensely.
(To be clear, I'm not affiliated with MS or Angus in anyway - I just read his blog)
Henry on June 5, 2008 6:49 AM
Jeff:
Thank you for posting this. Another problem with this is that it desensitizes people to giving out their password. Even if Yelp is reputable, it makes the practice seem legit, and people let their guard down making them easier targets for phishing.
Dave on June 5, 2008 6:49 AM
I was asked to code this for a website a few months ago, and I refused. At the time, my clients didn't understand why it was such a big deal to collect email passwords from our users (or give out their own email passwords to anyone that asked).
Thank you - your article will provide even more weight to my arguments against this practise.
rob on June 5, 2008 6:49 AM
i like apples
apple on June 5, 2008 6:52 AM
:O
Jeff Davis on June 5, 2008 6:54 AM
What I find much more disturbing is the conclusion - good, experienced developers know that it's NEVER ok to ask for your password like this, so in turn, that means that whoever worked on that idea in Yelp is inexperienced and clueless. Exactly the kind of people you would trust LAST with security (which is a really tricky thing).
J. Stoever on June 5, 2008 7:00 AM
@cp raises a good point... most users don't want to have to remember 20 passwords, and haven't heard of openID or similar services. so their email password, IS their online password for every site.
Personally, i'm not sure i'm happy giving away my addressbook to these services in the first place, nevermind my password. I receive emails from services my friends have joined which ask me to join. This is because my email has been given out as part of an addressbook, and this service discovered i'm not on it. You know, like telemarketers.
The whole addressbook thing is basically an easy free way of getting prospects. I'm a freelance web designer/developer... what if i asked all of my clients for their addressbooks? Pretty sure they would refuse, doesn't matter if i say "But i'm just checking to see how many of your friends I've built websites for... really... I'm doing this for your benefit."
I would much rather provide a good service, and be referred. You know, the old fashioned way: the way with integrity.
Devon on June 5, 2008 7:01 AM
While asking for email passwords is definitely a failure on the part of websites like Yelp, I wonder if Google, MSN, Yahoo, and other email providers are being clear enough when they warn people:
"and you should not share your account name or password with anyone."
and
"If you are sharing a computer with anyone you should always choose to log out before leaving a site or service to protect access to your information from subsequent users."
I know people who may not associate typing an email address and password into a form with "sharing it with others" or "giving it away". They didn't tell that information to another person. All they're doing is filling out a registration form. And to understand what the website is going to do with it, they have to read some long privacy policy somewhere else on the website.
People are already used to typing email addresses into web forms (the point of an email address is to give it to others), and every site you go to asks you to enter a password to create an account. And for people who use the same password for everything, they may not even realize the difference.
There will continue to be untrustworthy websites who ask for this information. We need to discourage the type of behavior from trustworthy sites, but we really need to limit the need to enter private information, such as passwords, on a regular basis. Of course, that creates challenges with authentication. Maybe OpenID can help with this.
I had a website up for a while, and to sign up, I had a form that asked for email address, email password, credit card number, ATM passcode, Swiss bank account number, birth date, blood type, social security number, retinal scan, and then on the bottom had a check box that said "I agree with the terms of service for this site even though it might result in involuntary servitude."
Of course, the form was a joke, in fact, you couldn't even enter most of this information or click on the check box. But, I always wonder how many people would have filled in this form just because I asked.
David W. on June 5, 2008 7:10 AM
loved the FAIL. You should submit it to failblog.org, just to see how many people get it.
Ethical concerns aside, they shouldn't need a radio button to choose which service to use. It should know whether you used GMail, Yahoo or Live/MSN/Hotmail just from the domain of the address.
John Ferguson on June 5, 2008 7:17 AM
Amen, and thanks, Jeff. Huge red flags should go up anytime you're asked for this type of info. LinkedIn was the first place I remember seeing this. In this privacy-conscious (yeah, right) world, if you insist on giving some unknown bunch of knuckleheads a list of everyone you email, an exported address book should not be too onerous to use.
(Only Google should have our email and passwords. And search history. And chats. And shopping history. And credit card info. And documents. And contact lists. And stock portfolios. And spreadsheets. And calendars. And notes and photos and videos. And cellular and GPS track data. And medical history. I mean, we can trust them, right? /sarcasm)
bill on June 5, 2008 7:17 AM
I'm actually more surprised by the first two form fields. Isn't it redundant (not to mention lazy) to ask for your email provider, and then also ask for your e-mail address?
If I tell you my email address is scott@gmail.com (which it's not), the website should be smart enough to see @gmail.com, and think... oh, he's using Gmail! Same with yahoo, etc. It's not difficult and I'm really thinking that this, along with your original problem of asking for login details is just stupid ignorance.
Which is incredibly dangerous if you're going to be handling email passwords.
No thanks, I'll pass!
Scott MacDonald on June 5, 2008 7:19 AM
Yeah, I would never have the bad manners either to spam my friends with unsolicited offers. I actually like Yelp - it was helpful when I moved recently. In general, however, I *loathe* "social networking". I'm not twelve years old. I go there to read and write a couple reviews - not to hook up.
Rhywun on June 5, 2008 7:20 AM
A web game I played for a very long time had for like four years "You agree to sell your first born son into slavery for no less than USD $100" in their registration form. Tens of thousands of users didn't seem to mind, in fact, it was only brought up on the forums like two years after it was added.
J. Stoever on June 5, 2008 7:21 AM
Yelp are unfortunately not the only ones who come up with that nonsense. Linkedin also allows you to import your stuff from GMail.
I wonder if companies like Yahoo or Google have a legal approach that would allow them to force such sites to drop that nonsense as it violates their TOU or something, but then again, they might believe that it might be better for their business if their customer can just conveniently bring their data into the site. I think that they may fear "Oh no, our customers will think 'why can I import from Google but not from Yahoo? Is GMail better than Yahoo Mail?'" or whatever.
What makes me wonder: This problem is not new, so why did the smart guys at Yahoo or Google (who usually always have 5 different solutions to every problem) not offer some sort of "external" API yet? as in "Here is a second password that only allows access to the address book for sites like this"?
Michael Stum on June 5, 2008 7:23 AM
It is truly insane for a web site claiming to be legitimate to ask for such a password. Are they kidding? How did this survive even 30 seconds of thought or discussion in product management or development at Yelp.
"I know, we'll have this cool feature where we find others in Yelp based on their GMail contacts."
"How will we know their contacts?"
"We'll just get their password and log in as them, no problem."
(What happened next)
"Great idea. Let's do it."
(What should have happened)
"That is the dumbest thing anyone has ever suggested. That is so dangerous and stupid we should probably fire you on the spot for even imagining that could fly. We will absolutely never want to get someone's password for another account of theirs. End of discussion."
why point out yelp when you can flip the finger at facebook. they do the exact same thing. come to think about it, probably 80% of "social networking" sites do it.
this is why i'm anti-social
Darren Kopp on June 5, 2008 7:25 AM
Well really it's only a matter of time before Microsoft and Google own everything, and then they'll all know your password anyways, right? :)
I want to mention an experience like this I had recently which was actually good (<shock/> <horror/>). If you use LinkedIn with Yahoo Mail (I think only with Yahoo), they will take you to Yahoo's site to log in and there is a message explaining that you are giving them limited time access to certain information. It's clear what's happening and how it is limited. You log in to Yahoo only on Yahoo's site. Personally, I found this ok as opposed to the horrifying examples like the one above (Twitter is equally bad).
Alex Miller on June 5, 2008 7:29 AM
Jeff, you really need to forward this to your local news channels. They usually do stories at the other end of this: "Well, the web site asked for my password so I gave it to them. Now I can't log into any of my bank, investment, mortgage, car loan, etc. web sites and Visa just called to see if I was buying something in Hong Kong."
I'm going to forward this to my local news and see what they do.
"Tonight, on Larry King Live, Jeff Atwood discusses the dangers of giving out your email password...."
Jeff Schwandt on June 5, 2008 7:32 AMIn Yelp's defense - the "Skip this step" is right there. So perhaps they should re-word this like "If you want to enhance your experience but risk losing the password to your bank account"
Jeff on June 5, 2008 7:32 AM
Facebook does this too, and while it's absolutely absurd to a technology enthusiast such as yourself, you'd be surprised how many _veteran_ (but casual) internet users are willing to give out their email account information to a "trusted" website. I think the website creates an image of the company running it that prevents the users from realizing that all that was created by people just like themselves, albeit more knowledgeable about technology.
That said, about the "email address book sharing" you want, CSV files should be standardized for this use. Facebook, Yelp and other sites like them should allow for the uploading of CSV files with a list of contacts. Additionally, there should be a standard by which you can give your email address and an "address book password", which allows the website to retrieve your email address book without having complete access to your account.
steve_jobs on June 5, 2008 7:35 AM
Facebook also asked for my "live messenger" id, and I accepted.
But I changed that password before and after I let the site check my friends :)
It's a very bad practice, but how so convenient to add contacts to a social website...
manu on June 5, 2008 7:36 AM
Forget Yelp, IMHO Facebook is the big brother in this respect. Absolutely shocking.
Perhaps, web2.5 sites should implement something like a payment gateway system, wherein I am redirected to the source site's page, do my authentication there and a one-time authorization of what info I want to share.
If we can do it for payment, it should happen.
That way we can have a track of what info we shared, much less, there's no need to share our passwords
"Well really it's only a matter of time before Microsoft and Google own everything, and then they'll all know your password anyways, right? :)"
--
Interesting point. I once created a "Yahoo Answers" account, just to see what the fuss was about.
When I created a Flickr account, it too, was a member of the yahoo network, so I used the same login.
Now I wish I didn't. My pictures are linked to the topics I'm interested in. :(
manu on June 5, 2008 7:39 AM
Wouldn't it be cool if, instead of your email credentials, Yelp (or any site like it) could use your Facebook/MySpace/MySocialNetworkingSiteOfChoice credentials to find your friends? I know for a fact I don't keep my financial info stored on my Facebook profile, and I message more friends through social networking sites than I do through email anyway.
Matt on June 5, 2008 7:42 AM
Agreed, and Twitter tried the same thing. Only an utterly retarded individual would even consider doing such a thing. What we need is a standard format for address book exporting (using XML or JSON). Then we can upload that to Yelp, or whatever, if we decide we want to. It's a really simple concept.
Josh Stodola on June 5, 2008 7:47 AM
the better solution is to have a textarea where the user simply adds their contacts (aka "friends") via a comma separated list.
the user then has the option to include a message. yes that means people need to know all their "friends" email addresses but if you put those two options in a user testing scenario I bet the textarea vs the plaxo/yelp type import solution would have a much higher success ratio.
kevin on June 5, 2008 7:47 AM
Email services might do well to allow a "valet password" just like a car's valet key that would only allow access to validating the email account's existence and grabbing its contacts.
Cameron B on June 5, 2008 7:51 AM
I use a Yahoo! Email Notification plug-in for Firefox. It needs the email password to check periodically for new messages.
How do you feel about giving your email password to this program? Is it the same situation?
Fred on June 5, 2008 7:56 AM
I've been thinking about this one for a while...
what I'd like to see is a web service brokerage protocol like how with OpenID you can allow/disallow services.
I tell yelp my gmail account name.
It's sends a REST request to Gmail to be a valid service.
In Gmail I see Yelps request and click "yes, but address book only"
From Gmail I can deauthorize Yelp at any time.
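The four-step flow sketched in the comment above, worked through as a small simulation. This is an editor-added example, not code from the post or from Yelp, Gmail or any other site named here; the class names, the scope names (`contacts:read`, `mail:read`), the user and site names and the token format are all assumptions. What it shows is the property that matters: the consumer only ever holds an opaque token bound to one site, one scope and an expiry, the password is checked only on the provider's side, and revocation at the provider kills the consumer's access immediately.

```python
"""Editor-added example, not code from the post or from any site it names.
A toy delegated-authorization broker of the kind the comment above sketches:
the consumer never sees the mail password; the provider hands out a token
scoped to the address book only, which the user can revoke at any time.
All class, scope, user and site names are assumptions."""
import hashlib
import secrets
import time

SCOPES = {"contacts:read", "mail:read"}   # assumed scope names


class Provider:
    """The mail service (the 'Gmail' side): holds accounts and grants."""

    def __init__(self):
        self.users = {}    # username -> account record
        self.grants = {}   # token -> grant record

    def register(self, user, password, contacts, mail):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "contacts": list(contacts), "mail": list(mail),
                            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}

    def _check_password(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        return secrets.compare_digest(digest, rec["pw_hash"])

    def authorize(self, user, password, consumer, scope, ttl=3600):
        """The user logs in HERE, on the provider's own site, and approves one
        scope for one named consumer. Only an opaque bearer token leaves."""
        if scope not in SCOPES:
            raise ValueError("unknown scope: " + scope)
        if not self._check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.grants[token] = {"user": user, "consumer": consumer,
                              "scope": scope, "expires": time.time() + ttl}
        return token

    def read(self, token, consumer, resource):
        """Consumer presents its token; binding, expiry and scope are all checked."""
        grant = self.grants.get(token)
        if grant is None or grant["consumer"] != consumer:
            raise PermissionError("unknown token")
        if time.time() > grant["expires"]:
            del self.grants[token]
            raise PermissionError("token expired")
        if grant["scope"] != resource + ":read":
            raise PermissionError("token not valid for " + resource)
        return list(self.users[grant["user"]][resource])

    def revoke(self, user, consumer):
        """'From Gmail I can deauthorize Yelp at any time': kill every token
        this user issued to this consumer; returns how many."""
        doomed = [t for t, g in self.grants.items()
                  if g["user"] == user and g["consumer"] == consumer]
        for t in doomed:
            del self.grants[t]
        return len(doomed)


class Consumer:
    """The site that wants the address book (the 'Yelp' side). Holds tokens, never passwords."""

    def __init__(self, name):
        self.name = name
        self.tokens = {}

    def find_members(self, provider, user, token, members):
        self.tokens[user] = token
        contacts = provider.read(token, self.name, "contacts")
        return sorted(set(contacts) & set(members))


def blocked(fn):
    """True if the provider refused the call."""
    try:
        fn()
        return False
    except PermissionError:
        return True


def demo():
    """Runs the flow once; returns what the consumer could and could not do."""
    gmail, yelp, pw = Provider(), Consumer("yelp"), "correct horse battery"
    gmail.register("alice", pw, ["bob@example.com", "carol@example.org"], ["private message"])
    token = gmail.authorize("alice", pw, "yelp", "contacts:read")
    out = {"friends": yelp.find_members(gmail, "alice", token,
                                        {"bob@example.com", "dave@example.net"})}
    out["mail_blocked"] = blocked(lambda: gmail.read(token, "yelp", "mail"))
    out["other_site_blocked"] = blocked(lambda: gmail.read(token, "mallory", "contacts"))
    out["revoked"] = gmail.revoke("alice", "yelp")
    out["after_revoke_blocked"] = blocked(lambda: gmail.read(token, "yelp", "contacts"))
    stale = gmail.authorize("alice", pw, "yelp", "contacts:read", ttl=-1)
    out["expired_blocked"] = blocked(lambda: gmail.read(stale, "yelp", "contacts"))
    return out


if __name__ == "__main__":
    print(demo())
```

The real protocols (OAuth, and the provider-specific AuthSub/BBAuth schemes linked further down this thread) add request signing, a browser redirect for the approval step and a separate request/access token pair, but the access-control decisions a consumer can never bypass are the three checks in `read`: is this token yours, is it still live, and does its scope cover what you are asking for.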
engtech on June 5, 2008 8:02 AM
Facebook tried to pull the same thing on me. I'm somewhat surprised that it is still legal for them to do so.
Chris L on June 5, 2008 8:11 AM
I know I shouldn't, but I can't help finding this extremely comical! "Asking for the e-mail password is like asking for the keys to my home"! I couldn't agree more. And besides, there is always 4. How do I know that their site has not been compromised and, despite them not storing my password, it is being sent unawarely to somewhere else?
MarcioRPS on June 5, 2008 8:14 AM
These mail services need to support OAuth to provide authorization tokens.
I'm actually working on a client site now, and they need CSV document import for contacts, and I want to upsell import features - however it will use the new APIs, and only be in AFTER the user has signed up and goes into their contacts page.
Tane Piper on June 5, 2008 8:17 AM
What some people seem to have not noticed is that Hotmail, Gmail and most other desktop clients allow you to export your contact list to a file. Now I don't know about most social sites, but Facebook allows you to upload a file from many different applications in order to search for contacts. The problem? It's not their primary option. Also, for most webmail applications the options to import/export contacts are not obvious, you have to want to find them in order to find them.
At the root of the problem is that the least secure option is provided as the default option. While it would be easy enough for a developer to change this, this would provide a greater learning curve for the end user and most people don't want to use things that are hard to use.
trulogik on June 5, 2008 8:23 AM
Not suggesting this is a solution to the overall problem, but I'm hearing a lot of "OMG, they're going to store my password on an unsecured database somewhere and it will be hacked by the Russian mob and my identity will be stolen" sorts of fears. Technically, a way around this that I'm sure is commonly used is to store an encrypted version of the password in a cookie, and store only the key in a database. I think the odds of someone gaining access to both the database and your computer's hard drive are fairly low. Perhaps I am not paranoid enough, but personally, if a legitimate site explained to me that they were not actually storing my email and password anywhere on their servers, I would consider providing the information.
J Liles on June 5, 2008 8:25 AM
In addition to you, Fred, Google Bookmarks anyone?!
Nikki on June 5, 2008 8:26 AM
> why can't I grant them temporary access to my public email address book without giving out the keys to my email kingdom?
As I am sure others have mentioned by now, you can using Contacts Data APIs (http://code.google.com/apis/contacts/)
The other option (tho it requires more work on the users end) is to offer an upload facility where members can upload their exported contacts list. Then have a parser to handle the most common formats like gmail's CSV.
But what we really need is an uptake on OAuth
"OAuth allows the user to grant access to their private resources on one site (the Service Provider), to another site (called Consumer). OAuth is about giving access to your information without sharing all of your identity."
http://en.wikipedia.org/wiki/OAuth
And what do you want to bet that these schemes were thought of by some little sociopath a**hole with a freshly minted MBA and a strong tendency to magical thinking?
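The "upload your exported contacts" option from the comment above, as an editor-added example rather than anything the commenter or any site in this thread shipped. It accepts either a CSV export or a hand-typed list of the kind a textarea would give you, normalizes the addresses, and de-duplicates them so each person is invited at most once. The column names it looks for and both sample inputs are constructed for the example; real exports differ by provider.

```python
"""Editor-added example, not from the post or any site it names: a contact
importer that accepts either an exported CSV file or a hand-typed list, and
de-duplicates before anyone gets invited. Header names and the sample data
are assumptions; real exports differ by provider."""
import csv
import io
import re

ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # deliberately loose

# Constructed sample inputs, not real exports.
SAMPLE_CSV = (
    "Name,E-mail 1 - Value,Phone\n"
    "Bob Example,Bob@Example.com,555-0100\n"
    '"Carol, C",carol@example.org,\n'
    "Eve,not-an-address,\n"
)
SAMPLE_TEXTAREA = 'bob@example.com, "Dave D" <dave@example.net>;\n<carol@example.org>\n'


def normalize(raw):
    """Lower-case, trim, drop angle brackets; None if it is not an address."""
    addr = raw.strip().strip("<>").strip().lower()
    return addr if ADDR_RE.match(addr) else None


def parse_csv_export(text):
    """Any column whose header mentions 'mail' is treated as an address column
    (assumption: covers headers such as 'E-mail 1 - Value', 'E-mail Address')."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        name = (row.get("Name") or row.get("First Name") or "").strip()
        for col, val in row.items():
            if col and "mail" in col.lower() and val:
                addr = normalize(val)
                if addr:
                    out.append((name, addr))
    return out


def parse_textarea(text):
    """Comma/semicolon/newline separated entries, optionally 'Name <addr>'."""
    out = []
    for tok in re.split(r"[,;\n]", text):
        tok = tok.strip()
        if not tok:
            continue
        m = re.match(r"^(.*?)\s*<([^>]+)>$", tok)
        name, raw = (m.group(1).strip(' "'), m.group(2)) if m else ("", tok)
        addr = normalize(raw)
        if addr:
            out.append((name, addr))
    return out


def merge_contacts(*lists):
    """One entry per address, so one invite per person. First non-empty name wins."""
    seen = {}
    for lst in lists:
        for name, addr in lst:
            if addr not in seen or (not seen[addr] and name):
                seen[addr] = name
    return sorted(((n, a) for a, n in seen.items()), key=lambda t: t[1])


def demo():
    """Imports both constructed samples and merges them."""
    return merge_contacts(parse_csv_export(SAMPLE_CSV), parse_textarea(SAMPLE_TEXTAREA))


if __name__ == "__main__":
    for name, addr in demo():
        print(f"{addr:24} {name}")
```

The site still ends up holding a list of addresses, so this only removes the password from the transaction; what it does with the list afterwards is a separate trust question.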
ThatGuyInTheBack on June 5, 2008 8:31 AM
Hey Jeff,
You can read more about this anti-pattern here: http://adactio.com/journal/1357
The article references oAuth (http://oauth.net/) as one technical solution to the problem--essentially getting temporary permission from users to view their address book via APIs. Users would only enter their password on the providers site.
Here's more information about how the Google and Yahoo APIs work:
http://developer.yahoo.com/auth/user.html
http://code.google.com/apis/accounts/docs/AuthForWebApps.html
Cheers,
Tom
Good catch Jeff. Great analogy too (keys to house for address book).
I did an informal survey not long ago asking people if they used the same password everywhere. A significant minority did.
David Alison on June 5, 2008 8:34 AM
Someone made the comment about IM clients asking for email/password. For some reason I don't have a problem with putting my details into Adium, or Pidgin, or even a web service like Meebo. Yet when Facebook asked me for the same details when signing up for an account I stopped short. Why?
I think the problem isn't so much that a site might want you to enter your user/pass per se, but whether it is an appropriate context for it to ask you. A complementary issue is that individual services, such as maintaining a set of contacts for you or an IM account, aren't sufficiently decoupled from the email accounts they pertain to. If you had a separate user/pass for the particular service you were accessing, you wouldn't mind so much when prompted for those. I applaud the use of OAuth to combat the password anti-pattern (and decry the essentially spammy practice by Facebook, Yelp etc of doing it in the first place), but there are occasions, even with the advent of these good new conventions, when most people will still give their credentials to third-party sites. Should Meebo implement OAuth rather than ask for my Gmail account details so I can use Google Talk? Where do we draw the line?
Douglas Greenshields on June 5, 2008 8:39 AM
Secret passwords should never be given out to anyone. All you are doing is lowering the guard of unsuspecting Users and making it acceptable to hand these passwords out when asked.
fxp on June 5, 2008 8:41 AM
Isn't this a solved problem? When I switched from Yahoo email to Gmail, I just clicked to export my Yahoo contacts as a CSV file, then uploaded the file to Gmail. Both email providers made this easy for me.
Any reason why I can't do the same for a social site? They could include easy-to-follow instructions...
Nathan Long on June 5, 2008 8:43 AM
@J Liles >"Not suggesting this is a solution to the overall problem, but I'm hearing a lot of "OMG, they're going to store my password on an unsecured database somewhere and it will be hacked by the Russian mob and my identity will be stolen" sorts of fears. <snip> Perhaps I am not paranoid enough, but personally, if a legitimate site explained to me that they were not actually storing my email and password anywhere on their servers, I would consider providing the information."
I'm just wondering what constitutes a "legitimate site".
While I'm concerned about the "Russian mob" and all other "mobs" looking to get my info, I'm far more concerned about "Bob the employee" getting it since it is considerably easier to get at something inside the house if I'm inside the house than if I have to break in the house.
Anytime a website starts asking me for info, I'm concerned. Obviously there has to be some level of trust on the part of the information provider. But sometimes I suspect they ask me for info because it is convenient and useful for THEM not so my personal experience will be better. I'm not paranoid, but I do question the motivation of some sites.
Hefty Smurf on June 5, 2008 8:48 AM
So why do you trust that "treasure trove of highly sensitive financial and personal information" of yours to Google? How much do you really know about how carefully Google guards your personal data, or how many of its employees have access to it? Why is it safer to trust Google with access to this information than Facebook, for example?
greenyoda on June 5, 2008 8:54 AM
Paranoia will destroy-ya.
superjason on June 5, 2008 8:54 AM
I'm surprised there's only a handful of posts that point to OAuth, so I'll make another shout-out:
Doing it right has been done, it just needs uptake.
OAuth is largely based on the Flickr model, assuming you've used it before.
That said, yes, this is kind of terrible. What's worse, though? The fact they ask or the complacency involved in the users?
Great post. Not only is it a bad idea to give out your e-mail password to just any site, but it's also a bad idea to use your e-mail password as your login password on a new site when your username on that site will be your e-mail address. The next logical step for anyone who gains access to that database is to guess that your password for their site is also your e-mail password (as I blogged about, similar to your post here - http://bryanhales.com/archive/2008/04/11/an-easy-way-to-have-your-identity-stolen.aspx)
Bryan on June 5, 2008 9:07 AM
amen. so many projects i've worked on recently list this as a necessary feature. i try to convince them that it's a bad idea but i rarely win the argument. i'm told it's a necessary feature since everyone else does it.
FAIL
Imma head outside now and tell people, YOU MIGHT HAVE FRIENDS WITH THE SAME BANK ACCOUNT BALANCE AS YOU! GIVE ME YOUR CARD AND PIN FOR 10 MINUTES AND ILL CHECK TO SEE WHO DOES!
See how long it takes me to get arrested.
dnm on June 5, 2008 9:13 AM
The Yelp-ers are ex-PayPal-ers, and they will remember exactly the difficulty PayPal had in their pre-part-of-eBay years getting users to supply their eBay signon information. PayPal was able to do a great many useful things for people if they could sign on to eBay on their users' behalf - monitor auctions, send invoices automatically, provide statements with details, etc - but there was a security risk involved.
However signing on to someone's eBay account isn't as dramatic as signing on to someone's email account. If I log in as you into eBay, about the worst thing I can do is screw up your eBay reputation (that is not nothing, but it isn't that bad). However if I log in as you into your email account, I can learn all sorts of things about you, personal and business, and probably recover a whole bunch of your passwords to other sites. I agree I would never do this.
Ole Eichhorn on June 5, 2008 9:13 AM
I don't see the problem.
1) Just click "skip this step".
2) According to the screen they don't keep your email credentials. They likely do a one-time lookup and then cross reference to people in your address book. Then they throw away the credentials info. Sure, you have to trust that they are telling the truth. But why would they lie about it?
Typical mountain out of a molehill.
Matt on June 5, 2008 9:17 AM
There is something you can do. I work in an environment where sharing your credentials isn't only a bad idea, but it's a crime. However there are other government sites that still ask for your credentials to verify this or that thing. In the event this happens and I can't avoid it, I hand over the credentials and promptly change my password.
The same rule can be applied to yelp and its ilk. If you are REALLY attached to your password, you can change it first, hand it over, then change it back.
Not ideal and you are right, it's bad form to ask for full credentials, but there is a way around the individual security flaw.
However as you said, this practice is training users to hand over the keys and think it's normal and ok.
Scot McPherson on June 5, 2008 9:18 AM
On ETrade recently, I wanted to do an automated transfer from my bank account to my ETrade account (I think to get my IRA contribution in before the deadline, of which direct mailing would have taken too long and gone past that deadline). However, the way it works in ETrade is for you to give them your user/pass for your online banking account, PLUS all of the responses to those extra security questions, like your Mother's maiden name! When I saw that I was convinced I was at a phishing version of ETrade, but nope, I was at the real deal.
Jason on June 5, 2008 9:23 AM
Please see my followup, titled Customers trust you, even if you don't deserve it:
http://www.ytechie.com/2008/06/customers-trust-you-even-if-you-dont-deserve-it.html
superjason on June 5, 2008 9:33 AM
"Only slightly less well known," and not nearly as sinister, but still a potential breach of security at most and bad netiquette at least is all those grapevine emails that contain dozens of email addresses from people who have 2 or more degrees of separation. I wouldn't expect anyone's grandmother to know how to edit that stuff out, but where are the email settings that at least hide and best remove all those headers? Better yet, how about "Use BCC when I forward to this group"?
Foozinator on June 5, 2008 9:59 AM
You're so right, in my opinion you have to be pretty dumb or really new to the internet in order to provide such a valuable resource to some lame ass site you found 5 minutes ago.
It's the same thing with viruses, they ask you to click and people like morons actually do click. Remember the "I love you virus"?! Oh, someone loves me, I will open the pandora box now.
P.S: Jeff, just got the stickers, amazing quality. Where do you have them made?
> Even if there is a better way of providing address book information I'd hesitate to do so. How do I know they aren't building a spam list?
Do what FOAF does and hash the mail addresses. Then you can be linked automatically to anyone you know who already is on the network, but emailing other people about the network is up to the customer, as it should be.
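The hashed-address matching proposed in the comment above, as an editor-added example (not the commenter's code and not anything a site in this thread shipped), together with the check a practitioner should run before relying on it. FOAF's `mbox_sha1sum` is the SHA-1 of the `mailto:` URI; the `Network` class, the sample contacts and the guess list are assumptions. The matching works as described, and the hashes do keep non-member addresses out of the site's database in the literal sense; but email addresses are low-entropy, guessable values, so whoever holds the uploaded hashes can recover most of them with a lookup table, which `dictionary_reverse` demonstrates.

```python
"""Editor-added example (not the commenter's code): FOAF-style hashed address
matching as the comment above proposes, plus the check a practitioner should
run before trusting it. foaf:mbox_sha1sum is SHA-1 of the mailto: URI; the
sample addresses, the guess list and the Network class are assumptions."""
import hashlib


def mbox_sha1sum(addr):
    """SHA-1 of 'mailto:<address>', address lower-cased and trimmed."""
    return hashlib.sha1(("mailto:" + addr.strip().lower()).encode()).hexdigest()


def client_hashes(contacts):
    """What the user's side uploads: hashes only, no addresses."""
    return sorted({mbox_sha1sum(a) for a in contacts})


class Network:
    """The social site: knows its own members, so it can recognise their hashes."""

    def __init__(self, members):
        self.by_hash = {mbox_sha1sum(a): a for a in members}

    def match(self, hashes):
        """Members the user already knows; linked automatically, nobody emailed."""
        return sorted(self.by_hash[h] for h in hashes if h in self.by_hash)


def dictionary_reverse(hashes, candidate_addresses):
    """The caveat: unsalted hashes of guessable values are one lookup table away
    from the values themselves. Returns hash -> recovered address."""
    table = {mbox_sha1sum(a): a for a in candidate_addresses}
    return {h: table[h] for h in hashes if h in table}


def demo():
    """Constructed contacts and members; returns what the site learns both ways."""
    contacts = ["Bob@Example.com", "carol@example.org", "dave@example.net"]
    uploaded = client_hashes(contacts)
    network = Network(["bob@example.com", "erin@example.com"])
    # Attacker-side guess list: a few local parts crossed with a few domains.
    guesses = [f"{u}@{d}" for u in ("alice", "bob", "carol", "dave", "erin")
               for d in ("example.com", "example.org", "example.net")]
    return {"matched": network.match(uploaded),
            "reversed": sorted(dictionary_reverse(uploaded, guesses).values())}


if __name__ == "__main__":
    print(demo())
```

Keying the hash with a site secret (an HMAC) stops outsiders who obtain the hashes, but not the site itself, which holds the key; keeping non-member addresses genuinely private from the site needs a private set intersection protocol, which is outside what this thread discusses.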
Pete Kirkham on June 5, 2008 10:00 AM
I'm starting to see this a lot as well. The worst I saw was a "Centralized one stop banking" or something where, by providing your login credentials to your other bank accounts, you'd be able to manage them all in one place.
That's going a little too far.
Bobby on June 5, 2008 10:01 AM
Even though it's been said already I'm throwing in a vote for OAuth. The spec is simple and most of it is based on HTTP best practices. Here is a link directly to the 1.0 spec:
OAuth is also being used by OpenSocial which is a good sign of its uptake: http://blog.oauth.net/2007/11/07/oauth-and-opensocial/
I currently developed an OAuth server and it only took me a couple of days (with the help of the ruby oauth gem) but most of that time was spent getting it working with Merb.
Eric Allam on June 5, 2008 10:09 AM
Jeff - If you think Yelp is bad, consider Mint.com, a site that asks you for the usernames and passwords for your online Bank, Brokerage, Mortgage, and other financial accounts.
I signed up with them cautiously - mostly as an experiment - and gave them the credentials of two non-significant accounts.
Then, without my explicit authorization, they sent me a "Weekly Summary" of my account balances into my e-mail inbox. Breach #1. My thought - how can I trust these guys. Here's what ensued - taken from my e-mail to them:
"First you sent me a weekly summary by default. How dare you - what gives you the right?
I felt this was a major breach of security for me because my financial status was sent over plain email. Yikes - I thought to myself - I can't trust these guys with my sensitive data - maybe I should cancel..
Instead, I give you the benefit of the doubt and I turned off the weekly update by logging into my account and editing the settings.
And now, exactly 1 week later, you sent the weekly summary AGAIN. Maybe you've got a bug, in which case your systems aren't properly tested, or perhaps your UI was unclear, in which case you should have invested more time finding usability issues. In any case - shame on you guys for being so careless with my very personal info.
You've confirmed my worst fears about your service (I really hesitated giving you all my usernames and passwords), and you've made me wonder "what's under the hood?"
I will be canceling my account asap.
And [in replying to your original e-mail] I'm guessing whoever does customer service can scroll down and see my financial summary too....
Why is this ok?"
What, me worry??
I thought you were all about web 2.0... no? hahaha! Not going to swallow the "people have no reasonable expectation of privacy today so i'll just throw it away anyways" argument?
=)
John G on June 5, 2008 10:13 AM
Why not just use a standard address book import/export file?
Marcio on June 5, 2008 10:18 AM
@Jeff somewhere above: "Skip this step" is a fricking text link, not a button. Which one is the average user more likely to click on? Did they get that little trick from GoDaddy.com or something?
Todd Rafferty on June 5, 2008 10:19 AM
This reminds me of how credit currently works. If you want credit you give out your social security number.
gs on June 5, 2008 10:28 AM
Sites like Gmail deserve some of the blame here. They don't give you a way to walk your data out the front door and give it to someone. This forces sites like Yelp and Facebook to ask for the keys to your house.
Gmail/Yahoo/MSN/AIM and Banks are the only parties that can fix this. Or we can simply stop using those services (good luck to you on that!).
Gareth on June 5, 2008 10:31 AM
ACAP (RFC 2244) access to address book information could make all (or part) of your address book available to whomever you wanted. If only email clients supported ACAP...or if there were more server implementations...
Of course, even allowing a small portion of your address book to be shared could present spammers with a gold mine for new addresses if not done very carefully.
Kevin on June 5, 2008 10:44 AM
Jeff, nice post - indeed, this is ridiculous.
Regarding Facebook and LinkedIn, I really don't see where this pattern is in use. Maybe I don't use these sites to the extent so that I see this pattern... what I do notice is that it requires an email address as a *username*, but not necessarily your specific *email* password; obviously it should be different.
Patrick on June 5, 2008 10:45 AM
Linkedin does this also and it sucks. Because now every time I login I get presented with people who are on linkedin but I did not want to extend an inmail connection to. Basically, people who I hate or do not wish to connect with. But NOOO! Every time I log in I need to know that my ex-ding-a-link-boss is on linkedin. I wish there was a way to turn it off.
techustle on June 5, 2008 10:56 AM
Of course, we all know Jeff's email password is "orange".
Andy on June 5, 2008 11:08 AM
I've seen those options at Xing or Linkedin instead of Yelp. I'm not sure about the risk of using it...
ghostmou on June 5, 2008 11:19 AM
Asking the user to go to Live, log in, get their API key and give it to you is unfortunately asking for the user to do too much.
You have to realize that the majority of users are Lazy fricken people that have no clue how to figure out getting their API key from Live. Even if you provide step by step instructions... it's too much. You made them Think, so they move on.
Brian on June 5, 2008 11:24 AM
A new "social networking for babies site", totspot.com, went live today and their home page has exactly the same feature as well.
Given that I don't really need the site, and given the demonstrated lack of concern for security, I've asked for my account to be removed (although I have NOT provided them with an address).
David on June 5, 2008 11:43 AM
Here is an idea. Just an idea. Do not keep sensitive personal information in your web mail inbox. The argument which goes like "Sure, Yelp means well but how do I know they won't misuse my personal information" can be extended to Gmail, Yahoo, Hotmail or any other web-based service which requires a surrender of personal privacy as a price for "free" service.
I use gmail extensively but never keep anything sensitive in my inbox.
It is beyond me that Gmail, Facebook and others have convinced the masses that we live in oh-so-fuzzy-and-friendly world of online love and interconnectedness, which is primarily used to stuff our throats with useless advertising. I know, advertisers and google board members have to eat too.
BugFree on June 5, 2008 11:56 AM
I agree this is a big problem. But I also think there is the obvious, if you are lazy and want them to pull your contacts anyways. Just change your password before using the service. Then change it back afterwards.
anonymous on June 5, 2008 12:01 PM
I'm surprised I haven't seen this comment (or I missed it in scanning) -
In addition to the FAIL reaction, my first instinct on any form with important information is to look for the https session...the forms I've seen don't have it. So, not only are you trusting the site, but also the network.
The lack of https on a form with username and password upgraded the FAIL to EPIC FAIL for me.
KungFuGrip on June 5, 2008 12:12 PM
If your email account is at gmail, google has your password.
A simple alternative is to have a secondary email account that has just "shareable" contacts. Granted, this is more than a user should have to do (I'm a fan of simply uploading .csv files) but it has the advantage that it will work for pretty much any of the existing sites that do this type of thing.
Sumudu on June 5, 2008 12:23 PM
Now a lot of folk in here are developers, so you guys will disagree, however, I think y'all are making too much out of this issue.
1. On the average day, I log into 25+ sites/programs/gateways, etc. So are we really saying I should use 25+ passwords? I know the premise behind the "don't use one password" rule, but it isn't very practical is it?
2. Again, we're talking about "social" sites here. If you guys don't have a social email separate from a business email, then that's the problem right there.
3. It takes 7 seconds to log into Gmail and change a password. So, to go forward then back, that's a whopping 14 seconds.
I agree it's a big problem, but there is a bit of common sense that goes into these things. With everything involving a third party, there is going to be a level of risk associated. How many people live in apartments, where maintenance can move in and out? It's accepted risk.
There are paranoid folks that don't show their ID when making a credit card purchase; there are folks that don't use credit cards; there are folks living in caves. Does that mean, we all should, no?
The majority of people are gonna get hooked when they try to "log in" to PayPal at http://203.999.999.999/paypal/.
And to close, why trust anybody? The majority of things I sign up for come through my Gmail address. And we know a lot of sites initially sent usernames and passwords. Gmail can "read" your email to do context-sensitive ads, so who's to say what else they do? What does the "delete" button really do?
I say stop being OVERLY (keyword) paranoid here and just exercise a lil' bit of common sense. And BTW, yes I use Mint and give them all the passwords to all my online banking accounts.
Baz L on June 5, 2008 12:36 PM
Couldn't agree more. I did a (somewhat unscientific) study of this practice a while back (http://www.bitcurrent.com/?p=14); even those who claimed to have cleaned up their acts (the big social guys) were doing it.
It was interesting to see that on top of this practice, many of those sites weren't using SSL encryption to retrieve the password (which the original messaging site did) so you were sending a Gmail password in plaintext despite Google's best efforts.
There are technical problems with this too. Look at Notchup (which peaked and tanked really fast) -- their model had people repeatedly getting invites because they weren't willing to de-duplicate sending.
Alistair Croll on June 5, 2008 12:43 PM
I wrote this exact same rant in March!
"We promise we won't store your password"
http://isisblogs.poly.edu/2008/03/30/we-promise-we-wont-store-your-password/
Yes, I find it rather poor that sites request this info. Both the LinkedIn.com and Plurk.com websites do this same thing to automatically pull in your friendslist. I never do it either.
Chris Pietschmann on June 5, 2008 12:48 PM
I forgot to ask:
What's all this ranting and raving about the Contact APIs? Didn't Google just release theirs in March 08?
Commonsense trumps technology every time. No matter what sort of technological breakthroughs we make, dumb people (like myself, some would argue because I use Mint) are going to do dumb things.
Baz L on June 5, 2008 1:00 PM
@Baz, I think you trust people too much. Being a little paranoid makes you ask the sorts of questions that Jeff is trying to get across to you.
- Nobody gets my (g)mail password.
- Yes, I have different & strong passwords for every site that I care about. (i use keepass, so it's easy)
- Yes I have different email addresses (although that's almost more pain than it's worth, more an accident of history and keeping old ones open)
- For the rest of the websites I could care less about the password is usually something along the lines of 'thiswebsiteisrubbish' so it's real easy to remember.
- Using the temporaryinbox.com (which is probably a big scam too) works for those things that force you to give an email, because I don't even like giving my email out, let alone my password. Good for a one-off looksie though.
I don't use credit cards, and I don't even like using direct debit, etc. I prefer to pay cash and not be tracked too much. It's not that I'm inherently paranoid, but keeping the s/n ratio in your favor is better.
Online identity is pretty much linked to the email addresses you use. To me, it often feels like I'm having to show my passport and drivers license and fill in a marketing survey just to walk into Starbucks, let alone buy anything. Sorry no dice. But hey, I'm glad there are people like you out there, because nobody's gonna notice me when there's an easy mark.
PS to others: avoiding spam is impossible, unless you have no friends, because there's always one person who pisses in the pool.
I blame Facebook, I believe they were one of the first to scrape your email account for contacts, and after that, every dumbass incompetent programmer with a half-baked social networking site thought it was A-OK, and their users happily complied.
Dare Obasanjo describes the right way to do this, and what Google, Microsoft and others are adopting - delegated authority - the user approves the application's request for some data (such as Contacts) without sharing any credentials with the piece of shit application that requested it.
http://www.25hoursaday.com/weblog/CommentView.aspx?guid=155b2f03-ce7b-458b-bb7a-2a0a6c862a8c
Seriously, I hate programmers who do this kind of crap, I hope they all lose their jobs.
nexusprime on June 5, 2008 1:12 PM
I agree. I NEVER use these tools for exactly that reason... even if I think you'll be a good citizen about it.
Dan Shaw on June 5, 2008 1:12 PM
Can we just please start using openauth already? Sheesh.
S on June 5, 2008 1:29 PM
Great post. I happily provided a bunch of companies with my e-mail and password information before it dawned on me that this was a very dumb move. I quickly changed my e-mail password and learned an important lesson.
Mark
And personally, I don't like it when my friends sign up for these things and then these things start sending me email.
Hey Jeff, I hope after this post (and the response) you consider writing about OAuth and our soon-to-be-released Portable Contacts API project, which directly addresses this issue.
It's a problem that *has* been worked on for some time and we are on the verge of "solving it", so thanks for bringing some much needed attention to the current depth of the problem! Here are some posts that might be of some interest:
http://adactio.com/journal/1357
http://adactio.com/journal/1408/
http://microformats.org/wiki/social-network-anti-patterns
http://www.37signals.com/svn/posts/597-screens-around-town-facebook-virgin-america-time-etc
http://code.google.com/apis/socialgraph/
http://www.flickr.com/search/?q=password%20anti-pattern&w=all&s=int
http://factoryjoe.com/blog/2008/06/04/inventing-contact-schemas-for-fun-and-profit-ugh/
quote:
------
Seriously, stuff like this is becoming the norm and not the exception. When signing my mother up for a PayPal account, the process asked me to give it the USERNAME AND PASSWORD to her online banking account.
W.T.F.
------
The Real WTF (tm) is that her online banking account has a username and password at all.
I'm guessing you're in America, where (I gather) this is (inexplicably) standard practice for online banking?
Over here (the UK - but I gather everywhere in the EU is similar), you get a customer ID number, a PIN, and a passphrase. Logging into your account at all requires you not to enter these, but to enter a randomly changing subset of them. (E.g., "enter the third digit of your PIN. enter the seventh character of your password.")
Thus, (1) the user is TRAINED to NEVER, EVER enter their full details anywhere, not even on the bank's site itself, and (2) I suppose this provides some protection against keyloggers. (The keylogger would need to record perhaps dozens of login attempts before having a record of every character, and even then it would need to also screen-scrape and parse the "third", "eleventh" parts of the corresponding form labels in order to piece it together in the right order.)
After all that, if you actually want to do anything particularly meaningful, you need to use a little USB challenge and response / one time pad type of gadget, which they provide individually to every account holder.
Banking based on a username + password is basically unforgivable full-stop, never mind third party services asking for the username + password.
steve on June 5, 2008 3:07 PM
I've used the contacts import from Facebook, but like a couple of other people here I changed my password before and after the process.
The difficulty is that it's so damn convenient to be able to give this one little bit of information and have all the people you know added in one hit.
It's a problem that really should be addressed. If there's a contacts API available that does the job without compromising security (and it appears there is) then that's perfect - but why isn't it being used?
Damian Brady on June 5, 2008 4:00 PM
openID and Dataportability ( http://dataportability.org )
give the 'export CSV' a button and a catchy name for gmail and M$oft + Y! to show prominently.
omdesign on June 5, 2008 4:02 PM
As [ICR][1] pointed out, the OpenSocial framework, as of version 0.8, includes a RESTful API that can be used to fetch friends directly. It's still not quite the portability that Chris Messina and the chi.mp folks are talking about, but it's a step in the right direction.
Sadly, this "get your password and screen scrape" is the current state of the art. It sucks.
[1] http://www.codinghorror.com/mtype/mt-comments-renamed.cgi?__mode=red&id=57505
Isaac Z. Schlueter on June 5, 2008 4:08 PM
As an aside, it strikes me as typical of Microsoft to use such user-unfriendly URLs:
Google Contacts API: http://code.google.com/apis/contacts/
Yahoo! Contact API: http://developer.yahoo.com/addressbook/
Windows Live Contact API: http://msdn.microsoft.com/en-us/library/bb463989.aspx
When I encounter this type of thing and I would like it to scan my address book, I temporarily change my email password to something else... register with the site... and then change it back to what it was originally. So even if someone tried to use the password given to the site (Yelp in this case) it would not be the current one to access my email.
Simple. (A hassle, but simple enough to work around.)
Derek on June 5, 2008 4:29 PM
I agree 100%. It is a terrible practice.
Jim on June 5, 2008 5:13 PM
I'm not sure it would be too practical for MS to give user-friendly URLs for every API in the MSDN library. They do have quite a bit more to index there than Google or Yahoo.
@Derek, the changing your password deal will work to an extent, assuming it's sites that you trust in the first place. The problem is that the whole thing encourages people to trust websites with their email accounts. If you trust the wrong site they can automatically go in and change your password, date of birth, zip code, security question, etc. so that you're locked out of your own account before you have a chance to change it back yourself. Then they have free rein to whatever is saved in your email, whatever services you used that email to sign up for, and to spam all of your friends from your account. And if you're using a free email account like Yahoo the chances of you recovering it are slim.
Even if they don't lock you out, they're still likely to have plenty of time to scrape a lot of data from your saved emails before you can change it again.
Personally I would never give any site access to my address book anyway, password or no password, for the simple fact that I respect the privacy of the people in my address book. If I want to know if my friends are on a particular service, I'll ask them.
Best Regards,
Gerald
FriendFeed has already figured this out with their remote key feature, which allows 3rd party software access using a completely separate key. It would be nice to see this kind of feature in Gmail, Yahoo! Mail, and MSN/Live/Hotmail/whatever-the-hell-it-is-now-I-lost-track.
http://friendfeed.com/api/faq#remotekey
Tim Trueman on June 5, 2008 5:40 PM
@Tim, it is in "Gmail, Yahoo! Mail, and MSN/Live/Hotmail/whatever-the-hell-it-is-now-I-lost-track"
They (the big guys) all have contact APIs, you just have to read some of the comments or become informed before coming to your conclusion.
I'm amazed Jeff wasn't aware of all the efforts being made in this area. Great discussion otherwise. I guess I didn't realize how many people aren't aware... OpenID, OAuth, and Data Portability are pushing almost all large sites to adopt similar methods. Too bad they are choosing slightly different methods.
Even facebook has 'facebook connect'
and myspace has 'data availability'
(do a google search)
Nobody in OpenID (which seems to have the most penetration; maybe Vidoop will do it?) is offering granular data access configuration abilities; this is sorely missing. Credentica, recently acquired by M$, has the best solution, IMO.
I have a question regarding this quote:
"As a software developer, you should never ask a user for their email credentials."
Software developers typically don't have much of a say as to what they are developing - that's decided by the client.
So my question is... what legitimate steps could a software developer take if they find this practice absolutely repugnant (as I do), yet still have instructions requiring them to implement it from higher up?
From what I can see, the developer basically does what he's told or quits / is fired. Quitting may not be financially expedient in your current circumstances, and getting fired won't be good at all.
I'd just like some ideas on what WE, as software developers, can do to combat this evil, insidious practice.
Dave G. on June 5, 2008 7:48 PM
With tech support asking for passwords I have a simple solution. I give them the first 10 or so characters. If they can see my password on their screen it's all good, but if they need it to log in to my account... we have to escalate to someone who has authority to vary the terms and conditions. Specifically to add the bit "not disclose... except to tech support staff". Usually once they see that they become more reasonable. Possibly because in Australia we don't grant local monopolies anywhere near as often as the US does, so tech support people are aware that I can just cancel the account.
As far as spambook and similar sites wanting my gmail details... I have a gmail account specially for them. Ditto crapspace, youtube etc etc. Some sites just plain will not let you even see content without disclosing that sort of nonsense (spambook and crapspace not least amongst them).
moz on June 5, 2008 8:03 PM
Finally, someone says it - this ought to actually be shouted from rooftops.
Ok, yeah, so that is awful... but
> As a software developer, you should never ask a user for their email credentials.
What if you're creating a mail client? So, what's a mail client? How do you define this?
By virtue of accessing the user's email a piece of software becomes a mail client, and, as such, it becomes reasonable to ask for email credentials.
I agree with the POV in this instance, but, as software developers a more important lesson is to not take any principle as an absolute.
Someone mentioned Adium (instant messaging client). Of course it's OK to enter all your accounts into Adium. The developers of Adium don't see your passwords. AOL doesn't see your MSN password. Google doesn't see your Yahoo password. Etcetera. They are stored encrypted on your hard drive and only given out to the originating services.
Chris L on June 5, 2008 8:54 PM
It's crazy how important your email address is when you stop to think about it. I never like those forms either. You hear stories in the news all the time about 'lost laptops' containing 'thousands of users information' and such. The last thing I need is someone getting into my email and gaining access to all my information.
Tim Jahn on June 5, 2008 8:59 PM
Excellent article. Well done.
Totally agree with you. I am totally security paranoid and I never understood why people would share their info this easily. People who don't live on the internet will start to think it's normal to enter your details on any website.
Dieter on June 5, 2008 10:16 PM
To those who ask: "I need to give my email password to Thunderbird, isn't that evil, too?"
I think one needs to distinguish two types of trust (or insecurity):
The necessary insecurity and the unnecessary.
It is necessary to trust the email client enough to give it your password, because it would be impossible for the email client to get your emails without your password. (I do not distinguish between entering the password once and storing it and entering it every time, as I can steal it in both cases if I want.)
Furthermore, I think that getting your emails manually and passing them to the client manually somehow kinda defeats the point of some email-client.
Thus, /the email-client cannot work properly without that mail password/.
On the other hand, there are sites like Yelp and similar. Giving your password into their greasy fingers is some unnecessary insecurity, as it is perfectly possible to get the contact list without your password.
Furthermore, just feeding the contact list in there manually does not defeat the point of such a site (that is, meet other people), as it is done once and never again.
Thus, /social networking sites do not need your mail password at all/!
And still, those social networking sites demand your password and refuse to work without it. Exactly this behavior is the problem Jeff wants to point out - and I agree with him on that.
Hk on June 5, 2008 10:46 PM
I completely agree; the only software I will give my email credentials to resides on my PC and is possibly open source. I trust no one for this sort of thing.
And I DO find it dangerous that naive people could become used to thinking that asking for this sort of thing is OK...
"If I tell you my email address is scott@gmail.com (which it's not), the website should be smart enough to see @gmail.com, and think... oh, he's using Gmail!"
The trouble with that one is Google Apps For Your Domain.
"Any reason why I can't do [contact export/input] for a social site? They could include easy-to-follow instructions..."
I would suspect switching to another application alone is too annoying for most users. You want the barrier to entry to be as low as possible (someone should tell that to the people who insist on harvesting massive amounts of data on registration forms to post a comment).
To the people who don't see this as a problem - sure you can change your password before and after, but people don't think too much. And the more services that do this, the more people think it's normal, don't bat an eyelid and blindly enter their password on any and every site that asks. And that will include a portion of people who use a different password for their email (I know people that do both) so you'll get wider coverage and more assurance than trying out people's registered passwords against their email.
[ICR] on June 6, 2008 12:33 AM
"I'd just like some ideas on what WE, as software developers, can do to combat this evil, insidious practice."
I'd say if it's likely you're going to get into this situation take a good look at the alternatives first. Things like OAuth and OpenSocial. Learn how they're implemented and how you would integrate them. Then when you're asked to do this you can point out the flaws, the alternatives and assure them you already know how to implement them. Though needlessly learning the technology is time consuming. At least know what they are.
[ICR] on June 6, 2008 12:38 AM
"Someone mentioned Adium (instant messaging client). Of course it's OK to enter all your accounts into Adium. The developers of Adium don't see your passwords. AOL doesn't see your MSN password. Google doesn't see your Yahoo password. Etcetera. They are stored encrypted on your hard drive and only given out to the originating services."
This is likely the case, and as Adium is open source it's possible to check (not possible, really, for everyone, but that's by-the-by). My point was that you need to trust the Adium developers that they aren't harvesting your information for malevolent ends, just like you'd need to trust Facebook. So if Adium is OK, is a web-based IM client like Meebo (setting aside, for the moment, that they don't use SSL)? Hk's comment above puts it quite well.
Douglas Greenshields on June 6, 2008 3:02 AM
I wholeheartedly agree.
steven512 on June 6, 2008 3:48 AM
Well, it's just a matter of "Do you trust them?". E.g. you can also tell Google Mail to fetch all your mails from another e-mail account via POP3. In that case they'll need your master password, too. On the other hand, if you don't trust Google Mail, you should not even use it, because they will get all your mails (with all your passwords) anyway if you use it actively.
People hand out sensitive data way too easily these days. Often you just need to ask for it and they will tell you without even thinking for 2 seconds that this might not be a good idea at all. E.g. in Europe EC cards are much more important than credit cards. Everyone has one and almost every store takes them (credit cards are usually only accepted by some restaurants and by very few stores). In some stores you still pay with them by signing a bill (just like with a credit card), however most stores have an online system today. The card is scanned and you are prompted for the card's PIN. Some card data and the PIN are calculated into a secret key, an online connection is established to the bank and some challenge/response is performed to verify the validity of the card's data and of the PIN, and last but not least the bank will also say whether a transfer of that much money is authorized.
Since you can also use EC cards to get cash (not just for shopping), if you have the card and know the PIN, you can easily clear the bank account. Copying an EC card takes a couple of seconds and there are devices that will do so for little money. The only thing that protects your bank account from abuse is the PIN. All security depends on that PIN.
Here's a real life story: I was at a supermarket, buying some groceries. The guy in front of me paid by EC card. He gave the card to the cashier and then placed more stuff into his shopping cart, not looking at what the cashier was doing with his card. She could have copied it and the guy would never have noticed. Now the cashier says "Sir, would you please enter your PIN at the terminal?" and he, still busy rearranging bags in his shopping cart, replies "Just enter XXXX, that's my PIN". I heard it, everyone behind me did, and the cashier entered the PIN on behalf of the customer. If she had copied the card, she would now have the PIN and could go on a nice shopping trip.
Most people have no sense for sensitive data nowadays. And that is the reason why governments are spying on their citizens so much (every year citizens get less privacy and government organizations get more authorizations), as the citizens don't care. I'm waiting for the day someone puts his credit card number on Facebook saying "Here's my VISA number ..., but please, don't abuse it".
Mecki on June 6, 2008 3:53 AM
Hi Jeff,
I have read quite a lot on .Net, programming, performance, etc., typically very important and very much related to Jr. developers like me.
But recently your posts seem to be getting a little away from them. (Maybe my perception... and maybe wrong...)
But it will be great to see some posts from you on those topics again.
Hi Jeff,
I have read quite a lot on .Net, programming, performance, etc., typically very important and very much related to Jr. developers like me, from your blog.
But recently your posts seem to be getting a little away from them. (Maybe my perception... and maybe wrong...)
But it will be great to see some posts from you on those topics again.
Hi Jeff,
I have read quite a lot on .Net, programming, performance, etc., typically very important and very much related to Jr. developers like me, from your blog.
But recently your posts seem to be getting a little away from them. (Maybe my perception... and maybe wrong...)
But it will be great to see some posts from you on those topics again.
Hi Jeff,
I have read quite a lot on .Net, programming, performance, etc., typically very important and very much related to Jr. developers like me, from your blog.
But recently your posts seem to be getting a little away from them. (Maybe my perception... and maybe wrong...)
But it will be great to see some posts from you on those topics again.
Communist, damn communist!
Mac on June 6, 2008 4:41 AM
One possible solution could be to allow users to upload their address book meta files in csv or outlook/vcf formats. E.g. gmail allows you to export your contacts in many formats. Sites that want to search your contacts can use this as a reference.
Ajo Paul on June 6, 2008 4:51 AM
I came across one of these the other day. Someone sent a link to me via Live Messenger and that was the first page I was greeted with. The URL reported to hold photos belonging to that person. My friend wasn't online at the time, so I couldn't ask why they trust it. I just stopped and thought exactly like you, Jeff: why the hell do you expect me to trust you with my email password? It's like giving them a rubber glove and bending over!
Matt on June 6, 2008 6:55 AM
I'm going to break my golden rule and not read through the other 172 comments. Why? Because, *even if other people have pointed this out,* it bears repeating.
Get a second email address for these things. It really isn't that difficult to notice that "things that might cost me money through fraud" and "things that are way cool because they're so, like, you know, Web 2.0" fall into separate categories.
Why on earth should they not fall into separate email boxen?
real_aardvark on June 6, 2008 7:15 AM
I once worked for a site that required registration.
As an experiment I compared our user passwords and email addresses and logged into several online email accounts belonging to our users (I didn't open individual mails). Not quite the same, but it just goes to show how uneducated and stupid users can be. Never use the same password for your email and any other site that has your email address (i.e. all of them). You just don't know who has access.
StumbleUpon does something similar. I wrote a post about that: http://www.conwex.info/blog/index.php/2008/01/08/stumbleupon-privacy-risks/.
What's more, if you choose Outlook, i.e. tick the radio button next to the Outlook logo, it will immediately start downloading an add-on called StumbledUpon Contact Import. I hope that you have a proper security level set in your browser; otherwise you will provide them with a list of all your Outlook contacts with just one (even accidental) click.
Many other social networking sites do something similar.
Dragan on June 6, 2008 7:53 AM
@Hrishi: I think you misunderstood the purpose of this blog. (Four times, even! Heheheh.)
Adam on June 6, 2008 9:18 AM
I have no problem with sites that use Passport authentication - redirecting you to Windows Live to login with a single sign on that works across multiple applications that's still safe to use because you're actually on Microsoft's site when you log in. Maybe Google should come up with something like that. (Unless they already have, in which case I need to read up more on Google's services)
Joe Enos on June 6, 2008 9:21 AM
Just because I want to vent along with everyone else, the other problem with a site like this is that now you've given out all your friends' emails. Sure, they say they won't spam you, but you need to define spam.
Reunion.com has recently been sending me a slew of emails because someone must have done something like this. Sure, Reunion.com doesn't consider it spam. But I sure do!
(Especially after having gotten 4-5 messages like "Hey, your friend Mike has tried to get hold of you. Sign up now to see what they want.")
(uh, text not exactly quoted.)
Whew. thanks. I vented, pointed fingers, and everything else. I feel better.
I'm surprised this was news to you. ZILLIONS of sites do this. I like the way they are so cavalier about it, they don't even promise not to store your PW. They make it seem normal - like everyone does it. And they do.
George Lucas on June 6, 2008 10:02 AM
Interesting that Yelp doesn't get the part of Web 2.0 where you have to sack up, face, and then respond to this type of criticism?
Silently watching this thread and not saying anything... which should be sufficient confirmation that this is truly an implementation that someone in their position should know better about. Sad.
Pipe up, bitches, get contrite. Your credibility wanes.
Grant on June 6, 2008 10:10 AM
Who said that e-mail should be used for anything important?
Besides, multiple accounts are not too hard to manage: ones for cheap insecure entertainment stuff, others - for something you wouldn't discuss on a public troll and phish infected forum.
@Jem I agree that it's infuriating to have the result of an "I forgot my password" function sending your password in plain text. Don't people know that email is so damn easy to intercept? If a site's security policy allows the sending of plain text passwords in email, then how secure is the rest of their system?
I was thrilled to see that RescueTime not only didn't email passwords as plain text but mocked those who do:
http://twitter.com/dharrels/statuses/792009363
59xk$$mv9<F
there you go.
Jason on June 6, 2008 11:57 AM
@George Lucas: Considering Jeff's previous post on this topic, I don't think it's that new to him...
Adam on June 6, 2008 12:22 PM
Couldn't agree more!
I wanted to use a similar setup for LinkedIn a few months ago. I'm glad they offered me a .csv file option, as the last thing I was willing to do was give out my login information. No one, except my wife, is trustworthy enough to have that much information.
Frazell Thomas on June 6, 2008 12:34 PM
> Here is an idea. Just an idea. Do not keep sensitive personal
> information in your web mail inbox.
You must have missed part of the post. The issue isn't that they might go scrape existing personal info out of your mailbox. The issue is that your main email account is essentially your master password file for the entire internet. Even if you keep your inbox totally clean, you are not safe. All someone has to do is go to various useful account holders around the net (eg: Facebook, WorldofWarcraft.com, ebay, etc), follow the "forgot my password / account name" link, and said info will be freshly mailed into that inbox for them.
I don't know about Facebook and ebay scammers, but I know the gold farmers that plague World of Warcraft would love to do this to you if you let them. They just recently stole thousands of WoW accounts via a flash exploit they posted on sites WoW players hang out. Doing something like this Yelp thing (or just hacking into Yelp's servers where your password is stored) would be cake for them.
T.E.D. on June 6, 2008 1:06 PM
I think that one piece of the puzzle is being missed here:
Many users of social network sites WANT this. They are more concerned about being able to easily import their contacts than they are about keeping their email secure.
So what do you do? Provide the tool that the users want, or lose them to someone who does?
I once had someone refer me to a website (likely an automagic email sent by pressing a button).
It was a networking site very similar to linked in...
and it actually asked for my linkedin password.
They seemed like a direct competitor, yet they had the balls to ask for access to my linked in account?
Very bizarre, big fail, and obviously I closed my browser window on that one.
duh
"I think that one piece of the puzzle is being missed here:
Many users of social network sites WANT this. They are more concerned about being able to easily import their contacts than they are about keeping their email secure.
So what do you do? Provide the tool that the users want, or lose them to someone who does?"
I don't really see many people not using a social networking site because they lack this feature. Mainly it's a tool used to increase activity on these sites as a direct result of using the tool.
But even if that was the case, there comes a point when yes, you may want to deny your users a tool of convenience that leads to a culture of insecurity while you lobby for a safer alternative, rather than provide that tool and become part of the problem. But I guess it depends on whether or not milking every possible penny is more important than maintaining any kind of principles.
Gerald on June 7, 2008 1:58 AM
i like the 'valet key' idea. one could have exactly one, to re-use with every entity, so it's not like one would have a ton of new passwords to remember. in fact, depending on how it was set up, one could even use it oneself on a public machine, if all one wished to do was check something not-terribly-sensitive.
for my job, i have a vendor in france who has had this very thing at least since i first started using them about eight years ago. i give that password to support staff. another of my vendors has me administer our account, assigning privileges and passwords to support staff, which has the same net effect -- that is more work for me, but allows me to customize privileges.
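The delegated, scoped access that Dare's post, FriendFeed's remote key and the 'valet key' comments above describe, as an added example that is not from the post or any commenter: a toy mail provider that issues a token for the contacts scope only, so a site can find mutual contacts but never read the inbox, and the user can revoke that one site without changing the password. All names, addresses and messages are constructed.

```python
"""Scoped, revocable delegated access versus handing over the mailbox password.

Added example; the provider, site, users and data are all constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    """Contacts are what a social site legitimately wants; the inbox is not."""
    salt: bytes
    password_hash: bytes
    contacts: list
    inbox: list


class MailProvider:
    """Can hand out the whole account for a password (the anti-pattern) or
    issue a token limited to a scope the user approved on the provider's site."""

    def __init__(self):
        self.accounts = {}
        self.tokens = {}  # token -> (username, frozenset of scopes)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, contacts, inbox):
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(
            salt, self._hash(password, salt), list(contacts), list(inbox))

    def _check_password(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(
            self._hash(password, acct.salt), acct.password_hash)

    def login(self, username, password):
        """Password login: whoever holds the password gets everything."""
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        return self.accounts[username]

    def grant(self, username, password, scopes):
        """The user, not the third party, authenticates here and approves a
        scope; the third party only ever receives the token."""
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, frozenset(scopes))
        return token

    def revoke(self, token):
        """Cut off one site without touching the password."""
        self.tokens.pop(token, None)

    def read(self, token, resource):
        entry = self.tokens.get(token)
        if entry is None:
            raise PermissionError("token revoked or unknown")
        username, scopes = entry
        if resource not in scopes:
            raise PermissionError("token not authorised for " + resource)
        return list(getattr(self.accounts[username], resource))


class SocialSite:
    """The third party; its only legitimate need is address book ∩ members."""

    def __init__(self, provider, members):
        self.provider = provider
        self.members = set(members)

    def find_friends_with_password(self, username, password):
        acct = self.provider.login(username, password)
        # Nothing stops this code path from also reading the inbox.
        return sorted(c for c in acct.contacts if c in self.members), list(acct.inbox)

    def find_friends_with_token(self, token):
        contacts = self.provider.read(token, "contacts")
        return sorted(c for c in contacts if c in self.members)

    def can_read_inbox(self, token):
        try:
            self.provider.read(token, "inbox")
            return True
        except PermissionError:
            return False


def demo():
    """Constructed walk-through; returns what each approach exposes."""
    provider = MailProvider()
    provider.register("alice", "correct horse",
                      ["bob@example.com", "carol@example.com", "dan@example.com"],
                      ["statement from bank", "password reset for shop"])
    site = SocialSite(provider, ["carol@example.com", "dan@example.com", "erin@example.com"])

    friends_pw, inbox_seen = site.find_friends_with_password("alice", "correct horse")
    token = provider.grant("alice", "correct horse", ["contacts"])
    friends_tok = site.find_friends_with_token(token)
    inbox_leaked = site.can_read_inbox(token)
    provider.revoke(token)
    try:
        site.find_friends_with_token(token)
        usable_after_revoke = True
    except PermissionError:
        usable_after_revoke = False
    return {"friends_via_password": friends_pw,
            "inbox_exposed_via_password": len(inbox_seen),
            "friends_via_token": friends_tok,
            "inbox_exposed_via_token": inbox_leaked,
            "token_usable_after_revoke": usable_after_revoke}
```

Both paths find the same two mutual contacts; only the password path also exposes the inbox, and only the token path can be switched off afterwards.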
thorn on June 7, 2008 8:51 AM
What about the chat (Google Talk) portion in the sidebar of Gmail that allows the integration of AIM contacts?
What do they ask for?
1. AIM screenname
2. AIM password
:-(
@Robert: Google has partnered with AOL for that feature, so rest assured that it is safe. ;)
Fyora on June 7, 2008 7:48 PM
Cafepress does the same thing when you buy an item, asking for the password for your email account so you can invite friends from your contact list. Of course there is a 'Skip' option, but I wonder how many people are actually dumb enough to put in their password.
How come they all have the same screen? It looks to me like they are all using a plugin, or perhaps a screen from their library, provided by *somebody else*.
Trusting a third party, and another third party chosen by them. Help.
Of course, this would only be a problem in a world with problems with identity theft, credit card fraud, and inappropriate commercial use of personal information for corporate gain. Luckily we don't live in a world like that!
Peter on June 7, 2008 11:16 PM
Very funny, I wrote a few days ago:
http://www.q-software-solutions.de/hiki/?2008-05-01
I stopped using any consumer cards, stopped collecting values stamps and all that kind of stuff. The only "benefits" of this BigBrother community stuff, I can see are giving even more food for Spam and worse things...
Idiotic
Friedrich
LMAO - I LOVE that screenshot "here's how I see that page"
I could not agree more with the article though, they're not the only people who do it - as far as I remember Twitter do it too and actually make it impossible to avoid completing this form, the only way I was able to get past it was to enter a fake email address and password.
At least Yelp offer a 'skip this step' link
John on June 8, 2008 10:40 AM
Yeah, I saw that site recently. Nearly signed up, too.
But my email password? Not happenin' Jack!
BillinDetroit on June 8, 2008 1:14 PM
Why would one like to share their password with any site (either trustworthy or some email hacking tool), just to check whether their contacts are there on this site or not???
It's totally ridiculous!!!
Getting social on these kind of sites is nice but not at the cost of sharing ( or giving ) my Email password. NO WAY MAN!!!!
Neways Nice post.
Ruvi on June 9, 2008 3:31 AM
Thank you Mecki, that's what I was getting at.
I'm not arguing that these sites are right, but when did client responsibility go out the door?
Why bad-mouth LinkedIn and Facebook, but give GMail our POP passwords to other accounts to scrape everything?
My question is simply this: Why is Google Good and LinkedIn/Facebook evil?
Baz L on June 9, 2008 5:51 AM
I agree. That is really intrusive. I've been using Yelp for the last year+ (though writing markedly less reviews over the past 6 months) so must have missed that crazy sign-up page. My head would have probably set on fire if I had encountered that screen, so Jeff, I applaud you for not smashing every item in your office like the Incredible Hulk. Good restraint.
Stephen Rylander on June 9, 2008 8:41 AM
Twitter asks for the same information, ostensibly for the same "ease of use" reason, since it's a whole lot easier than typing in your address book. I, however, am reluctant to give my e-mail address to my wife, let alone some web-fad-of-the-day. They should really allow an import address book option if you don't want them to root through your address book and have your password.
Louis on June 9, 2008 9:44 PM
Hey there, really love your site, please keep up the great work!
BUT, didn't you write about this exact same thing last year???
http://www.codinghorror.com/blog/archives/000953.html
Tom on June 9, 2008 11:59 PM
What about web mashups like orgoo? Do you think these should not be used as you need to supply email account passwords?
Jason on June 10, 2008 12:29 PM
hey Jeff -
i'm a bit late to the party (sorry running the Graphing Social Patterns East conference last few days), however i posted some related thoughts on this a few weeks back here:
http://500hats.typepad.com/500blogs/2008/05/memo-to-google.html
"Memo to Google, Yahoo, Microsoft, & AOL: How to Turn 500M email logins into Facebook Platform & a Crapload of Revenue"
the idea is to use 3rd-party access to messaging data stores (ie, your Gmail / Hotmail / Yahoomail accounts) & combine that with data on messaging frequency & keyword relevance to CONSTRAIN the # of relevant people in your network to only the top 3-10.
with this method, websites don't need to mine your entire address book, they just need to popup or share a list of your most relevant contacts, based on the relevant context.
in other words: less is more :)
- dave mcclure
I've run into a couple of websites that ask this. With some of them, you can skip this step but not all. It seems very invasive.
Liz on June 11, 2008 1:39 PM
I never thought about this before. I'm an amateur web dev but I have never thought about it this way.
I guess even if it takes longer, I can still look myself.
Excellent article. Thanks for the alerts.
The Contacts API solution is not a reliable one. How does a web user know what is done in the background? Whether the API is used or not?
How does one know / ensure that the password is *not stored* ?
I could build a site, that invokes the API, and still stores the passwords.
As the main article says, better *not* to give them our email passwords.
For individual logins for different sites, OpenID could be a convenient solution.
Ranganathan on June 13, 2008 12:25 AM
http://www.ymessengerblog.com/blog/2008/06/13/new-improved-import-contacts-feature/
random on June 13, 2008 4:06 PM
I made the error of giving out my password when I signed up for Twitter. Later that day my Yahoo email stopped working. Then I get a call from the bank to verify some suspicious charges. You guessed it - someone hacked my email account from the credentials I gave on Twitter and ran up over $2k on one of my credit cards. Thankfully I straightened everything out, but I never got my Yahoo password back. I sent an email to Twitter support about this and later I got a response that stated:
"Hi,
Thanks for your email. We think we've fixed the bug that caused this problem. If you're still having issues, please let us know. Thanks for your patience, and happy Twittering!
Cheers,
Twitter Support"
I'm not saying Twitter was at fault but from that email you can draw your own conclusions. NEVER ever ever give out your email password, no matter how trusted the site may seem.
Seth Young on June 13, 2008 8:36 PM
http://gregorytomlinson.com/encoded/2008/06/16/here-are-my-passwords/
Gregory on June 16, 2008 11:00 AM
Agreed wholeheartedly. Note that it is possible to change your email account's password, enter the new password, let Yelp scavenge your email account, and then change your password back.
Ruudjah on June 17, 2008 8:13 AM
One workaround: change your password temporarily, give it to a site you TRUST, let it snarf your contact list, then change your password back.
It's better than just handing over your regular password (but not much).
Come on dude, just change the password after :| Unless you think that they have something that will open your inbox and scan all your emails right away......
hello on June 19, 2008 1:08 PM
why not just change your password after you finish?
geniuses
Wow...thanks for posting this.
Somebody just left the link to this post of yours on my blog, on a posting I did about how goodreads spams your address book.
If you're interested, since you don't allow html, it's advicegoddess dot com and search goodreads. Mamasource is another site that does that as well.
Amy Alkon on July 6, 2008 12:21 PM
Pandora has one of those too. Make a new account and it says
Your email: xxx@xxx
Your email password: xxxxxxxxx
Oh noes!
First comment on your blog, though I've been reading it for about 1 - 1 1/2 years.
Mr Algebra on July 13, 2008 1:26 PM
I just signed on to facebook. They have the same feature and they support SO many email services. But not comma separated files! How cruel is this?!
David on July 14, 2008 4:53 AM
2:06 in the night here in Italy. I just had another web page open in the bar menu. It is the page where LinkedIn asked for my mail password. So weird to me.
No way of course to give them my pass: I just made a google search looking for "LinnkedIn "+"password" and after some pages found You.
I'm happy to have found you, just confirmed my thesis, I'm not giving my pass ever, this case included!
Thanks
ciao
some one
AMER on July 30, 2008 1:08 PM
Easy way around it - change your email password temporarily - let the service log in to do its thing - then change it back. Not perfect, but it works.
john doe on August 5, 2008 2:31 PM
Words fail me, quite frankly. How can anyone be so daft as to code this, let alone fall for it. Reminds me of a friend of mine whose Facebook account got hi-jacked and the perpetrator then started sending offensive messages in her name. Applications to Facebook to shut the account down were, you guessed it, IGNORED (hope you're listening guys, but I doubt it).
On a vaguely related note, I have discovered that entering your email address into just about any forum / social networking site generates spam, sooner or later. Somehow, the spammers just latch on to it. Be careful out there.
Paul Sanders
www.alpinesoft.co.uk
Great post - found it searching for this topic.
I understand you focused on the password issue - but isn't there an issue of did any of those folks in your Outlook, Gmail, Yahoo or other contacts - did any of these folks approve the fact that you are forking over their contact information?
I think I could give Twitter, Facebook, Plaxo and the others my contact information - but how can I give up the other several hundred or several thousand folks in my database?
We're looking for blog posts and articles about that privacy issue. If you know of any - send them our way.
Michael Benidt on December 12, 2008 5:53 AM
Yelp.com ... something devious going on!!!
I feel exactly the same. I get very tired of wanting to reply to comments online only to learn I have to go through a registration process. I however was so pissed off with the service I have received from Broadstripe in Seattle that I felt the need to go through the effort. I start signing up and I get to the email password part and I was completely floored. That is nothing anyone (web site etc..) should request! What the hell is this site about? It has to be up to no good. I would love to chat with whoever came up with this business model. Either he/she is a complete idiot or they assume everyone else is.
Jim B.
Jim on January 8, 2009 9:22 PM
After reading the previous responses I am sorry I ever entered mine. Goodbye all (hopefully).
Incognito (hopefully)
Jim on January 8, 2009 9:28 PM
interesting. I am so sick of yelp, but this seems... umm.. silly.
Don't give them your credentials?
So easy to deal with...
create a fake email, or just bypass that screen. But this is de rigueur for all sites.
Just ignore it.
unclefishbits on January 13, 2009 11:36 PM
Wow. You guys are conspiratorial paranoids. Hope the tinfoil hat helps.
unclefishbits on January 13, 2009 11:37 PM
Why on earth does the writer spend so much time on this and presumably does not even think to contact Yelp? Here was a potentially interesting piece made so much less simply by not contacting the offending party for some sort of input.
Ted on July 10, 2009 6:46 AM
i think this is a real good idea, getting a new email & password, a great idea
michael on July 21, 2009 10:39 AM
Content (c) 2009 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved.