Please Give Us Your Email Password

A number of people whose opinions I greatly respect have turned me on to Yelp over the last six months or so. Yelp is a community review site, and a great way to discover cool new places in whatever neighborhood you happen to be in.

This is a companion discussion topic for the original blog entry at:

I forgot to ask:

What’s all this ranting and raving about the ContacT APIs? Didn’t Google just release their’s in March 08?

Commonsense trumps technology every time. No matter what sort of technological breakthroughs we make, dumb people (like myself, some would argue because I use Mint) are going to do dumb things.

@Baz, I think you trust people too much. Being a little paranoid makes you ask the sorts of questions that Jeff is trying to get across to you.

  • Nobody gets my (g)mail password.
  • Yes, I have different strong passwords for every site that I care about. (i use keepass, so it’s easy)
  • Yes I have different email addresses (although that’s almost more pain than it’s worth, more an accident of history and keeping old ones open)
  • For the rest of the websites I could care less about the password is usually something along the lines of ‘thiswebsiteisrubbish’ so it’s real easy to remember.
  • Using the (which is probably a big scam too) works for those things that force you to give an email, because I don’t even like giving my email out, let alone my password. Good for a one-off looksie though.

I don’t use credit cards, and I don’t even like using direct debit, etc. I prefer to pay cash and not be tracked too much. It’s not that I’m inherently paranoid, but keeping the s/n ratio in your favor is better.

Online identity is pretty much linked to the email addresses you use. To me, it often feels like I’m having to show my passport and drivers license and fill in a marketing survey just to walk into Starbucks, let alone buy anything. Sorry no dice. But hey, I’m glad there are people like you out there, because nobody’s gonna notice me when there’s an easy mark.

PS to others: avoiding spam is impossible, unless you have no friends, because there’s always one person who pisses in the pool.

I blame Facebook, I believe they were one of the first to scrape your email account for contacts, and after that, every dumbass incompetent programmer with a half-baked social networking site thought it was A-OK, and their users happily complied.

Dare Obasanjo describes the right way to do this, and what Google, Microsoft and others are adopting - delegated authority - the user approves the application’s request for some data (such as Contacts) without sharing any credentials with the piece of shit application that requested it.

Seriously, I hate programmers who do this kind of crap, I hope they all lose their jobs.

I agree. I NEVER use these tools for exactly that reason… even if I think you’ll be a good citizen about it.

Can we just please start using openauth already? Sheesh.

Great post. I happily provided a bunch of companies with my e-mail and password information before it dawned on me that this was a very dumb move. I quickly changed by e-mail password and learned an important lesson.


And personnally, I don’t like it when my friends sign up for this things and then these things start sending me email.

Hey Jeff, I hope after this post (and the response) you consider writing about OAuth and our soon-to-be-released Portable Contacts API project, which directly addresses this issue.

It’s a problem that has been worked on for some time and we are on the verge of “solving it”, so thanks for bringing some much needed attention to the current depth of the problem! Here are some posts that might be of some interest:


I’ve used the contacts import from Facebook, but like a couple of other people here I changed my password before and after the process.

The difficulty is that it’s so damn convenient to be able to give this one little bit of information and have all the people you know added in one hit.

It’s a problem that really should be addressed. If there’s a contacts API available that does the job without compromising security (and it appears there is) then that’s perfect - but why isn’t it being used?

openID and Dataportability ( )

give the ‘export CSV’ a button and a catchy name for gmail and M$oft + Y! to show prominently.

As [ICR][1] pointed out, the OpenSocial framework, as of version 0.8, includes a RESTful API that can be used to fetch friends directly. It’s still not quite the portability that Chris Messina and the folks are talking about, but it’s a step in the right direction.

Sadly, this “get your password and screen scrape” is the current state of the art. It sucks.


When I encounter this type of thing and I would like it to scan my address book, I temporarily change my email password to something else… Register with the site… and then change it back to what it was originally. So even if someone tried to use the password given to (Yelp in this case) it would not be the current one to access my email.

Simple. (A hassle, but simple enough to work around.)

I agree - these types of scenaros make me feel very uncomfortable.

Perhaps a useful way forwards would be standard e-mail provider API that could be queried to provide the information needed without giving any other credentials to the brokering website.

Although at first thought this would still requiring asking for some level of credentials from the user…

Facebook does the same thing. I refused.

Right, and once we remove the stupid option from the table (hey, I know, we’ll just ask the user for their master password!), we’re actually encouraged to find a better solution to the problem.

Such as…

  • alternate lower-permission credentials
  • making parts of your email identity completely public
  • temporary time limited credentials
  • “passes” or “keys” you can give out / grant


I’d be royally pissed if I ran into something like this. Then again, I’ve decided to ignore any attempts by social networking sites to enroll me to their ranks of page ad revenue cattle.

I agree 100%. It is a terrible practice.

I don’t know if you’re aware of this, but your “number one with a bullet” has a number one, but not a bullet.

If you’ll just let me have your email password I’ll show you how to add a bullet to it as well.