Please Give Us Your Email Password

I once worked for a site that required registration.
As an experiment I compared our user passwords and email addresses and logged into several online email accounts belonging to our users (I didn’t open individual mails). Not quite the same, but it just goes to show how uneducated and stupid users can be. Never use the same password for your email and any other site that has your email address (i.e. all of them). You just don’t know who has access.

StumbleUpon does something similar. I wrote a post about that: http://www.conwex.info/blog/index.php/2008/01/08/stumbleupon-privacy-risks/.

Much more, if you choose Outlook, i.e. tick the radio button next to the Outlook logo, it will immediately start downloading an add-on called StumbleUpon Contact Import. I hope that you have a proper security level set in your browser; otherwise you will provide them with a list of all your Outlook contacts with just one (even accidental) click.

Many other social networking sites do the same.

@Hrishi: I think you misunderstood the purpose of this blog. (Four times, even! Heheheh.)

I have no problem with sites that use Passport authentication - redirecting you to Windows Live to log in with a single sign-on that works across multiple applications. That’s still safe to use because you’re actually on Microsoft’s site when you log in. Maybe Google should come up with something like that. (Unless they already have, in which case I need to read up more on Google’s services.)

I once had someone refer me to a website (likely an automagic email sent by pressing a button).

It was a networking site very similar to LinkedIn…
and it actually asked for my LinkedIn password.

They seemed like a direct competitor, yet they had the balls to ask for access to my LinkedIn account?

Very bizarre, big fail, and obviously I closed my browser window on that one.

duh

Just because I want to vent along with everyone else, the other problem with a site like this is that now you’ve given out all your friends emails. Sure, they say they won’t spam you, but you need to define spam.

Reunion.com has recently been sending me a slew of emails because someone must have done something like this. Sure, Reunion.com doesn’t consider it spam. But I sure do!
(Especially after having gotten 4-5 messages like “Hey, your friend Mike has tried to get hold of you. Sign up now to see what they want.”)
(uh, text not exactly quoted.)

Whew. thanks. I vented, pointed fingers, and everything else. I feel better.

I’m surprised this was news to you. ZILLIONS of sites do this. I like the way they are so cavalier about it, they don’t even promise not to store your PW. They make it seem normal - like everyone does it. And they do.

Interesting that Yelp doesn’t get the part of Web 2.0 where you have to sack up, face, and then respond to this type of criticism?

Silently watching this thread and not saying anything… which should be sufficient confirmation that this is a truly implementation that someone in their position should know better about. Sad.

Pipe up, bitches, get contrite. Your credibility wanes.

Who said that e-mail should be used for anything important?
Besides, multiple accounts are not too hard to manage: ones for cheap insecure entertainment stuff, others - for something you wouldn’t discuss on a public troll and phish infected forum.

@Jem I agree that it’s infuriating to have the result of an “I forgot my password” function sending your password in plain text. Don’t people know that email is so damn easy to intercept? If a site’s security policy allows the sending of plain text passwords in email, then how secure is the rest of their system?

I was thrilled to see that RescueTime not only didn’t email passwords as plain text but mocked those who do:
http://twitter.com/dharrels/statuses/792009363

@George Lucas: Considering Jeff’s previous post on this topic, I don’t think it’s that new to him…

"If I tell you my email address is scott@gmail.com (which it’s not), the website should be smart enough to see @gmail.com, and think… oh, he’s using Gmail!"
The trouble with that one is Google Apps For Your Domain.

"Any reason why I can’t do [contact export/input] for a social site? They could include easy-to-follow instructions…"
I would suspect switching to another application alone is too annoying for most users. You want the barrier to entry to be as low as possible (someone should tell that to the people who insist on harvesting massive amounts of data on registration forms to post a comment).

To the people who don’t see this as a problem - sure, you can change your password before and after, but people don’t think too much. And the more services that do this, the more people think it’s normal, don’t bat an eyelid and blindly enter their password on any and every site that asks. And that will include a portion of people who use a different password for their email (I know people that do both), so you’ll get wider coverage and more assurance than trying out people’s registered passwords against their email.

Couldn’t agree more!

I wanted to use a similar setup for LinkedIn a few months ago. I’m glad they offered me a .csv file option, as the last thing I was willing to do was give out my login information. No one, except my wife, is trustworthy enough to have that much information.

“I’d just like some ideas on what WE, as software developers, can do to combat this evil, insidious practice.”

I’d say if it’s likely you’re going to get into this situation take a good look at the alternatives first. Things like OAuth and OpenSocial. Learn how they’re implemented and how you would integrate them. Then when you’re asked to do this you can point out the flaws, the alternatives and assure them you already know how to implement them. Though needlessly learning the technology is time consuming. At least know what they are.

"I think that one piece of the puzzle is being missed here:

Many users of social network sites WANT this. They are more concerned about being able to easily import their contacts than they are about keeping their email secure.

So what do you do? Provide the tool that the users want, or lose them to someone who does?"

I don’t really see many people not using a social networking site because they lack this feature. Mainly it’s a tool used to increase activity on these sites as a direct result of using the tool.

But even if that was the case, there comes a point when yes, you may want to deny your users a tool of convenience that leads to a culture of insecurity while you lobby for a safer alternative, rather than provide that tool and become part of the problem. But I guess it depends on whether or not milking every possible penny is more important than maintaining any kind of principles.

What about the chat (Google Talk) portion in the sidebar of Gmail that allows the integration of AIM contacts?
What do they ask for?

  1. AIM screenname
  2. AIM password
  :(

@Robert: Google has partnered with AOL for that feature, so rest assured that it is safe. ;)

i like the ‘valet key’ idea. one could have exactly one, to re-use with every entity, so it’s not like one would have a ton of new passwords to remember. in fact, depending on how it was set up, one could even use it oneself on a public machine, if all one wished to do was check something not-terribly-sensitive.

for my job, i have a vendor in france who has had this very thing at least since i first started using them about eight years ago. i give that password to support staff. another of my vendors has me administer our account, assigning privileges and passwords to support staff, which has the same net effect – that is more work for me, but allows me to customize privileges.
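As an added illustration of the "valet key" idea above (and of the OAuth-style delegated access suggested earlier in the thread), here is a small Python sketch that is not code from the post or from any commenter. The provider secret, the token format, the scope names and the contact data are all constructed assumptions; the point is that the third party gets a scoped, expiring, revocable token and never the mailbox password.

```python
# Added example (not from the thread): a minimal "valet key" for contact import.
# Instead of handing a site your mailbox password, the mail provider issues a
# signed token limited to one scope ("contacts:read"), with an expiry, that the
# user can revoke. Provider secret, token format and endpoint are assumptions.
import hmac, hashlib, json, base64

PROVIDER_SECRET = b"assumed-provider-signing-key"   # constructed; kept server-side
REVOKED = set()                                     # token ids the user has revoked

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_valet_key(user, scope, ttl, now, token_id):
    """Mint a token the user hands to a third party; it never contains the password."""
    claims = {"sub": user, "scope": scope, "exp": now + ttl, "jti": token_id}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(PROVIDER_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def check_valet_key(token, required_scope, now):
    """Return (claims, 'ok') if the token is valid for this scope, else (None, reason)."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None, "malformed"
    expected = hmac.new(PROVIDER_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None, "bad signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return None, "expired"
    if claims["jti"] in REVOKED:
        return None, "revoked"
    if required_scope not in claims["scope"].split():
        return None, "scope not granted"
    return claims, "ok"

def export_contacts(token, now):
    """Constructed provider endpoint: only 'contacts:read' unlocks the contact list."""
    claims, why = check_valet_key(token, "contacts:read", now)
    if claims is None:
        return None, why
    return ["alice@example.com", "bob@example.com"], "ok"  # constructed sample data

def revoke(token):
    """The user pulls the key back; the third party's copy stops working immediately."""
    REVOKED.add(json.loads(_unb64(token.split(".")[0]))["jti"])
```

A token minted for a mail-reading scope is refused by the contacts endpoint, and revoking a key invalidates it even before it expires, which is exactly what handing over the real password cannot offer.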

Cafepress does the same thing when you buy an item, asking for the password for your email account so you can invite friends from your contact list. Of course there is a ‘Skip’ option, but I wonder how many people are actually dumb enough to put in their password.

How come they all have the same screen? It looks to me like they are all using a plugin, or perhaps a screen from their library, provided by somebody else.

Trusting a third party, and another third party chosen by them. Help.

Of course, this would only be a problem in a world with problems with identity theft, credit card fraud, and inappropriate commercial use of personal information for corporate gain. Luckily we don’t live in a world like that!