

This is what your customers think of asking for their email password - raganwald
http://www.codinghorror.com/blog/archives/001128.html

======
raganwald
Alternative ways to scrape your email addresses without asking for your login
credentials (from a comment on the OP):

Google Contacts API: <http://code.google.com/apis/contacts/>

Yahoo! Contact API: <http://developer.yahoo.com/addressbook/>

Windows Live Contact API: <http://msdn.microsoft.com/en-us/library/bb463989.aspx>
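
The difference between "give us your mailbox password" and "use the provider's contacts API" is a difference in what the importing site ends up holding. The following is an added example, not code from the article or from any of the three APIs linked above: `ToyProvider`, its `|`-delimited HMAC token format, the scope names `contacts.read` and `mail.read`, and the sample accounts are all constructed for illustration. It puts the two designs side by side: with the password, the site can read everything the user can; with a scoped, expiring token issued by the provider, it can read contacts and nothing else, and a tampered or stale token is refused.

```python
"""Two contact-import designs, modelled with an in-process stand-in provider.

Constructed example: ToyProvider is not Google's, Yahoo!'s or Microsoft's
API, and the token format is a made-up HMAC scheme chosen for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    password: str
    contacts: list
    mailbox: list


class ToyProvider:
    """Stand-in email provider holding accounts and a token-signing key."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # never leaves the provider
        self._accounts = {}

    def add_account(self, user, password, contacts, mailbox):
        # user names must not contain '|' because the toy token uses it as a separator
        self._accounts[user] = Account(password, list(contacts), list(mailbox))

    # Pattern A: whoever holds the password gets the whole account.
    def login(self, user, password):
        acct = self._accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.password, password):
            raise PermissionError("bad credentials")
        return {"contacts": list(acct.contacts), "mailbox": list(acct.mailbox)}

    # Pattern B: the user authenticates to the provider, which hands the
    # third-party site a token limited to one scope and a short lifetime.
    def issue_token(self, user, password, scope, ttl_seconds=600):
        self.login(user, password)           # identity is proven here, not at the site
        expires = int(time.time()) + ttl_seconds
        payload = f"{user}|{scope}|{expires}"
        tag = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{tag}"

    def _check(self, token, required_scope):
        try:
            user, scope, expires, tag = token.split("|")
        except ValueError:
            raise PermissionError("malformed token")
        payload = f"{user}|{scope}|{expires}"
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("bad signature")
        if int(expires) < time.time():
            raise PermissionError("token expired")
        if scope != required_scope:
            raise PermissionError(f"scope {scope!r} does not grant {required_scope!r}")
        return self._accounts[user]

    def get_contacts(self, token):
        return list(self._check(token, "contacts.read").contacts)

    def read_mailbox(self, token):
        return list(self._check(token, "mail.read").mailbox)


# The importing site, written both ways.
def import_with_password(provider, user, password):
    """What the article criticizes: the site now holds a master password."""
    return provider.login(user, password)["contacts"]


def import_with_token(provider, token):
    """The alternative: the site only ever sees a contacts-scoped token."""
    return provider.get_contacts(token)


def access_error(fn, *args):
    """Return the PermissionError message for a call, or None if it succeeded."""
    try:
        fn(*args)
        return None
    except PermissionError as exc:
        return str(exc)


def demo():
    """Constructed sample account; returns what each design exposes to the site."""
    provider = ToyProvider()
    provider.add_account("alice", "hunter2",
                         contacts=["bob@example.com", "carol@example.com"],
                         mailbox=["password reset link for your bank account"])
    token = provider.issue_token("alice", "hunter2", "contacts.read")
    return {
        "by_password": import_with_password(provider, "alice", "hunter2"),
        "mail_via_password": provider.login("alice", "hunter2")["mailbox"],
        "by_token": import_with_token(provider, token),
        "mail_via_token": access_error(provider.read_mailbox, token),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both paths return the same address book; the difference is that `mail_via_password` is the user's inbox while `mail_via_token` is a refusal. Scope, expiry and a signature the site cannot forge are what make the token the smaller thing to hand over.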

~~~
imp
I love the comparison between the urls for each company. Google and Yahoo have
nice clean ones while Microsoft isn't even trying.

~~~
andr
Probably because Microsoft has enormous amounts of documentation online,
organized in a single library, while Google and Yahoo don't...

~~~
simonw
Nope, it's because Microsoft just don't care. Wikipedia has 2.5 million
articles all in the same namespace and still manage to have nice URLs. It
really doesn't take much effort to provide decent URLs for a very large corpus
of information - but Microsoft clearly haven't even thought about the problem.
Their URLs have always been disgracefully bad.

~~~
tptacek
This is more a disagreement about the value of URLs than about whether
Microsoft "cares" about their end users. With a keyword bookmark for
Wikipedia, I'm about 50/50 for getting the content I want with simple URLs; I
still wind up in the Wikipedia search bar all the time.

Nobody has a foolproof scheme.

~~~
jward
For me it's not about finding the information by typing in a URL. It's more
about scanning and having a clue what I'm going to see by the url I'm clicking
on. A giant random number really has no meaning or value in this context.

~~~
dmose
For me, it's pretty irrelevant because I'm a developer using a development
knowledge base (MSDN) and have been for over a decade.

By your argument, HN is a fail too, yet you still click on the links.

~~~
william42
HN isn't a reference work like Wikipedia or the MSDN Knowledge Base, so it's
less important here.

But the real reason that Microsoft's URLs suck is that the MSDN Knowledge Base
is an older product than Google's, built back when the web was new and people
didn't realize that their URLs sucked. And one thing that I respect Microsoft
for is actually caring about reverse compatibility.

(Sidenote: This is why you should _think_ about your URLs. They are how your
website will be presented to the world.)

------
raganwald
"Your email account is a de-facto master password for your online identity.
Most -- if not all -- of your online accounts are secured through your email.
Remember all those "forgot password" and "forgot account" links? Guess where
they ultimately resolve to? If someone controls your email account, they have
nearly unlimited access to every online identity you own across every website
you visit."

...and...

"how can I take your privacy policies seriously if you aren't willing to treat
your competitors' login credentials with the very same respect that you treat
your own?"

Solid gold.

------
Rickasaurus
This is a huge blunder a lot of companies are making. I was shocked when I saw
it on facebook. And now, with all the APIs available, it's simply inexcusable.

~~~
cstejerean
the one or two times I had to use this feature on a site I changed my email
password before and after.

~~~
dfranke
_Had_ to use it? To me that'd be an instant click of the back button and maybe
a new iptables entry.

------
babul
We have to remember that email-based import is a service aimed at the masses
to make life easier for such people.

Although most people on HN and the like will usually opt out or refuse such a
request, many people will not care about the privacy/security issues if it
means less work for them.

~~~
dreish
The danger is that this breaks what is supposed to be a taboo, lowers people's
resistance to giving out their password by conditioning them to expect that
nothing will go wrong, and makes it easier for others to commit fraud.

So people get burned by some Nigerian scammer, decide never to do any business
online again, and what good does that do for the YC crowd?

~~~
babul
Agreed, but ultimately it is very difficult to educate people. Until something
bad happens to them, most people will not learn.

~~~
calvins
You're saying that it is difficult to educate people, so it doesn't matter if
they are taught to do incredibly dangerous things without a second thought.
The fact that it is difficult to educate people makes it that much more
important that companies like Yelp not do stupid things like this.

------
kmt
I first saw this on Facebook. They did have leverage and they used it without
hesitation (quite arrogantly I thought). Then everyone else followed: "if
Facebook can do it, why can't we?". It became a standard. That alone made me
lose the little respect I had for Facebook. Very early did they screw up.
Google still manage to not fall this low.

------
brfox
Don't worry, many people use one password everywhere, so websites like Yelp
probably already have lots of email passwords - even those that don't use any
of those providers.

~~~
dreish
It is painful to be reminded of how poorly so many people watch out for
themselves. As an uninterested third party, you can shrug and say, "Every man
for himself." But as soon as you start designing web applications that assume
people behave reasonably, you lose the luxury of being able to ignore the
problem.

------
paul
This isn't as big of a deal as people are making it out to be. The fact is
that I DO give out keys to my house to a number of people that I trust.
Likewise, I've used this import feature on a few websites that I trust, such
as Facebook, and would be willing to do the same on Yelp if I used that. The
notion that it's somehow unethical is just silly.

Of course people should be hesitant to give their passwords to random web
sites, but then again they should also be hesitant to give their address book
out to random websites (I don't want spam just because you signed up for some
scammy site). The people most likely to fall for scams probably use the same
password everywhere, btw.

~~~
raganwald
"I DO give out keys to my house to a number of people that I trust."

Your house keys are less dangerous than your email password. As jeff points
out, with your email password someone can probably take control of _all_ of
your web credentials. It's as if you gave them your house keys, and then they
use those to take control of your snail mail, and then they apply for new
credit cards in your name, and order a new set of car keys, and so on.

And of course, we are not talking about giving your house keys to a friend
staying with you. We are talking about giving your house keys to the bartender
because he says he can help you invite all your friends to have a drink with
you.

~~~
paul
With my house key, they can get to my email, so email permissions are narrower
than house permissions. Someone with access to my house can definitely cause
more trouble than someone who only has access to my email. It's not just
friends either btw, I also give house keys to the cleaners, etc.

If your email is so super secret, then you probably shouldn't trust Yahoo or
Microsoft with it either, btw. I'm not saying that there aren't security
issues, but you need some perspective here. Facebook is just as secure as
Yahoo, so letting them use your Yahoo password really isn't that big of a
deal.

------
LogicHoleFlaw
Lots of phraudsters use this sort of technique as well. I started receiving
several spam IMs a day from a friend of mine. When I asked what was up, she
said that she had foolishly given her account name and password to a service
which purported to tell her what other IM accounts had blacklisted her.

Of course, many more accounts blacklisted her once they started receiving the
spam messages...

------
lvecsey
When you ask your employer that 'why' question, what comes next? Suppose the
address book APIs were unknown to both employer and employee; the employer
might say 'go ahead and write the core component that will manage just a list
of names and emails'. This is still ethical because in theory it can be
connected to a current or future address book API, so the programmer agrees.
Later, when the address book APIs aren't enough for marketing, an intern or
other willing employee is induced to connect it to the full email login and
password credentials.

It's stuff like this that makes the first employee want to leave, which leaves
the 'salt' effect of remaining employees at the company.

Somehow, the employees (and perhaps students in a school situation) should
have some power of a social vote that the boss at least 2 levels up from them
needs to acknowledge.

------
gommm
By the way, for those who worry about this... Don't do what I did and try to
log in to your MSN account in a web cafe in China.... It's the same as giving
out your passport on an untrusted website, except that in this case you can be
sure that if they do have a keylogger (like they did in my case) they will spam
the hell out of your address book....

And so I, who always spent my time complaining about people who are not
careful about security, spammed most of my friends :-(

------
michael_dorfman
Talk about a Coding Horror!

What are these people thinking?

~~~
noonespecial
I think the big red FAIL said it best.

------
TrevorJ
They aren't the only ones asking for this. However, I notice that you have the
option of skipping that step, just as you do on Twitter when it asks for the
same info. Just opt out.

~~~
byrneseyeview
His point wasn't that you have to do it, but that it's a bad option to give
people.

------
schtog
Yeah, I've seen this in several places lately, can't remember a specific
instance though.

My reaction is like "wtf ofc I'm not gonna give you my email password".

~~~
ojbyrne
Most recently I've seen one on plurk.com. They seem to be spreading like a
virus - hopefully this article will help to turn people against them.

~~~
dreish
I suspect it will only end in a courtroom, one way or another.

~~~
ComputerGuru
I highly doubt that. Freedom of speech covers your right to give out your
password to anyone who asks for it :)

If some stranger came up to you in the street and asked for your SSN & bank
account number and you were stupid enough to give it to them, who would be at
fault? Would that stranger have done anything illegal?

~~~
dreish
Ah, you're right. No one has ever been sued for mishandling private data.

------
Darmani
Best temporary solution for those who want the features without risk from all
but the most malicious sites: Change E-mail password, give password, change
password back.

~~~
smelendez
That's OK if you trust the site as much as you trust your email provider.
There's still a mild risk that they'll store data that they obtained when they
logged in to screen-scrape for contacts and that data will leak. It's probably
worse in Gmail and other services that show potentially confidential snippets
of emails as soon as you log in.

------
mcormier
How insightful. Atwood states the obvious yet again.

~~~
raganwald
It is sad that these things need to be said.

------
shawndrost
This is what Jeff Atwood thinks of you asking for his email password. My
personal impression is that most people don't give a shit.

~~~
icky
It's true. If someone asked _me_ for Jeff Atwood's email password, I wouldn't
mind at all.

