

Ask HN: How many of you willing to give gmail/yahoo info to expand the network - bigbang

We are prototyping (just started) a social networking idea.

The question I have is: We want to have a sign-up page, where we will allow the user to "create a username" and the next step will be to enter their gmail/yahoo username/pass (we won't store it and we will say that) to fetch their contacts so the user can know who is already using our service. The user, if they wish, can skip this step.

Initially, we were thinking of using openid and removing the "create username" step. But we thought not many people may remember their openid. Another alternative was that they could sign in using their yahoo/gmail account.

But the problem is it would be frustrating for the user to once give us their gmail info to sign up (i.e. just creating the username) and then again to fetch the contacts (to see which of their contacts is using our service). Also many users may just want to check out the services without expanding the network, so combining the above steps into one sign-on wouldn't make sense either, right? So we thought we should be going the usual "create username" route.

My questions are:

1. Do you think asking the user to create a username would be a big hassle when compared to entering their gmail id twice? What do you think?

2. My second question is more of what you would normally do. Normally will users give their username/pass to a not-so-popular website? Lots of websites like StumbleUpon, LinkedIn, FB do this.

3. Also when checking out a new service, would you just want to create a username to check it out or will you also take the extra step to discover which of your friends are using it? If they are not using it, normally are you OK to send an invite? This sort of seems weird, because you are just signing up, it would make sense for you to invite your friends without knowing if it's good?
======
iamdave
<http://www.codinghorror.com/blog/archives/001128.html>

I wouldn't.

 _edit_

It's worth noting to answer one of your questions: I don't follow my friends
around to every new site that pops up. Primarily because only 10% of my
friends are technically savvy enough to the point where I would actually use
the word "Twitter" around them. I've found this is becoming increasingly more
and more the case, we're establishing connections with like minded people
online, and isolating ourselves to a certain extent when it comes to who among
our friends knows their two cents about social content.

That said, if I create an account on a site "just to test it out", I'll
probably use my dummy email account in the first place partially out of habit,
and partially to gather any extraneous crap that may get dumped in the inbox
anyway.

~~~
thamer
Exactly, especially since there seems to be a better way:
<http://code.google.com/apis/contacts/>

I've never tried it, but as I understand it, this is the right (and safe) way
to get this information.

My guess is that you get an email from Google saying that some application has
requested your contact info, along with a link to click in order to allow or
forbid it.

 _edit_

A quick look at the documentation describes two ways of getting information
for a Gmail account, either with login+password or using what they call
AuthSub Proxy Identification:
[http://code.google.com/apis/accounts/docs/AuthForWebApps.htm...](http://code.google.com/apis/accounts/docs/AuthForWebApps.html#AuthProcess)

The application requests access to the account and gets an authentication
token, which can be used to get user information once it's been validated
either by login/pass or by the user.
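
The token flow described in the comment above, as an added example that is not part of the thread: a constructed in-memory model (not Google's AuthSub API; the `Provider` class, its method names and the sample account are assumptions) in which the site receives a token limited to contacts and revocable by the user, rather than the password.

```python
import secrets

class Provider:
    """Constructed stand-in for a webmail provider (not Google's AuthSub API)."""
    def __init__(self):
        self._passwords = {"alice": "correct horse"}   # constructed sample data
        self._data = {"alice": {"contacts": ["bob@example.com"],
                                "mail": ["Password reset link for your bank"]}}
        self._pending = {}   # request id -> (app, scope)
        self._tokens = {}    # token -> (user, scope)

    def request_access(self, app, scope):
        # Step 1: the application asks for access to one scope.
        request_id = secrets.token_urlsafe(16)
        self._pending[request_id] = (app, scope)
        return request_id

    def approve(self, request_id, user, password):
        # Step 2: the user signs in at the provider; the password never reaches the app.
        if not secrets.compare_digest(self._passwords.get(user, ""), password):
            raise PermissionError("bad credentials")
        _app, scope = self._pending.pop(request_id)   # request ids are single use
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, scope)
        return token

    def fetch(self, token, resource):
        # Step 3: the application presents the token; only the approved scope is served.
        user, scope = self._tokens.get(token, (None, None))
        if user is None or resource != scope:
            raise PermissionError("token not valid for " + resource)
        return self._data[user][resource]

    def revoke(self, token):
        # The user withdraws access without changing the password.
        self._tokens.pop(token, None)

def allowed(provider, token, resource):
    try:
        provider.fetch(token, resource)
        return True
    except PermissionError:
        return False

def demo():
    p = Provider()
    token = p.approve(p.request_access("newsite.example", "contacts"), "alice", "correct horse")
    before = (allowed(p, token, "contacts"), allowed(p, token, "mail"))
    p.revoke(token)
    return before, allowed(p, token, "contacts")
```

A site holding the mailbox password would have no equivalent of the `mail` refusal or of `revoke`: it could read everything until the password itself was changed.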

~~~
bigbang
Thanks. There are a few options:

1. Redirecting to Yahoo/Gmail page where the user signs and authorizes Yahoo
or Google to give us the user's contact. This gives the user the secure
feeling.

2. Same as 1, but instead of redirecting show it in a big frame on same page,
so the user feels he has not left the page and can if the user wishes find
friends through another webmail account.

Which do you think is better for you (and normal not so tech savvy users)?

~~~
IsaacSchlueter
Replace the whole page so that the top-level URL in the address bar says
"yahoo" or "google" when they're signing in.

Otherwise you're just another phisher.

"Normal" users don't care. But they'll learn and eventually expect the
conventions that we establish. So let's establish conventions that are
valuable.

------
colinplamondon
Most people don't care, the privacy implications are only worried about by
people who know enough to worry about the privacy implications.

Despite the Facebook Beacon blowup in the blog echo chamber, very few users
cared:

[http://www.sawickipedia.com/blog/2007/12/05/facebook-bites-t...](http://www.sawickipedia.com/blog/2007/12/05/facebook-bites-the-pr-bullet-on-beacon-but-it-lives-on-because-in-the-end-users-dont-appear-to-be-bothered/)

So, sure! People who read CodingHorror are concerned about the security
issues... but how many of your users even know what the hell CodingHorror is?

If your social network is focused on people who might have heard of
CodingHorror, you might want to have second thoughts. If not, keep it secure
and be careful about your implementation. Personally, if I trust a site then
I'll use the address book import if provided.

EDIT: Like mentioned above, definitely use Google's actual tool to do the
import:

<http://code.google.com/apis/contacts/>

~~~
IsaacSchlueter
It's irresponsible to expect your users to care about their privacy, just as
it's irresponsible for a doctor to expect his patients to care about their
health as much as he does.

Your duty, as a provider of web services, is to be far MORE concerned with
your users' privacy than they are themselves. You know about these things;
they don't. They're trusting you.

So do the right thing. Don't add to the problem. Don't add to the list of
sites that subtly enforce the very false notion that it's safe to share your
email credentials.

It's a bad idea even if you do trust the site to be careful. Every site that
has my email credentials, even for a moment, is another potential failure
point of the worst kind. Steal my twitter login, fine. You post some garbage,
and I have to clean up a mess. Steal my email, and I'm left broke and fighting
with credit bureaus to clean up my reputation for 7 years.

Most users don't care about these things. But the fact that about 100% of
savvy web professionals are very concerned by this should give you pause
before asking for email credentials on your site. Even if you're 100% careful
with the info, you're helping the next guy make the case that it's ok
("everyone does it"), and he might not be so careful.

------
michael_dorfman
I'd never use a site that asked me for my gmail (or any other)
username/password.

I'm not the only one who feels this way. Take a look at this, for a start:
<http://www.codinghorror.com/blog/archives/001128.html>

If your social networking idea depends on this, start again.

------
elad
Personally, I never ever give my email credentials out. I totally agree with
Jeff Atwood on that.

However, while you're at it, why not ask people for their facebooks/myspace
credentials? You'll find many more "friends" there than in my email contacts,
plus facebook is far less sensitive privacy-wise. If someone got hold of my
credentials, the maximum they could do is deface my profile and send some
stupid messages to friends. If they got hold of my gmail account, they could
access almost every other account that I have through "forgot your password"
links...

Not that I'd actually give you my facebook credentials though :)

~~~
bigbang
That's definitely a good point. Waiting for facebook connect :)

------
IsaacSchlueter
OpenID: If they have a yahoo account, the user just has to remember
"yahoo.com" and if you're supporting OpenID 2.0, it'll work. If they have
almost any kind of blog or social networking profile these days, it's also an
OpenID.

Users remember their OpenIDs. Use the discovery mechanisms built into the spec
to do the hard part for them.

Check out the RESTful apis being built as part of the OpenSocial
specification. If they can tell you what network they're a part of that
supports OpenSocial (Google, MySpace, hi5, Plaxo, and soon, Yahoo) then you'll
be able to kick off an OAuth process that ends in them giving you permission
to fetch their friendlist.

But their email username and password? Don't _ever_ do it.

We're past that stage now. It's no longer state of the art, and it's dangerous
enough that it ought to be considered harmful by all responsible adults.

------
babul
This may be helpful <http://news.ycombinator.com/item?id=209870>

------
PieSquared
I think OpenID may be a good choice, especially as more sites begin to support
it. Take a look at ClickPass, it seems promising, though I suppose you should
offer a normal sign up too.

------
wumi
Who is this product targeted at? Many hackers don't give out their emails,
import contacts, but if you've received email spam from your other friends,
you probably know they will willingly do so ...

------
cmars232
Won't use it.

------
xlnt
Don't ask for people's passwords. Ugh. Just because other sites are acting
badly doesn't mean you should too.

Those sites that want your passwords have not figured out a decent solution to
the problem. That's an opportunity. Do something better.

