Mar 20

It’s just my email password…


Security

I couldn’t help but interrupt someone at the coffee shop when I saw them typing their Gmail username and password into some random third-party system to “grab your contacts”.

I get why sites have been doing this, but now that we have the Google Contacts API there shouldn’t be any need for it.

What astounded me was the logic this fellow used. He explained that he used really good, different passwords and never kept them in his email, so if the third-party site was malicious it wouldn’t get anything of value.

He didn’t seem to realize that by giving away the key to your email account, you are doing a LOT more than letting someone read that email to your mum. With it, they hold the keys to your “forgot password?” life. They can quickly go to the accounts you have all over the shop, trigger the forgotten-password flow, and now they DO have access to your account info.

It isn’t about what is in your email beforehand; it is the access to future email that matters.

This is why I was over the moon when the Contacts API saw the light of day, and I hope to see all providers do similar work.

3 Responses to “It’s just my email password…”

  1. Sam Says:

    It might be too late. Any system that offers an API instead of scraping requires that the user bounce through a few pages to do the same thing that took one page before. My guess is that this is one of those cases where the internet has been trained to put in their username and password and all the ways to fix it are a worse user experience.

    The real solution might be to have multiple passwords for the same account that all have different access levels. Then people that care can put in their “contacts only, no email” password.

  2. Craig Overend Says:

    Listening to one of the recent newsganglive podcasts, a startup mentioned 20% of people were entering their email details in order to ‘tell their friends.’ Retraining people, when services like Twitter make it difficult to find the ‘Skip this’ (or worse, sites use a ‘do this later’ that repeatedly attempts to get those details), will be a challenge.

  3. Tara Kelly Says:

    @Sam
    RE: “Then people that care can put in their ‘contacts only, no email’ password.”

    Wow – that would make things *really* complicated. I’m often surprised at how many people don’t even know how to use folders in their webmail account. I can’t see them understanding (and setting up) permission-based passwords.

    It’s definitely a problem though.
