With all these social networks asking for my email password in order to scrape my contact list, I thought I would just save hackers and would-be assailants the trouble and post a list of my passwords here for convenience.
Okay, I want to be social. I want to play with the latest, coolest sites. But why on earth do all these Web 2.0 developers have no clue about security and its most fundamental rule: don’t share your password with anyone? There is an awesome post on this subject pertaining to Yelp here. And an even older post here.
Down in the comments on the Coding Horror piece, a reader states that Gmail provides an API for gathering a user’s contacts. Sadly, it’s no help. While there is a contacts API in Gmail, the third-party site still has to authenticate to it, and that authentication requires your password, so it doesn’t solve the problem: the site ends up holding a credential that unlocks your entire mailbox, not just your address book. I haven’t checked out the Yahoo! and Windows Live APIs because I don’t use those services. Maybe they have addressed this issue, but somehow I doubt it.
This whole password-sharing issue roared back into my mind after I recently joined ping.fm (currently in private beta) and found them practicing a similar habit. Ping.fm wanted my passwords in order to push updates to Plurk, Pownce, LinkedIn and many more. I immediately voiced concern in the ping.fm forum. I was surprised to learn I was the first person to raise the issue. Sean comforted me with the fact that my passwords are heavily encrypted in their database and that I can remove them at any time. While this made me feel better, it’s still inherently flawed. Encryption at rest doesn’t change the picture: to post on my behalf, ping.fm has to decrypt my passwords, so the decryption key lives right next to the data and anyone who compromises the application gets both. And what they get is the real password, which grants full access to each account rather than just the ability to post an update.
When you join Facebook, they have a similar practice. Facebook asks for your email password in order to help find your friends. While Facebook should know better, at least their open development platform allows users to find their Facebook friends on other sites such as friendfeed by adding a small application specific to that site. You can find me on friendfeed here.
I’m just not sure who is more to blame: services such as ping.fm (sorry for picking on you, Sean) that ask for passwords, or services like Plurk and Twitter for not providing account-level, API-only keys such as the one offered by Jaiku. As Sean pointed out in the forum discussion, it comes down to how these services build their APIs. And for those of us who are joining more social networks every day, services such as ping.fm will have to exist in order to conveniently manage it all.
So Gmail, Yahoo!, Hotmail, Windows Live and AOL all need to get off their asses and build public APIs that let me grant access to my contacts through a separate key, one that is not my password, only unlocks my contacts, and can be revoked on its own without my having to change my password. And sites like friendfeed, Plurk, Twitter, Yelp and Pownce need to follow Jaiku’s lead and provide an API key that is separate from my password.
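To make the difference concrete, here is an added example (my own toy code, not ping.fm’s, Jaiku’s or any real service’s implementation) of what an “API key separate from my password” looks like. The service, the app name and the scopes are all made up for illustration. The user proves the password to the service once, the service hands the third-party app a signed, scoped, revocable key, and the app never sees the password. The final function compares what an attacker who reads the aggregator’s database can do under each model.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a server-side signing key. In a real deployment
# it would be a stored secret, not regenerated every time the module is imported.
SERVER_SECRET = secrets.token_bytes(32)


class DelegatedAuthService:
    """Hypothetical service that issues per-application, scoped, revocable API keys."""

    def __init__(self):
        self.users = {}  # username -> (salt, password hash)
        self.keys = {}   # key_id -> {"user", "app", "scopes", "revoked"}

    # --- the password: the primary credential, never handed to third parties ---

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        """A valid password grants everything the account can do."""
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._hash(password, salt))

    # --- delegated keys: what a Jaiku-style API key offers ---

    @staticmethod
    def _mac(key_id):
        return hmac.new(SERVER_SECRET, key_id.encode(), "sha256").hexdigest()

    def issue_key(self, user, password, app, scopes):
        """The user authenticates to *us*; the app receives a key, not the password."""
        if not self.login(user, password):
            raise PermissionError("bad credentials")
        key_id = secrets.token_urlsafe(12)  # url-safe alphabet, never contains "."
        self.keys[key_id] = {"user": user, "app": app,
                             "scopes": frozenset(scopes), "revoked": False}
        return f"{key_id}.{self._mac(key_id)}"

    def check(self, api_key, scope):
        """Return the owning user if api_key is intact, unrevoked and grants scope, else None."""
        try:
            key_id, mac = api_key.split(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, self._mac(key_id)):
            return None  # forged or tampered key
        rec = self.keys.get(key_id)
        if rec is None or rec["revoked"] or scope not in rec["scopes"]:
            return None
        return rec["user"]

    def revoke(self, api_key):
        """Cut one app off without touching the password or any other app's key."""
        key_id = api_key.split(".", 1)[0]
        if key_id in self.keys:
            self.keys[key_id]["revoked"] = True


def what_a_leak_exposes():
    """Compare the two credential models from the aggregator's side.

    Returns (password_model, key_model): for each privileged action, whether an
    attacker who stole the aggregator's stored credential can perform it.
    """
    svc = DelegatedAuthService()
    svc.register("alice", "correct horse battery staple")  # constructed sample user
    actions = ("post_update", "read_mail", "change_password")

    # Model 1: the aggregator stored alice's password. Encrypted or not, it has to
    # be decryptable to be used, so a database-plus-key compromise yields plaintext.
    stolen_password = "correct horse battery staple"
    password_model = {a: svc.login("alice", stolen_password) for a in actions}

    # Model 2: the aggregator holds a key scoped only to posting updates.
    api_key = svc.issue_key("alice", "correct horse battery staple",
                            "hypothetical-aggregator", ["post_update"])
    key_model = {a: svc.check(api_key, a) == "alice" for a in actions}

    # And alice can cut the app off without changing her password.
    svc.revoke(api_key)
    key_model["after_revoke"] = svc.check(api_key, "post_update") == "alice"
    return password_model, key_model
```

Under the password model every action succeeds; under the key model only the scope the user granted works, and revocation kills the key while the password (and every other app's key) stays valid. The signing step matters too: because the key carries an HMAC over its id, an attacker who knows only the id format cannot mint keys for other users without the server secret.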
Here is that password list I promised.
- thomas
- arsenal
- monkey
- charlie
- qwerty
- 123456
- letmein
- liverpool
- password
- 123