Tuesday, August 05, 2008

questions about the password anti-pattern

This came up in two different conversations today, so a post rather than just sending email. For those not familiar with the concept, the password anti-pattern refers to web sites that ask you to submit a name and password in order gather your friends' email addresses. Jeremy Keith has a nice description of it on his blog. The problem is that it teaches people to cough up their password, which is a particularly bad habit online, especially in the age of phishing and pharming attacks.

It is particularly noxious because most of the major online email services have APIs for doing this in a secure manner. Google has the Contacts API. Yahoo! has the Address Book API. AIM friend lists can be grabbed via OpenAuth. The Windows Live can help you with Facebook and Bebo. MySpace

If you want to play with how these work for the end user, Flickr has a really nice implementation up for scraping Yahoo, Gmail, and Hotmail contact lists.

1 comment:

Anonymous said...

Yeah I would never give a third party site my password for another site, that's crazy.

- T