my recent reads..

'Promote Bad Security Practice' Grand Achievement Awards

As usual, Jeff cuts to the heart of the matter on Coding Horror when calling out Yelp for the astonishingly evil and unconscionable act of asking users to hand over their email passwords.

I am not sure who started this, but it has somehow scarily become accepted practice, especially among the social networking sites. Facebook, LinkedIn, Plaxo ... they all do it, and seem to think that waving some privacy mumbo-jumbo 'but you can trust US!' makes it OK. Some are particularly heinous, like Tagged, which obscure the fact that handing over your email password is optional.

As many have pointed out (see the comments on Jeff's post), this is a lazy solution to a problem that is solvable in ways that do not need to compromise user security.

Facebook, LinkedIn - these guys should know better. And I think have an obligation to do better, especially since it is becoming more and more common for a social networking site to be an individual's first experience on the net. While the old hands may have well-ingrained security awareness thanks to the evangelizing efforts of people like Steve Gibson and Leo Laporte on the Security Now! podcast, we have a whole new generation of users being taught exactly the wrong thing thanks to the misguided and irresponsible acts of the social networking sites that are requesting email passwords to be handed over.

The proliferation of this perfidious practice must be reversed! A good first step is to heap professional scorn on anyone associated with developing such a feature. Shame!