2009-01-02_no-shame-for-import-your-contacts-feature.rst

No shame for "Import your contacts" feature

Author: Stefano
Category: Security

I am negatively astonished (and I am not alone) by a new, widespread practice of many networking websites: during the registration process, they ask for your personal Gmail (or other webmail) username and password, so that they can log in on your behalf and import your address book contacts.

What?

Giving your personal password to another website allows them to poke into your mail account, where you may keep personal emails (possibly containing other passwords), documents, calendars and so on. You are potentially handing them your (and a bit of your contacts') digital life. Despite these sites' assurances of honesty, even honest and very respectable companies can have dishonest employees. Finally, there’s also a fair chance that you are violating the Gmail terms of service, which clearly state (paragraph 5.3) that your password is confidential. Other interesting paragraphs are 6.1 and 6.2, which in my opinion could constitute a TOS violation as well.

But apart from these facts, what I consider most dangerous is passing this practice off as “normal” or “acceptable” just because it looks convenient and easy. I wonder what people would say if they were asked to hand over their house keys to the shop where they just bought a TV, so that the delivery can take place with no additional fuss for them. The user is generally the weakest point in security, and educating him/her in the wrong direction is really something to be worried about.