Your Passwords Are Sold. And Plaxo?

It had to happen sooner or later, and it is only surprising that it did not happen earlier: yesterday, Twitter passwords were sold. Well, strictly speaking Twply was sold, after just one day of operation, for the ridiculously small sum of $1,200. Twply was a service that sent @replies to Twitter users by email, and to do just that it demanded people's Twitter usernames and passwords. Whoever bought the service also bought the stored credentials of everyone who had signed up.

However, Twply is not the only "service" that demands usernames and passwords; services that extend Twitter's functionality are especially notorious in this respect. Others want people's Gmail passwords, which can do even more damage: a Gmail password is not limited to the address book, it unlocks the whole account, so AdSense data, email, calendars and whatever else hangs off it are all at stake. Users have to be educated that it is definitely not in their interest to give their passwords to other web-based services. There are alternatives: Portable Contacts and OAuth. With these open standards a service can access, say, the contacts data held by another service without ever seeing the user's password. The user grants access on the provider's own site, stays in control of what is happening and can revoke that access at any time, which is impossible once a password has been handed out short of changing it. This will be the end of the password anti-pattern described by Jeremy Keith.
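To make the contrast concrete, here is an added illustration (not code from this post, from Twply or from Plaxo) of the two models in Python: a toy contacts provider that implements an OAuth 1.0-style three-legged token flow with HMAC-SHA1 request signing (the signing scheme of OAuth Core 1.0, later RFC 5849), next to plain password login. The provider host, the consumer name and the user "alice" with her address book are constructed for the example; nonce and timestamp replay checks, which a real provider must perform, are left out.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

BASE = "https://provider.example"  # hypothetical provider host (an assumption, not a real service)
REQ, ACC, API = f"{BASE}/oauth/request_token", f"{BASE}/oauth/access_token", f"{BASE}/api"

def percent_encode(s):
    return quote(str(s), safe="~")  # RFC 5849 3.6: only unreserved characters stay as-is

def signature_base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD & encoded(base URL) & encoded(sorted 'k=v' pairs)."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(norm)])

def hmac_sha1_sign(base, consumer_secret, token_secret=""):
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

class Provider:
    """Toy contacts provider (think webmail): only it sees the password; third parties get tokens."""
    def __init__(self):
        self.users = {"alice": {"password": "hunter2", "mail": ["(private messages)"],  # constructed
                                "contacts": ["bob@example.com", "carol@example.com"]}}
        self.consumers = {"contact-importer": secrets.token_hex(16)}  # registered out of band
        self.request_tokens, self.access_tokens = {}, {}

    def _verify(self, method, url, params, token_secret=""):
        params = dict(params)
        sig, secret = params.pop("oauth_signature", ""), self.consumers.get(params.get("oauth_consumer_key"))
        expected = hmac_sha1_sign(signature_base_string(method, url, params), secret or "", token_secret)
        if secret is None or not hmac.compare_digest(sig, expected):
            raise PermissionError("unknown consumer or bad signature")

    def request_token(self, method, url, params):
        self._verify(method, url, params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "scope": params["scope"], "user": None}
        return token, secret

    def authorize(self, token, username, password):  # the user logs in HERE, never on the consumer's site
        if self.users.get(username, {}).get("password") != password:
            raise PermissionError("bad login")
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = username, secrets.token_hex(4)
        return rt["verifier"]

    def access_token(self, method, url, params):
        rt = self.request_tokens.pop(params.get("oauth_token"), None)  # single use
        if not rt or not rt["user"] or params.get("oauth_verifier") != rt["verifier"]:
            raise PermissionError("request token was not authorized by the user")
        self._verify(method, url, params, rt["secret"])
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "user": rt["user"], "scope": rt["scope"]}
        return token, secret

    def get(self, resource, method, url, params):
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or resource != at["scope"]:
            raise PermissionError("token unknown, revoked, or not scoped for this resource")
        self._verify(method, url, params, at["secret"])
        return self.users[at["user"]][resource]

    def revoke(self, token):  # the user does this from the provider's own settings page
        self.access_tokens.pop(token, None)

    def login_with_password(self, username, password):  # the password anti-pattern
        if self.users.get(username, {}).get("password") != password:
            raise PermissionError("bad login")
        return {k: v for k, v in self.users[username].items() if k != "password"}

class Consumer:
    """Third-party importer: holds its consumer secret and issued token secrets, never the password."""
    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def signed(self, method, url, extra, token_secret=""):
        params = {"oauth_consumer_key": self.key, "oauth_signature_method": "HMAC-SHA1",
                  "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8), **extra}
        params["oauth_signature"] = hmac_sha1_sign(signature_base_string(method, url, params),
                                                   self.secret, token_secret)
        return params

def denied(action):
    try:
        action()
    except PermissionError:
        return True
    return False

def demo():
    p = Provider()
    c = Consumer("contact-importer", p.consumers["contact-importer"])
    rt, rts = p.request_token("POST", REQ, c.signed("POST", REQ, {"scope": "contacts"}))
    verifier = p.authorize(rt, "alice", "hunter2")  # alice consents on the provider's site
    at, ats = p.access_token("POST", ACC, c.signed("POST", ACC,
                                                   {"oauth_token": rt, "oauth_verifier": verifier}, rts))
    fetch = lambda kind: p.get(kind, "GET", API, c.signed("GET", API, {"oauth_token": at}, ats))
    out = {"contacts": fetch("contacts"), "mail_blocked": denied(lambda: fetch("mail")),
           "password_grants": sorted(p.login_with_password("alice", "hunter2"))}
    p.revoke(at)
    out["revoked"] = denied(lambda: fetch("contacts"))
    return out
```

Running demo() shows the three properties the open standards buy you: the consumer never sees the password (it is typed into the provider in authorize), the access token is limited to the contacts scope so the same consumer cannot read mail, and the user can revoke the token, after which the consumer's correctly signed requests are refused. Because every parameter is covered by the signature, a consumer cannot quietly widen the scope it asked for either. login_with_password, by contrast, returns everything in the account, and the only way to take that back is to change the password.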

Plaxo and the password anti-pattern

Plaxo has championed open standards for a long time. Its engineer Joseph Smarr is one of the driving forces behind Portable Contacts and related standards, and he is a really smart guy. What is really disappointing about Plaxo, though, is that it continues to collect passwords for webmail clients:

[Screenshot: password anti-pattern]

Plaxo knows better but still demands passwords. Maybe Plaxo does not store the passwords, but how many services claim the same? Users have no way to verify it. Recently, though, Plaxo's head of marketing, John McCrea, sent an interesting tweet:

[Screenshot: John McCrea on webmail clients]

Well, this sounds cool, at first. But what he is really saying is: hey, as long as those big guys [he means Google, Yahoo! and the like] don't support the standard we want them to support, you have to give us your passwords. Shouldn't Plaxo explain to its most valuable asset, its users, that it no longer supports the password anti-pattern? One day Plaxo might switch to Portable Contacts and OAuth to import contacts, but in the meantime it has trained its users to give away their passwords. Will it re-educate them? Wouldn't it have been easier to say that there is currently no convenient and secure way to import contacts, but that Plaxo is working on it?

I singled out Plaxo here not because I hate the service but because I really like it and want it to do better. But John McCrea's statement is at least a little bit hypocritical.

Tags: AdSense, engineer, Google, head of marketing, Jeremy Keith, John McCrea, Joseph Smarr, OAuth, open standards services, Plaxo, Portable Contacts, Twitter, Twply, USD, Yahoo

  • I appreciate your advocacy in this space, but I take issue with your charge of hypocrisy. One of the key motivations of the Portable Contacts initiative was the realization that the mere presence of APIs was not sufficient to shift developers over from scraping, so long as each provider created a new, proprietary, and completely unique API (often with its own proprietary and unique delegated auth system and its own unique UX). Portable Contacts (which specifies OAuth for delegated auth) offers a way out of the madness. So rather than Plaxo (and every other social site out there) paying the tax of having to develop and maintain separate code for each data provider, we should be able to write our secure import code once (or better yet, use a freely available open source library) for Portable Contacts and have it work with GMail, Yahoo Mail, and Microsoft's Live Mail. The good news is that we made enormous progress in 2008, going from conception to draft spec, to early implementations, with wire-compatibility with OpenSocial RESTful API 0.8.1 and above. And right before the holidays, Joseph Smarr demoed the full Open Stack with an end-to-end implementation between Plaxo and Google, that included Portable Contacts out from GMail. So, while my tweet might have sounded like foot-dragging or fancy positioning, it is not that at all. We are on the cusp of seeing broad support for a single standardized and secure method for accessing address books, social graphs, and profiles. In the meantime, investing in developing code against the various "beautiful snowflake" APIs does not make business sense.
  • But that's not exactly the point, John... I understand your argument with Portable Contacts and a standard way to share contacts, but every proprietary API is better than using the "password antipattern"! Besides, Google and Yahoo! are already using OAuth for authorization, so it is much easier to implement their APIs than to use a screen-scraping mechanism.

    We "all" want to have a standardized way to share contacts (as Portable Contacts will provide it) but I think in the meantime we should nevertheless avoid the "password antipattern" the best we can.
  • Thanks for your comment, John.

    I am well aware of Joseph's demos of Portable Contacts working with Gmail. I have linked to your article about it. I am also not suggesting that web services like Plaxo should develop code for every single API out there. Like you have written above, that doesn't make (business) sense. OAuth and Portable Contacts are the way to go. There is no disagreement between you and me.

    I admit that the title of the posting is provocative - but that's been the intention - and I understand that you take issue with being called "hypocritical", however just "a little bit". Though believe me, we're both supporting the same cause.
  • I agree that implementing a whole bunch of APIs isn't the right way and definitely not a good solution for a business.

    But why is screen-scraping the easier method? Because there are a bunch of classes out there ready to implement. And if a service like Plaxo is using such functionality it becomes "state of the art" for other sites and companies, because users are habituated to use them... so I think using other standardized ways to import contacts like XFN/hCard, FOAF or vCards is much better than using the "password antipattern". We have to educate our users first, because they have to use the things we build!

    And that shouldn't be an attack on what Plaxo is doing, because I love what you guys have done with "Portable Contacts", "The Social Web TV" and your dedication to many other "Open" solutions... but the "password antipattern" can't be an alternative!
  • I deleted my Plaxo account a while back precisely because of this.

    John, I'm sorry but it *is* hypocrisy. As it is now, you are scraping email addresses differently for each email provider—that is as much work (if not more) than implementing using the APIs now provided by each provider.

    More importantly, the ethical issue here is that you are telling people it's perfectly okay to hand over their email passwords to anyone who asks. That may make "business sense" but "business sense" does not trump moral responsibility.

    John, you and Joseph know better than this. It is precisely because you know better than this that I was so disgusted by Plaxo's continued support of the password anti-pattern. Hence, my account deletion.
  • I'd like to give John the benefit of the doubt, not just because we're friends, but because I know how long and much work needs to go into getting large organizations to shift.

    That said, I agree with Jeremy's point with two additional questions and one statement:

    1. What's the delta between how things are today with your scraper and getting to a point where you can simply use PoCo? If you're waiting on the service providers to adopt the protocol (clearly it needs to get finished in the mean time!), how far away are we from seeing live support? Two months? Three? Six months? Perhaps providing a non-binding timeline, and the things it depends on, would help to assuage these claims of hypocrisy. At least you're doing something about it.

    2. Why don't you at least offer optional support for the delegated authentication protocols provided by all of the major service providers in the meantime? At least the solutions exist today and would show a genuine commitment to making it possible for people to have control over how they provided access to their data.

    3. While I'm an advocate against the password anti-pattern like the rest of you, I do think that giving up your account credentials to sites and companies you trust is not always a bad thing. It certainly isn't an ideal solution, and in fact makes for lazy developers, but if you trust a company, say, with your credit card number and secret code, that's hardly different than trusting a company with your email credentials. If people make an informed decision about trusting Plaxo and hand over the keys to their accounts, that's their decision. How they become informed is another topic, though — and the greater point about teaching people bad security hygiene still stands.
  • Of course, trust is necessary in quite a lot of activities on the web. I have to trust my email provider, my OpenID provider, merchants,... The list is endless. Though I think it's different with Plaxo:

    1. It knows better. That's really simple.
    2. Plaxo has a bad reputation about spamming people's contacts. While this is a thing of the past, Plaxo still suffers from it and some people still make unfounded allegations. Scraping plays into the hands of those people.