[andreas_g4]

I was just registering at ilike.com to listen to the new R.E.M. album before I buy it. I read somewhere they had it on streaming. Well, I used my spam email account at gmail to register and found this directly after my first login on ilike.com:



Huh? Enter my password on a different site? What's the deal? I am positive that a (major) service like ilisten.com would have been bashed if there was anything wrong with this, but I still can't figure out why they ask for my email password…?

[wataru]

I think it's pretty obvious that they use your username and password to get access to your Gmail address book, and check to see if those email addresses correspond to accounts on iLike. The idea is to eliminate the hassle of manually searching for friends on each and every social networking site. Other places, LinkedIn for one, do this too.

If you don't want to give them your password then don't.

[andreas_g4]

Very smart answer. Yes, it is obvious. But it was my mistake in the first place, since my post is not very clear, sorry.

What I meant is: I never was asked by any website that I had to actually enter my login and password of my email service. I am just baffled that anyone would do this, no matter which site.

This might lead to the assumption, for unexperienced users, that entering that data on a different website is ok, which is more or less all that phishers want.

[nonhuman]

I've seen this in a lot of places. Facebook does it, Plaxo does it, probably all the social networking sites do it. Most potentially scary: mint.com does it.

[wataru]

Originally Posted by andreas_g4 

What I meant is: I never was asked by any website that I had to actually enter my login and password of my email service. I am just baffled that anyone would do this, no matter which site.

This might lead to the assumption, for unexperienced users, that entering that data on a different website is ok, which is more or less all that phishers want.

I'm not sure what you're so shocked about. It's not mandatory; you can simply choose not to auto-add friends that way.

I suppose you may have a point about people possibly becoming less vigilant about keeping login & password info secret, but clearly the cat is out of the bag at this point.

[Chuckit]

There's no other way to accomplish what they're doing, is there?

[legacyb4]

Twitter does too.

[wallinbl]

Originally Posted by Chuckit 

There's no other way to accomplish what they're doing, is there?

Export your contacts to a file and upload them. Most will support this.

[turtle777]

Originally Posted by nonhuman 

Most potentially scary: mint.com does it.

WTF is that supposed to mean ?

Is mint supposed to GUESS your account data and activity ?

-t

[pooka]

I personally find it a very worrisome trend. Yay, let's train people to give their username and passwords to random websites. Welcome to the social...

[turtle777]

Originally Posted by pooka 

I personally find it a very worrisome trend. Yay, let's train people to give their username and passwords to random websites. Welcome to the social...

That's the drawback if you want various databases and apps to communicate.

In the future, more and more websites will use OpenID � What is OpenID? , which is really how it's supposed to be done.

-t

[Chuckit]

Maybe I'm missing something, but OpenID seems like a security nightmare. "You know, there's a lot of problems with insecurity and fishing on the Web today. What can we do about this?" "I know! Let's create one more basket just like all the others and encourage everybody to put all their eggs in here!"

[nonhuman]

Originally Posted by turtle777 

WTF is that supposed to mean ?

Is mint supposed to GUESS your account data and activity ?

-t

Obviously it's necessary given what Mint does, but the idea that people are just giving out the login information for their online banking and credit cards is somewhat troublesome. The fact that most people wouldn't even give it a second thought or consider what the security implications are is what really bothers me. It's one hell of a big invitation for phishing or a man in the middle attack, both things that the average user is probably not really competent to protect themselves from.

[turtle777]

Originally Posted by nonhuman 

Obviously it's necessary given what Mint does, but the idea that people are just giving out the login information for their online banking and credit cards is somewhat troublesome. The fact that most people wouldn't even give it a second thought or consider what the security implications are is what really bothers me. It's one hell of a big invitation for phishing or a man in the middle attack, both things that the average user is probably not really competent to protect themselves from.

This is true, people SHOULD be careful to whom they hand out their information. I looked at mint and decided that I would trust them.

Before I did, I did some extensive research on mint, the company and the backing. Seemed solid to me.

-t

[turtle777]

Originally Posted by Chuckit 

Maybe I'm missing something, but OpenID seems like a security nightmare. "You know, there's a lot of problems with insecurity and fishing on the Web today. What can we do about this?" "I know! Let's create one more basket just like all the others and encourage everybody to put all their eggs in here!"

In my limited understanding, I don't see this as a nightmare.

It;s much more a nightmare that people have to remember eleventy billion different passwords, and therefore, use the same password everywhere.
Plus, those passwords used are rarely of good strength.

If you have ONE openID with a strong password, I think most people will be better off (i.e. safer) than today.

-t

[Chuckit]

Originally Posted by turtle777 

In my limited understanding, I don't see this as a nightmare.

It;s much more a nightmare that people have to remember eleventy billion different passwords, and therefore, use the same password everywhere.

I don't see how. That is, at worst, exactly the same as what you get with OpenID.

Originally Posted by turtle777 

Plus, those passwords used are rarely of good strength.

If you have ONE openID with a strong password, I think most people will be better off (i.e. safer) than today.

It is true that people don't generally use high-quality passwords, but still most of the Internet account hacking I hear of comes from phishing, not from brute-force guessing.

[turtle777]

Originally Posted by Chuckit 

I don't see how. That is, at worst, exactly the same as what you get with OpenID.

I think you misunderstand how it works. Have a look at this:

How OpenID works | Clickpass Documentation

I don't see how this is more prone to fishing than getting your password.

-t

[Eug]

I am starting a new online social networking website. You have all been selected to be beta testers.
If you are interested, please PM me your Gmail or Yahoo! Mail account identification and password.

I have also begun work on a new online payment system website, and it's going to be much more powerful than PayPal. You have all been selected to be beta testers.
If you are interested, please PM me your bank account information and password.

[turtle777]

What's the site called ? EugScammer ?

-t

[Eug]

The site is called Eug's Hammer.

We are a storage solutions company and have decided to branch out to industries that can leverage our years of experience with data warehousing.

We aim to use our new jack-of-all-trades online tools to hammer away inconvenience!

[andreas_g4]

Originally Posted by Eug 

I am starting a new online social networking website. You have all been selected to be beta testers.
If you are interested, please PM me your Gmail or Yahoo! Mail account identification and password.

I have also begun work on a new online payment system website, and it's going to be much more powerful than PayPal. You have all been selected to be beta testers.
If you are interested, please PM me your bank account information and password.

HAWT. Is this even cooler than being one of the gmail early beta users? Then I'm all onto it!1!!!1!