Your Email Password: A True Horror Story About Why We Need Authentication Standards

Blogging developer Jeff Atwood has written up a story of password theft that will run a chill down the back of anyone who enjoys trying out new applications online.

The story is about a GMail archiving application being sold by an unscrupulous coder who programmed the app to forward all GMail usernames and passwords from customers to his personal GMail account.

The story underlines the importance of the emerging movement for user authentication standards, a part of the user trust dilemma that will prove key in the near-term future of online innovation. OAuth, one of those proposed standards, is something we write about here regularly.

Dustin Brooks is a reader of Atwood’s excellent blog Coding Horror and sent Atwood the story of his sleuthing around the app, called G-Archiver.

“It didn’t really have the functionality I was looking for,” Brooks wrote, “but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard-coded his username and password to his gmail account in source code. All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information I became concerned.

“I opened up a browser and logged in to gmail using his account information. It still worked.

“Upon getting to the inbox I was greeted with 1,777 emails with account information for everyone who had ever used the software and right at the top was mine. I decided to go ahead and blast every email to the deleted folder and then empty it. I may have accidentally changed the password and security question to something I don’t remember as well, whoops, my bad. I also contacted Google to erase this account as I didn’t see a way to delete it myself.”

Way to go, Dustin Brooks.
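As an added illustration (not from the original post or from Brooks's write-up), here is a small Python check of the kind a reviewer can run over decompiled source to flag the two red flags Brooks found: credentials hard-coded into the program, and user-entered credentials written into an outgoing e-mail. The sample sources, identifiers and addresses are constructed placeholders, not real G-Archiver code.

```python
import re

# Constructed, simplified C#-style source reproducing the pattern Brooks
# describes: a hard-coded mailbox login plus an outgoing mail whose body
# carries the credentials the user just typed in. Not real G-Archiver code.
SUSPECT_SOURCE = '''
string ownerUser = "archiver.owner@example.com";   // placeholder address
string ownerPass = "hunter2-placeholder";          // placeholder secret
public void AddAccount(string user, string password) {
    var msg = new MailMessage(ownerUser, ownerUser);
    msg.Body = "user=" + user + " pass=" + password;
    var smtp = new SmtpClient("smtp.example.com");
    smtp.Credentials = new NetworkCredential(ownerUser, ownerPass);
    smtp.Send(msg);
}
'''

# Constructed clean variant: a delegated token instead of a password, no mail.
CLEAN_SOURCE = '''
public void AddAccount(string accessToken) {
    var client = new ContactsClient(accessToken);
    client.Sync();
}
'''

HARDCODED_SECRET = re.compile(r'(?i)\b\w*(pass|pwd|secret|token)\w*\s*=\s*"[^"]+"')
EMAIL_LITERAL = re.compile(r'"[^"\s@]+@[^"\s@]+\.[^"\s@]+"')
MAIL_CTOR = re.compile(r'\b(\w+)\s*=\s*new\s+MailMessage\b')
CRED_IDENT = re.compile(r'(?i)\b(password|pass|pwd|user|username)\b')

def audit_source(src):
    """Return (line_no, reason) findings for credential-handling red flags."""
    findings = []
    mail_vars = set()  # variables bound to a MailMessage object so far
    for n, line in enumerate(src.splitlines(), 1):
        if HARDCODED_SECRET.search(line):
            findings.append((n, "hard-coded secret literal"))
        if EMAIL_LITERAL.search(line):
            findings.append((n, "hard-coded e-mail address"))
        ctor = MAIL_CTOR.search(line)
        if ctor:
            mail_vars.add(ctor.group(1))
        # A write to a mail object's members that names a user credential.
        touches_mail = any(re.search(r'\b%s\.' % re.escape(v), line) for v in mail_vars)
        if touches_mail and CRED_IDENT.search(line):
            findings.append((n, "user credential written into outgoing mail"))
    return findings
```

Run `audit_source` over a decompiled dump before entering any real credentials into an unfamiliar client; the clean variant produces no findings.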

Authentication Standards and Best Practices: A Key to Innovation

How often have you given your usernames and passwords to various services, including webmail, to a new application you want to check out? I know I do that far too often. I decided I’d had enough last week when yet another application asked for my Twitter username and password. Twitter pays my rent, so I can’t be giving my credentials out to just anybody. I don’t need to get G-Archived.

New 3rd-party Twitter clients are just not going to get any attention from me until Twitter offers an authentication protocol that doesn’t require me to provide my username and password. It’s pretty insane if you think about it, given how central the Twitter API is to the company’s viability. I guess if you’re struggling to keep your pants up at a party, though (service uptime), then there’s no time to make sure your fly is zipped before meeting the other guests.

When users decide that they won’t give out their credentials to random startups, the user pipeline is going to dry up and innovation is going to be slowed substantially. Maybe that’s already happening and a world of potential support for innovation is already absent.

With the release of the Google Contacts API this week, developers don’t have much excuse to ask for a GMail username and password. Unfortunately, Google didn’t build its API on a standard like OAuth, so that framework won’t spread as far and wide as it might.

Niall Kennedy has written a great article about authentication best practices, and the OAuth website is a good place to go to read more on this topic.
