A password horror story (and some good advice)

Jeff Atwood tells the tale of a social website that asked him to divulge his e-mail login name and password as part of its “find your friends” routine. He’s right: it’s an inexcusably offensive idea and a giant step backwards in online security:

How did we end up in a world where it’s even remotely acceptable to ask for someone’s email credentials? What happened to all those years we spent establishing privacy policies to protect our users? What happened to the fundamental tenet of security common sense that says giving out your password, under any circumstances, is a bad idea?

I can understand the cutthroat desire to build monetizable "friend" networks by any means necessary. Even if it means encouraging your users to cough up their login credentials to competing websites. But how can I take your privacy policies seriously if you aren’t willing to treat your competitors’ login credentials with the very same respect that you treat your own? That’s just lip service.

Email is the de-facto master password for a huge swath of your online identity. Tread carefully…

Meanwhile, in one of those delightfully serendipitous bits of coincidence, the Official Google Blog offers some sound advice on passwords. Of their five tips, #4 is most relevant:

Don’t share your passwords with anyone. Not family, not friends, not anyone. This may seem a little strict, but the reality is the more people you share your password with, the greater your chances of having that password compromised will be.

Definitely don’t share your e-mail password with some random website.

2 thoughts on “A password horror story (and some good advice)”

  1. Absolutely. I don’t understand how some people agree to type in their credentials in Facebook, LinkedIn, etc. just to save a few minutes and have their address book imported… ludicrous.

  2. Google has recently launched a ‘Contacts API’, which allows you to give another site (or indeed a desktop application) permission to look at your contacts without needing to give your password over. Flickr has done this since it was launched and the likes of Hotmail and Yahoo should really be catching up.
