Some websites import friends utterly wrong, but Flickr gets it right. Their revised finder no longer asks for your password to other sites before logging in as you to fetch your address book. Such interactions compromise password and site security. Most people reuse the same small set of usernames and passwords. A not-so-small number of sites store cleartext passwords; they can even mail them back to you. Regardless of how well a site executes its own security, a breach at any other site can compromise many user accounts across many sites.
Several weeks ago a Web 2.0 company launched a Gmail backup app that asked for addresses and passwords, which at least 1777 unwitting folks provided. In addition to backing up Gmail as expected, the app also socked away the address and password combo. When the scheme was exposed, the company claimed debugging code made it to production inadvertently.
I can see scenarios where governments may be the least of our worries. Much more likely are significant others’ jealous exes who are also system administrators, and hacked sites with weak security. The sooner we move away from passwords and shared-secret systems, the safer we’ll be.
Flickr now joins that cause and can dig up friends across instant messenger and e-mail address books at Yahoo Mail, Hotmail, and Google Mail without asking for your password on these other systems. For those already logged into the target site, the follow-ups ask only to authorize the transaction. For those not yet logged into the target site, note the URL. Requests for passwords come only from the target site itself, as with OpenID.
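As an added illustration of the flow described above (not Flickr's or any mail provider's code; the MailProvider and Importer classes and the account data are constructed), this models the target site authenticating the user at its own URL and handing the importer a token scoped to reading contacts and revocable later, so the importer never holds the password:

```python
# Added illustration of the flow the post describes; not Flickr's or any mail
# provider's code. MailProvider, Importer and the account data are made up.
import hmac
import secrets
from hashlib import sha256

class MailProvider:
    """Target site: the only party that ever holds or checks the password."""
    def __init__(self, accounts):
        # accounts: {user: (password, [contacts])}, a constructed sample
        self._salt = {u: secrets.token_bytes(16) for u in accounts}
        self._hash = {u: sha256(self._salt[u] + pw.encode()).digest()
                      for u, (pw, _) in accounts.items()}
        self._contacts = {u: list(c) for u, (_, c) in accounts.items()}
        self._tokens = {}  # token -> (user, scope)

    def authorize(self, user, password, scope):
        """Runs at the provider's own URL; issues a scoped, revocable token."""
        h = sha256(self._salt[user] + password.encode()).digest()
        if scope != "contacts:read" or not hmac.compare_digest(h, self._hash[user]):
            return None
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user, scope)
        return token

    def contacts(self, token):
        user, scope = self._tokens.get(token, (None, None))
        return list(self._contacts[user]) if scope == "contacts:read" else None

    def revoke(self, token):
        self._tokens.pop(token, None)

class Importer:
    """Friend finder: stores the token, never sees a password."""
    def __init__(self, provider):
        self.provider, self.token = provider, None

    def import_friends(self, token, existing):
        self.token = token
        found = self.provider.contacts(token) or []
        return sorted(set(found) - set(existing))

def demo():
    provider = MailProvider({"alice": ("hunter2", ["bob", "carol", "dave"])})
    importer = Importer(provider)
    token = provider.authorize("alice", "hunter2", "contacts:read")
    new = importer.import_friends(token, existing=["bob"])
    provider.revoke(token)  # the user withdraws consent later
    return new, provider.contacts(token), "hunter2" in vars(importer).values()
```

After revocation the same token yields nothing, and the importer's state contains only the token, which is the property the post asks other sites to copy.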
After a few minutes, Flickr found missed and misplaced friends, nearly doubling my Flickr contacts to over 100. This is how finding friends should work. Other sites, take heed.