social-network-anti-patterns: Difference between revisions

From Microformats Wiki
(more on Quechup example of anti-pattern)
m (Replace <entry-title> with {{DISPLAYTITLE:}})
 
(41 intermediate revisions by 8 users not shown)
{{DISPLAYTITLE:Social Network Anti-patterns}}
{{TOC-right}}


While [[social-network-portability]] documents what to do to put your site on the open social web and be a good user-centric service in general, it's been noted that not everyone follows such advice and instead opts for a bunch of alternative either one-off (wasteful) or downright user-unfriendly tactics.  This page documents such [[anti-patterns]] of social network design and implementation and provides (unfortunately) real world examples of such badly designed sites.


== Spam your contacts ==
Many social networking sites ask you to <span id="Upload_your_Address_Book">upload your address book</span>, or "Find Your Friends", when what the feature really does is '''Spam your contacts'''.


These sites seem to use your uploading of an address book as tacit/implied permission to spam all your friends with invites, which will annoy your friends, and make you look foolish.  
* [http://twitter.com/spiller2/statuses/811960394 Stephen Spillane apologized on 2008-05-15] to his friends for what sounds like involuntary spamming due to a social network invite: <blockquote><p>"apologies to anyone who got an annoying invite from me to some stupid social network. The things men make me do"</p></blockquote>


Making users annoy their friends, look dumb to them, and feel compelled to apologize is not good design.


This spamming behavior is now so bad, that users are creating new email accounts to knowingly avoid the problem:
* [http://twitter.com/lisamac/statuses/239777272 Lisa McMillan on Twitter 2007-08-31] <blockquote><p>"getting a special email account with no contacts for signing up to social networks. Then, I won't mind when they hijack my address book."</p></blockquote>
 
Apparently this contact spam has in at least one case taken the form of instant-message spam (spim) which is then used to spread a contact-based virus!
 
* [http://twitter.com/theinfonaut/status/1246859290 Leslie Chicoine on Twitter 2009-02-24] <blockquote><p>There's a contacts based virus going around, don't give your IM, Yahoo, Google Contacts etc. info to any website!</p></blockquote>


Solution: support [[social-network-portability]] instead, not address book spamming.


Read more about why this is an anti-pattern:
* 2007-12-19 [http://factoryjoe.com/blog/2007/12/19/public-nuisance-1-importing-your-contacts/ Chris Messina: Public nuisance #1: Importing your contacts]
 
Here are some sites that are currently doing this:
 
=== Bebo invites ===
Bebo appears to have a user interface that makes it too easy for users to unintentionally spam everyone in their address book.
 
Evidence that users have unintentionally been sending invite spam to their contacts:
 
As [http://twitter.com/walelia/statuses/771302864 noted by user Valerie Noble on 2008-03-13]: <blockquote><p>"What the hell, I stupidly sent bebo invites to everyone in my address book. Boo!"</p></blockquote>
 
and [http://twitter.com/cksthree/statuses/773542421 user C.K. Sample III on 2008-03-18]: <blockquote><p>"signed up for bebo. sorry to everyone in my address book who got spammed by the sign up. I thought it would work more like twitter"</p></blockquote>
 
Evidence that users are receiving Bebo invite spam:
 
[http://twitter.com/frankensite/statuses/774020094 Brian Alvey notes on 2008-03-19]: <blockquote><p>"Considering deleting the duplicate Bebo invitations I'm getting. Everyone has 3+ addresses for me. Another address book spam engine. Hurray!"</p></blockquote>
 
Still a problem as of May 2008:


[http://twitter.com/cmpayne/statuses/811938598 Cameron Payne was unpleasantly surprised on 2008-05-15]: <blockquote><p>"goddamn Bebo just invited *everyone* in my Yahoo address book. I don't think I told it to do that. WTF!? Beware!"</p></blockquote>
=== Goodreads are your friends already on ===
Goodreads also has a user interface that misleads even very web-savvy users into unintentionally spamming everyone in their address book.
[http://flickr.com/photos/redcarpet/2619408018/in/photostream/ http://farm4.static.flickr.com/3114/2619408018_25c0147054.jpg]
[http://www.mickipedia.com/ Micki Krimmell] wrote both [http://www.mickipedia.com/?p=1174 a blog post] and a [http://getsatisfaction.com/goodreads/topics/why_did_goodreads_trick_me_into_spamming_my_entire_address_book post on GetSatisfaction] describing her experience with being tricked into spamming all her friends.
A representative from Goodreads has followed up on both Micki's blog post and Getsatisfaction post, however, as far as is known, Goodreads' user interface has not been changed/improved accordingly to be less misleading.
=== Quechup find your friends on ===
[http://www.flickr.com/photos/chrishambly/1302362704/ http://farm2.static.flickr.com/1339/1302362704_63d97a8930.jpg]
Quechup has a feature to "find your friends" which, even if it says "no contact present" will spam all your contacts in your address book and thus annoy all your friends and embarrass you.  Clearly it is not just ''finding your friends from'' your address book, it is ''inviting everyone in'' your address book.
* 2007-07-31 [http://www.ibert.be/2007/07/quechup-disaster.html BERT VAN WASSENHOVE: Quechup disaster]
* 2007-09-02 [http://www.chrishambly.com/content/quechup-and-mass-hysteria Chris Hambly: Quechup And Mass Hysteria]
* 2007-09-02 [http://mashable.com/2007/09/02/quechup/ Mashable: Are You Getting Quechup Spammed?]
* 2007-09-05 [http://www.brianoberkirch.com/2007/09/05/should-google-help-us-stop-quechup-spam/ Brian Oberkirch: should google help us stop quechup spam?]
=== Spock scan my address book ===
* 2007-12-17 [http://beth.typepad.com/beths_blog/2007/12/beware-of-spock.html Beth Kanter: Beware of Spock is not Star Trek 2.0 .... Beware]
== Enter your other site login and password ==
Also known as:
* "<span id="Enter_your_email_login_and_password">Enter your email login and password</span>" anti-pattern.
* Third Party Password Antipattern ([http://flickr.com/photos/tags/3ppantipattern 3ppantipattern], tppantipattern)
* Password Antipattern
Giving any site your login credentials/permissions for another site or service is a <strong>very bad idea.</strong>  You cannot trust that the site will treat your login credentials with proper care (e.g. Quechup uses this anti-pattern to implement the [[#Spam_your_contacts|spam everyone in your address book anti-pattern above]]).
It is also very bad user interface design. These sites that ask for your login (whether gmail or other services) are teaching users a very bad habit, a habit that is akin to what phishing sites depend on.  Essentially you are teaching a user that this type of form is safe whereas it actually presents quite the danger given the number of phishing sites out there.
Don't ask users for their login and password to another site like gMail etc.
Solution:
* drop import support for the sites that don't offer hCard+XFN friends lists and/or [[OAuth]].
** Note that last.fm dropped their password anti-pattern support in the recent (2008 June) redesign!
* support [[social-network-portability]].
* and if you must, support site-specific proprietary APIs which depend on OAuth, e.g. Google Address Book API, Yahoo Address Book API.
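The solution list above points at hCard+XFN friends lists as the import source that needs no third-party password. The following is an added example, not code from the microformats wiki or from any site named on this page: a small importer that reads the XFN contacts from a public profile page. The profile HTML is constructed for the example; the class names (vcard, fn, url) follow hCard and the rel values follow XFN 1.1.

```python
"""Friends-list import via public hCard + XFN markup, with no third-party password.

Added example, not code from the microformats wiki or from any site named on it.
Assumptions: SAMPLE_PROFILE is constructed for this example; class names (vcard,
fn, url) follow hCard and rel values follow XFN 1.1.
"""
from html.parser import HTMLParser

# XFN 1.1 relationship values that mark a social connection worth importing.
# rel="me" is deliberately excluded: it links the owner's own identities.
XFN_CONTACT_VALUES = {
    "contact", "acquaintance", "friend", "met", "co-worker", "colleague",
    "co-resident", "neighbor", "child", "parent", "sibling", "spouse", "kin",
    "muse", "crush", "date", "sweetheart",
}
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link"}  # never closed, so never stacked


class XFNFriendListParser(HTMLParser):
    """Collects {url, name, rels} for every hCard (class="vcard") on a page.

    The open-tag stack gives each element a depth, which is how an hCard and
    its fn element are closed at the right end tag. Assumes well-formed HTML.
    """

    def __init__(self):
        super().__init__()
        self.friends = []
        self._stack = []          # open non-void tags
        self._vcard_depth = None  # depth at which the current hCard opened
        self._current = None      # record being filled for the current hCard
        self._fn_depth = None     # depth of the fn element being captured
        self._fn_text = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        self._stack.append(tag)
        depth = len(self._stack)
        a = dict(attrs)
        classes = set((a.get("class") or "").split())
        rels = set((a.get("rel") or "").split())
        if "vcard" in classes and self._current is None:
            self._vcard_depth = depth
            self._current = {"url": None, "name": None, "rels": set()}
        if self._current is None:
            return  # outside any hCard: nothing to collect
        if tag == "a" and "url" in classes:
            self._current["url"] = a.get("href")
            self._current["rels"] |= rels  # XFN lives on the link to the person
        if "fn" in classes and self._fn_depth is None:
            self._fn_depth = depth
            self._fn_text = []

    def handle_data(self, data):
        if self._fn_depth is not None:
            self._fn_text.append(data)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        depth = len(self._stack)
        if self._fn_depth == depth:
            self._current["name"] = "".join(self._fn_text).strip()
            self._fn_depth = None
        if self._vcard_depth == depth:
            self.friends.append(self._current)
            self._current = None
            self._vcard_depth = None
        self._stack.pop()


def import_friends(profile_html):
    """Return the XFN contacts on a profile page as a list of dicts.

    Entries without a URL, with no XFN relationship, or linked only via
    rel="me" are dropped, so the owner's own hCard is never "invited".
    """
    parser = XFNFriendListParser()
    parser.feed(profile_html)
    parser.close()
    results = []
    for f in parser.friends:
        xfn = f["rels"] & XFN_CONTACT_VALUES
        if f["url"] and xfn:
            results.append({"url": f["url"], "name": f["name"], "xfn": sorted(xfn)})
    return results


# Constructed sample profile page (not a real site): owner hCard with rel="me",
# two real contacts, and a sponsored link that carries no XFN value.
SAMPLE_PROFILE = """<html><body>
<div class="vcard"><a class="fn url" rel="me" href="https://alice.example/">Alice Example</a></div>
<h2>Friends</h2>
<ul>
 <li class="vcard"><a class="url fn" rel="friend met" href="https://bob.example/">Bob</a></li>
 <li class="vcard"><a class="url" rel="contact" href="https://carol.example/"><span class="fn">Carol</span></a></li>
 <li class="vcard"><a class="url fn" rel="nofollow" href="https://ads.example/">Sponsored</a></li>
</ul>
</body></html>"""

if __name__ == "__main__":
    for friend in import_friends(SAMPLE_PROFILE):
        print(friend)  # two entries: Bob (friend, met) and Carol (contact)
```

Because the importer only reads markup the user has already published, there is nothing to leak and nothing to "hijack": the worst a buggy implementation can do is miss a contact, not mail one.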
=== Posts ===
Read more about why this is an anti-pattern:
* 2007-08-14 [http://www.brianoberkirch.com/2007/08/14/two-social-system-design-trends-that-should-really-really-stop-like-now/ Brian Oberkirch: Two social system design trends that should really, really stop. like now.]
* 2007-10-11 [http://adactio.com/journal/1357 Jeremy Keith: The password anti-pattern]
* 2008-01-04 [http://www.brianoberkirch.com/2008/01/04/this-antipattern-is-kryptonite-to-the-open-social-web/ Brian Oberkirch: this antipattern is kryptonite to the open social web]
* 2008-03-15 [http://adactio.com/journal/1421/ Jeremy Keith: Anti-pattern begone] (mentions Google announcement of their Contacts Data API)
* 2008-06-04 [http://adactio.com/journal/1475/ Jeremy Keith: Making contact] (mentions the Yahoo announcement of the release of their Address Book API).
* 2008-07-15 [http://getsatisfaction.com/pownce/topics/why_does_pownce_keep_killing_kittens_with_the_password_anti_pattern Jeremy Keith: Why does Pownce keep killing kittens with the password anti-pattern?]
* 2008-09-23 [http://pownce.com/adactio/notes/3571554/ Jeremy Keith pownces Either the password anti-pattern goes or I do.]
* 2008-09-25 [http://adactio.com/journal/1513/ Jeremy Keith: Anti-pattern recognition]
=== Excuses and responses===
* Some major players are not helping the cause.
** Just because someone/something else big is misbehaving, that is no excuse for you to do so.
* We are following pretty common practice.
** Just because many other folks are misbehaving, that is no excuse for you to.
* Variant: We are implementing the same code as Facebook and Twitter so we went for best practices.
** Implementing the same code is not best practice. Implementing the same code in this case is the lowest common denominator.
* We aren't in a terribly strong position to drop support.
** Of course you are! Precisely because you *are* small. You have less to lose.
** If you pick a public fight with a misbehaving big player over this, guess who wins when the press covers it as a little-guy-vs-big-guy narrative?
* Our growth is flat!
** Exactly - this won't affect it.  But maybe a little positive publicity will help.
* We could implement the OAuth-based proprietary address book APIs, but we'd have to invest the development time to do Facebook, Yahoo, and Google.
** Disable the password anti-pattern code in the meantime.
* The pragmatic downside is that our growth is stagnant, we need to do features that'll benefit us, and this isn't at the top of the list of features that can do that for us.
** This is the opportunity cost argument.  It is the same problem with fixing polluting factories vs. building new factories.
* Why are people threatening to leave us or worse?
** Without community pressure/embarrassment, companies don't change.
* I think we've earned a little benefit of the doubt that we're not 'the industry'.
** Having a "polluting" interface that is on every day means no benefit of the doubt.
==== Pollution analogy ====
The password anti-pattern = teaching people to pollute themselves.
*  Just because everyone else pollutes, doesn't mean it makes it right for you to do so.
* Polluting factories need to be fixed just as much as new factories need to be built.
* Without environmentalist pressure/embarrassment, polluting companies don't change.
* Why not focus your efforts on the huuuuuuge polluters instead of my small company?
** Because it is easier to apply enough pressure to get the smaller guys to change first. The same tactics worked for environmentalists: they used smaller victories to earn bigger victories, until they had racked up enough victories to make the big guys look *really* bad.
Here are some sites that are currently doing this:
=== Blipfm is better with friends ===
[http://www.flickr.com/photos/tantek/3199489045/ http://farm4.static.flickr.com/3389/3199489045_7169ea1a63.jpg]
'''[http://blip.fm Blip.fm]''' - Their "Import Address Book" functionality requests that you enter your username and password for your email provider(s): yahoo, gmail, hotmail, aol, msn.
=== Delta Add To Google Calendar ===
Delta asks you to enter your Gmail UserName(sic) and Password:
https://farm8.staticflickr.com/7405/14084838076_bf959e2dcc_o.png
=== Facebook Connect ===
Per [http://micro.ben-ward.co.uk/post/65425363/facebook-connect Ben Ward's post on Facebook Connect], this user interface:
[http://micro.ben-ward.co.uk/post/65425363/facebook-connect  http://5.media.tumblr.com/5vUVOHNMPhm1sj7138AlwQXho1_400.png]
Appears to encourage users to enter their email address and password into something visually resembling (but easy to mimic) a Facebook popup window on ''any'' site.
Thus all a malicious site would have to do is put up a button saying "Login with Facebook Connect", then display an identically styled virtual popup, and the user, who has been taught by the Facebook Connect UI, will simply enter their email address and password.
There's also a more detailed follow up on Ben's views of the Facebook Connect UI [http://ben-ward.co.uk/blog/oauth-flow/ on his blog] — and compliments for the alternate version, whereby it uses the iframe to improve the UX for users who are ''already logged in'' to Facebook. There's a bit more snark as well, for those who are into that.
Update: This issue was '''fixed''' by Facebook. They now use a separate pop-up window, complete with browser chrome, to log in when you're not already signed in to Facebook.
=== Facebook see if more friends have joined ===
[http://flickr.com/photos/factoryjoe/2110461562/ http://farm3.static.flickr.com/2324/2110461562_e624ab4175.jpg]
[http://blog.benward.me/post/825760204 http://28.media.tumblr.com/tumblr_l5qcn44Rxg1qzt3x8o1_500.png]
'''[http://facebook.com Facebook]''' - Their "see if more friends have joined Facebook" feature provides you with a popup menu to enter passwords for numerous sites.
=== GetSatisfaction Twitter This widget ===
As [http://twitter.com/adactio/status/1020708247 reported by Jeremy Keith], apparently the [http://getsatisfaction.com GetSatisfaction] "Twitter This" widget requests your Twitter username and password. <strong>(screenshot needed)</strong>
See the support thread on GetSatisfaction "[http://getsatisfaction.com/getsatisfaction/topics/stop_asking_for_twitter_passwords Stop asking for Twitter passwords]" for more.
=== Instagram Twitter Login ===
As [https://twitter.com/ade_oshineye/status/616536968663535616 reported by Adewale Oshineye]:
[https://twitter.com/ade_oshineye/status/616536968663535616 https://pbs.twimg.com/media/CI5hGp9WIAANC6r.png]
=== Nsyght import your profile and friends ===
[http://www.flickr.com/photos/tantek/2254537667/ http://farm3.static.flickr.com/2035/2254537667_d831c1fb3a.jpg]
'''[http://nsyght.com Nsyght]''' - Register for an account to import from Digg, Pownce, Last.fm, and Twitter (site is in public alpha)
* Unfortunately the "import from Digg, Pownce, Last.fm, and Twitter" feature depends on entering your username and password to those sites, which is ironic since those sites support microformats and [[social-network-portability]]!
=== Plaxo - Let's look for your friends in your address book ===
[http://www.flickr.com/photos/manveru/3215481930/ http://farm4.static.flickr.com/3088/3215481930_979c0a7f61.jpg]
'''[http://plaxo.com plaxo]''' - Asks in several forms for passwords of different mail services.
=== Plinky - Find Your Friends ===
[http://www.flickr.com/photos/tantek/3218629483/ http://farm4.static.flickr.com/3335/3218629483_e40019cac9.jpg]
'''[http://plinky.com Plinky]''''s "Find Your Friends" feature, which it presents to every newly signed up user, asks for your email address and password for a variety of services.
As [http://twitter.com/dewitt/status/1145448221 DeWitt tweeted]: <blockquote><p>Google, Yahoo, and Microsoft all support browser-based delegated authorization apis for contacts. Plinky should use those apis.</p></blockquote>
See also [http://friendfeed.com/e/6ff1f9ce-df01-4250-05de-c7009f31925f/Wow-Plinky-usernames-are-going-faster-than/ this thread by Jason Shellen (CEO of Plinky)] who says some hopeful things: <blockquote><p>DeWitt - You make a good point. I'll discuss it with the team Monday. In other news, we do support OAuth for posting to Blogger.</p></blockquote>
=== Quechup which friends already use ===
[http://mashable.com/2007/09/02/quechup/ http://mashable.com/wp-content/uploads/2007/09/quechupsignup.PNG]


=== ShareThis import your contact lists ===
[http://flickr.com/photos/factoryjoe/1344414673/ http://farm2.static.flickr.com/1088/1344414673_8e306e265d_o.png]
[http://flickr.com/photos/factoryjoe/1345315346/ http://farm2.static.flickr.com/1143/1345315346_8eb2cf4d7c_o.png]


ShareThis asks for your username and password to email services and social network sites.


=== SlideShare signup form ===
As [http://twitter.com/adactio/status/1020670561 reported by Jeremy Keith], apparently the [http://www.slideshare.net/signup SlideShare signup form] asks for your (in this order)
* Username
* Email Address
* Password
* Confirm Password
<strong>(screenshot needed)</strong>
 
Because of the proximity of "Email Address" and "Password" input fields it is easy to mistake this for asking for your email address and email password. Perhaps it is asking for your email password? Or perhaps it asks for that later in the process? Screenshots would help.
 
See the GetSatisfaction support thread "[http://getsatisfaction.com/slideshare/topics/asking_for_3rd_party_passwords Asking for 3rd party passwords]" for more.
 
=== StockTwits login ===
[http://www.flickr.com/photos/factoryjoe/3061262427/ http://farm4.static.flickr.com/3010/3061262427_3775189375.jpg]
 
StockTwits.com asks you to "Login" with your Twitter username and password.  StockTwits is not run by Twitter, therefore they are asking you for your username and password to another site.
 
=== Twitpic login to twitter ===
[http://flickr.com/photos/ronin691/2368324013/ http://farm3.static.flickr.com/2166/2368324013_0a15d337c0.jpg]
 
Twitpic asks you to enter your Twitter username and password.  They are not the same site, nor are they run by the same people or company.
 
=== Twitter are your friends on ===
[http://www.flickr.com/photos/ronin691/2110909518/ http://farm3.static.flickr.com/2179/2110909518_fde956c2ee.jpg]
 
'''[http://twitter.com/ Twitter]''' is a service that many users (including many of us active with microformats) love and adore and use constantly. Plus they implement microformats (e.g. [[hcard supporting user profiles]] and [[hcard xfn supporting friends lists]])!
 
However, we still need to call them out for supporting the third-party password anti-pattern.
 
As co-authors of [[Oauth]], please Twitter, implement and evangelize that path (perhaps even on that "are your friends on" page), rather than this anti-pattern.
 
=== TwitterNotes ===
[http://flickr.com/photos/guspim/2138354357/ http://farm3.static.flickr.com/2221/2138354357_0c566fd62e.jpg]
 
'''[http://twitternotes.com/ TwitterNotes]''' asks you to "login with your Twitter account" username and password.  They are not the same site, nor are they run by the same people or company.


Solution: support [[social-network-portability]].
== Join to fix your profile ==
Some social network sites create public profiles for you without you having any contact with them.  If there are any mistakes, they make you join in order to fix them.  This sounds like blackmail: Join our service or else we'll continue to publish inaccurate information about you and therefore spam websearch results about you with misinformation.


Blog posts:
=== Spock join to fix ===
* There may be a blog post on this by Chris Messina, but where is it?  Perhaps someone can find it.
* 2007-08-15 [http://www.wired.com/techbiz/startups/news/2007/08/spock_reputation Wired News: Astonishing! Spock Thinks You're a Pedophile]
* 2007-12-16 [http://www.fullcirc.com/wp/2007/12/16/please-dont-invite-me-to-spock/ Full Circle Associates: Please, don’t invite me to Spock]
* 2007-12-16 [http://ourfounder.typepad.com/leblog/2007/12/it-may-be-the-e.html Jim Benson: It May Be the Evil Spock] (and [http://ourfounder.typepad.com/leblog/2007/12/an-initial-resp.html An Initial Response to Spock])


== One Unified Social Network ==


The hope is that these services will see the potential upside of providing open user profiles and social networks through [[social network portability]] and thus enable syndication of such data, as popular blogging services do.
== Requesting All OAuth Permissions ==
=== PurpleWifi ===
PurpleWifi requires that you give it full access to all OAuth permissions of your Twitter Account in order to use their wifi service (which has no need for write access to your Twitter account).
[https://twitter.com/xor/status/694967964114800640 https://pbs.twimg.com/media/CaUFrJUXEAEQ9zh.jpg]
== related ==
* [[social-network-portability]]
* [[anti-patterns]]

Latest revision as of 16:33, 18 July 2020

While social-network-portability documents what to do to put your site on the open social web and be a good user-centric service in general, it's been noted that not everyone follows such advice and instead opts for a bunch of alternative either one-off (wasteful) or downright user-unfriendly tactics. This page documents such anti-patterns of social network design and implementation and provides (unfortunately) real world examples of such badly designed sites.

Spam your contacts

Many social networking sites ask you to upload your address book, or "Find Your Friends", when what the feature really does is Spam your contacts.

These sites seem to use your uploading of an address book as tacit/implied permission to spam all your friends with invites, which will annoy your friends, and make you look foolish.

  • Stephen Spillane apologized on 2008-05-15 to his friends for what sounds like involuntary spamming due to a social network invite:

    "apologies to anyone who got an annoying invite from me to some stupid social network. The things men make me do"

Making users annoy, look dumb to their friends, and feel compelled to apologize is not good design.

This spamming behavior is now so bad, that users are creating new email accounts to knowingly avoid the problem:

Apparently this contact spam has in at least one case taken the form of instant-message spam (spim) which is then used to spread a contact-based virus!

Solution: support social-network-portability instead, not address book spamming.

Read more about why this is an anti-pattern:

Here are some sites that are currently doing this:

Bebo invites

Bebo appears to have a user interface that makes it too easy for users to unintentionally spam everyone in their address book.

Evidence that users have unintentionally sending invite spam to their contacts:

As noted by user Valerie Noble on 2008-03-13:

"What the hell, I stupidly sent bebo invites to eveyone in my address book. Boo!"

and user C.K. Sample III on 2008-03-18:

"signed up for bebo. sorry to everyone in my address book who got spammed by the sign up. I thought it would work more like twitter"

Evidence that users are receiving Bebo invite spam:

Brian Alvey notes on 2008-03-19:

"Considering deleting the duplicate Bebo invitations I'm getting. Everyone has 3+ addresses for me. Another address book spam engine. Hurray!"

Still a problem as of May 2008:

Cameron Payne was unpleasantly surprised on 2008-05-15:

"goddamn Bebo just invited *everyone* in my Yahoo address book. I don't think I told it to do that. WTF!? Beware!"

Goodreads are your friends already on

Goodreads also has a user interface that misleads even very web-savvy users into unintentionally spamming everyone in their address book.

2619408018_25c0147054.jpg

Micki Krimmell wrote both a blog post and a post on GetSatisfaction describing her experience with being tricked into spamming all her friends.

A representative from Goodreads has followed up on both Micki's blog post and Getsatisfaction post, however, as far as is known, Goodreads' user interface has not been changed/improved accordingly to be less misleading.

Quechup find your friends on

1302362704_63d97a8930.jpg

Quechup has a feature to "find your friends" which, even if it says "no contact present" will spam all your contacts in your address book and thus annoy all your friends and embarrass you. Clearly it is not just finding your friends from your address book, it is inviting everyone in your address book.

Spock scan my address book

Enter your other site login and password

Also known as:

  • "Enter your email login and password" anti-pattern.
  • Third Party Password Antipattern (3ppantipattern, tppantipattern)
  • Password Antipattern

Giving any site your login credentials/permissions for another site or service is a very bad idea. You cannot trust that the site will treat your login credentials with proper care (e.g. Quechup uses this antipattern to implement the spam everyone your the address book antipattern above).

It is also very bad user interface design. These sites that ask for your login (whether gmail or other services) are teaching users a very bad habit, a habit that is akin to what phishing sites depend on. Essentially you are teaching a user that this type of form is safe whereas it actually presents quite the danger given the number of phishing sites out there.

Don't ask users for their login and password to another site like gMail etc.

Solution:

  • drop import support for the sites that don't offer hCard+XFN friends lists and/or OAuth.
    • Note that last.fm dropped support for their password anti-pattern support in the recent (2008 June) redesign!
  • support social-network-portability.
  • and if you must, support site-specific proprietary APIs which depend on OAuth, e.g. Google Address Book API, Yahoo Address Book API.

Posts

Read more about why this is an anti-pattern:

Excuses and responses

  • Some major players are not helping the cause.
    • Just because someone/something else big is misbehaving, that is no excuse for you to do so.
  • We are following pretty common practice.
    • Just because many other folks are misbehaving, that is no excuse for you to.
  • Variant: We are implementing the same code as Facebook and Twitter so we went for best practices.
    • Implementing the same code is not best practice. Implementing the same code in this case is the lowest common denominator.
  • We aren't in a terribly strong position to drop support.
    • Of course you are! Precisely because you *are* small. You have less to lose.
    • If you pick a public fight with a misbehaving big player over this, guess who wins? If the press covers it as little guy vs the big guy etc. narrative.
  • Our growth is flat!
    • Exactly - this won't affect it. But maybe a little positive publicity will help.
  • We could implement the OAuth-based proprietary address book APIs, but we'd have to invest the development time to do Facebook, Yahoo, and Google.
    • Disable the the password anti-pattern code in the meantime.
  • The pragmatic downside is that our growth is stagnant, we need to do features that'll benefit us, and this isn't at the top of the list of features that can do that for us.
    • This is the opportunity cost argument. It is the same problem with fixing polluting factories vs. building new factories.
  • Why are people threatening to leave us or worse?
    • Without community pressure/embarrassment, companies don't change.
  • I think we've earned a little benefit of the doubt that we're not 'the industry'.
    • Having a "polluting" interface that is on every day means no benefit of the doubt.

Pollution analogy

The password anti-pattern = teaching people to pollute themselves.

  • Just because everyone else pollutes, doesn't mean it makes it right for you to do so.
  • Polluting factories need to be fixed just as much as new factories need to be built.
  • Without environmentalist pressure/embarrassment, polluting companies don't change.
  • Why not focus your efforts on the huuuuuuge polluters like instead of my small company?
    • Because easier to apply enough pressure to get smaller guys to change first. Same tactics worked for environmentalists. Then they would use smaller victories to earn bigger victories, until they had racked up enough victories to make the big guys look *really* bad.

Here are some sites that are currently doing this:

Blipfm is better with friends

3199489045_7169ea1a63.jpg

Blip.fm - Their "Import Address Book" functionality requests that you enter your username and password for your email provider(s): yahoo, gmail, hotmail, aol, msn.

Delta Add To Google Calendar

Delta asks you to enter your Gmail UserName(sic) and Password:

14084838076_bf959e2dcc_o.png

Facebook Connect

Per Ben Ward's post on Facebook Connect, this user interface:

5vUVOHNMPhm1sj7138AlwQXho1_400.png

Appears to encourage users to enter their email address and password into something visually resembling (but easy to mimic) a Facebook popup window on any site.

Thus all a malicious site would have to do is put up a button saying "Login with Facebook Connect", then display an identically styled virtual popup, and the user, who has been taught by the Facebook Connect UI, will simply enter their email address and password.

There's also a more detailed follow up on Ben's views of the Facebook Connect UI on his blog — and complements for the alternate version, whereby it uses the iframe to improve the UX for users who are already logged in to Facebook. There's a bit more snark as well, for those who are into that.

Update: This issue was fixed by Facebook. They now use a separate pop-up window, complete with browser chrome, to log in when you're not already signed in to Facebook.

Facebook see if more friends have joined

(screenshots: 2110461562_e624ab4175.jpg, tumblr_l5qcn44Rxg1qzt3x8o1_500.png)

Facebook - Their "see if more friends have joined Facebook" feature provides you with a popup menu to enter passwords for numerous sites.

GetSatisfaction Twitter This widget

As reported by Jeremy Keith, apparently the GetSatisfaction "Twitter This" widget requests your Twitter username and password. (screenshot needed)

See the support thread on GetSatisfaction "Stop asking for Twitter passwords" for more.

Instagram Twitter Login

As reported by Adewale Oshineye:

(screenshot: CI5hGp9WIAANC6r.png)

Nsyght import your profile and friends

(screenshot: 2254537667_d831c1fb3a.jpg)

Nsyght - Register for an account to import from Digg, Pownce, Last.fm, and Twitter (site is in public alpha)

  • Unfortunately the "import from Digg, Pownce, Last.fm, and Twitter" feature depends on entering your username and password to those sites, which is ironic since those sites support microformats and social-network-portability!

Plaxo - Let's look for your friends in your address book

(screenshot: 3215481930_979c0a7f61.jpg)

Plaxo - Asks in several forms for passwords of different mail services.

Plinky - Find Your Friends

(screenshot: 3218629483_e40019cac9.jpg)

Plinky's "Find Your Friends" feature, which it presents to every newly signed up user, asks for your email address and password for a variety of services.

As DeWitt tweeted:

Google, Yahoo, and Microsoft all support browser-based delegated authorization apis for contacts. Plinky should use those apis.

See also this thread by Jason Shellen (CEO of Plinky) who says some hopeful things:

DeWitt - You make a good point. I'll discuss it with the team Monday. In other news, we do support OAuth for posting to Blogger.

Quechup which friends already use

(screenshot: quechupsignup.PNG)

ShareThis import your contact lists

(screenshots: 1344414673_8e306e265d_o.png, 1345315346_8eb2cf4d7c_o.png)

ShareThis asks for your username and password to email services and social network sites.

SlideShare signup form

As reported by Jeremy Keith, apparently the SlideShare signup form asks for your (in this order)

  • Username
  • Email Address
  • Password
  • Confirm Password

(screenshot needed)

Because of the proximity of "Email Address" and "Password" input fields it is easy to mistake this for asking for your email address and email password. Perhaps it is asking for your email password? Or perhaps it asks for that later in the process? Screenshots would help.

See the GetSatisfaction support thread "Asking for 3rd party passwords" for more.

StockTwits login

(screenshot: 3061262427_3775189375.jpg)

StockTwits.com asks you to "Login" with your Twitter username and password. StockTwits is not run by Twitter, therefore they are asking you for your username and password to another site.

Twitpic login to twitter

(screenshot: 2368324013_0a15d337c0.jpg)

Twitpic asks you to enter your Twitter username and password. They are not the same site, nor are they run by the same people or company.

Twitter are your friends on

(screenshot: 2110909518_fde956c2ee.jpg)

Twitter is a service that many users (including many of us active with microformats) love and adore and use constantly. Plus they implement microformats (e.g. hcard supporting user profiles and hcard xfn supporting friends lists)!

However, we still need to call them out for supporting the third-party password anti-pattern.

As co-authors of OAuth, Twitter, please implement and evangelize that path (perhaps even on that "are your friends on" page) rather than this anti-pattern.

TwitterNotes

(screenshot: 2138354357_0c566fd62e.jpg)

TwitterNotes asks you to "login with your Twitter account" username and password. They are not the same site, nor are they run by the same people or company.
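What the examples above share (Blip.fm, Plaxo and Plinky prompting for mail-provider passwords, StockTwits and Twitpic prompting for Twitter passwords, SlideShare placing "Password" right under "Email Address") is a password field that either plainly belongs to another service or leaves the user unsure whose password is being asked for. The following is an added example, not code from this wiki or from any site named on it, of a small audit a site can run over its own signup and login templates to catch such prompts before they ship. It uses Python's standard-library HTML parser; the service-name list, the page URL and the three HTML snippets are constructed for the example, and the name matching is a heuristic (a form that merely mentions "Sign in with Twitter" near its own password field would also be flagged and would need manual review).

```python
"""Audit a page's forms for password prompts that belong to another site.

Added example, not from the wiki page or any site it lists. Flags an
<input type="password"> when the text a user reads around it names a
third-party service, or when its form posts to a host other than the page's.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed list of services whose passwords the catalogued sites prompt for;
# matched as whole words so "aol" does not fire inside an unrelated word.
THIRD_PARTY_SERVICES = ("twitter", "gmail", "google", "yahoo", "hotmail", "aol",
                        "msn", "facebook", "last.fm", "digg", "pownce")
SERVICE_PATTERN = re.compile(r"\b(" + "|".join(map(re.escape, THIRD_PARTY_SERVICES)) + r")\b")


class PasswordPromptAuditor(HTMLParser):
    """Collects (finding, detail) tuples for every password input on one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlsplit(page_url).hostname
        self.findings = []
        self._form_action = None   # action of the form being parsed; None outside a form
        self._form_text = []       # visible text seen so far inside that form

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form_action = a.get("action", "")
            self._form_text = []
        elif (tag == "input" and self._form_action is not None
              and a.get("type", "text").lower() == "password"):
            self._audit_password_input(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None

    def handle_data(self, data):
        if self._form_action is not None:
            self._form_text.append(data.strip())

    def _audit_password_input(self, a):
        # Everything the user reads before typing: the field's own name, id and
        # placeholder plus the labels and headings that precede it in the form.
        context = " ".join([a.get("name", ""), a.get("id", ""), a.get("placeholder", "")]
                           + self._form_text).lower().replace("_", " ")
        named = sorted(set(SERVICE_PATTERN.findall(context)))
        if named:
            self.findings.append(("third_party_password", ", ".join(named)))
        # A password field whose form submits to another host is a third-party
        # credential prompt even if no service is named in the text.
        action_host = urlsplit(self._form_action).hostname
        if action_host and action_host != self.page_host:
            self.findings.append(("cross_site_action", action_host))


def audit_password_prompts(page_url, html):
    """Parse html as the page at page_url and return the list of findings."""
    auditor = PasswordPromptAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed samples modelled on the prompts catalogued above.
SAMPLE_FIND_FRIENDS = """
<form action="/import" method="post">
  <h2>See which of your friends are already here</h2>
  <label>Gmail address <input type="text" name="gmail_user"></label>
  <label>Gmail password <input type="password" name="gmail_pass"></label>
</form>
"""
SAMPLE_OWN_SIGNUP = """
<form action="/signup" method="post">
  <label>Username <input type="text" name="username"></label>
  <label>Email <input type="email" name="email"></label>
  <label>Choose a password <input type="password" name="password"></label>
</form>
"""
SAMPLE_CROSS_SITE = """
<form action="https://api.twitter.example/login" method="post">
  <label>Password <input type="password" name="pw"></label>
</form>
"""

if __name__ == "__main__":
    for name, html in [("find-friends", SAMPLE_FIND_FRIENDS),
                       ("own-signup", SAMPLE_OWN_SIGNUP),
                       ("cross-site", SAMPLE_CROSS_SITE)]:
        print(name, audit_password_prompts("https://example.net/page", html))
```

Run against the three constructed forms, the first is flagged for naming Gmail, the second (a site's own signup form) produces no findings, and the third is flagged because its form posts to a different host. The audit deliberately reads only what precedes the password field, since that is what a user sees when deciding which password to type.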

Join to fix your profile

Some social network sites create public profiles for you without you having any contact with them. If there are any mistakes, they make you join in order to fix them. This sounds like blackmail: Join our service or else we'll continue to publish inaccurate information about you and therefore spam websearch results about you with misinformation.

Spock join to fix

One Unified Social Network

Several companies are trying to build the "one unified social network" (to rule them all) where they own/control the social network, and you're "allowed to" build applications on top of their proprietary platform. The most recent example of this is perhaps Facebook.

This is a bad idea for the same reason you don't see "one universal blogging service".

Other examples of folks walking down this path:

  • Socialstream - a Google sponsored project at CMU. Key quote: "a unified social network that, as a service, provides social data to many other applications". See also references in this Forbes article: Google's Secret Society.
  • ...

The hope is that these services will see the potential upside of providing open user profiles and social networks through social network portability and thus enable syndication of such data, as popular blogging services do.

Requesting All OAuth Permissions

PurpleWifi

PurpleWifi requires that you give it full access to all OAuth permissions of your Twitter Account in order to use their wifi service (which has no need for write access to your Twitter account).

(screenshot: CaUFrJUXEAEQ9zh.jpg)
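The fix for this anti-pattern is for the application to ask for the narrowest access that works, at the point where it first asks Twitter for a token. The following is an added example, not code from this wiki, from PurpleWifi or from Twitter, showing how an OAuth 1.0a client requests a read-only request token: it signs the request per RFC 5849 (HMAC-SHA1) and sends Twitter's optional x_auth_access_type=read body parameter, which Twitter's request_token documentation described as letting a read/write-registered app ask for read-only access for a given user. It assumes that parameter is still honoured; the consumer key and secret, callback URL, nonce and timestamp are constructed sample values.

```python
"""Request a read-only OAuth 1.0a request token from Twitter.

Added example, not from the wiki page or any site it lists. Assumes Twitter's
POST oauth/request_token endpoint accepts x_auth_access_type ("read" or
"write") as its documentation described. All credentials below are constructed.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"


def pct(value):
    # RFC 5849 section 3.6: percent-encode everything except unreserved characters.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # Section 3.4.1: encode each key and value, sort by key then value, join the
    # pairs with '&', then concatenate method, URL and that string, each encoded once more.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Section 3.4.2: the key is encoded consumer secret, '&', encoded token secret;
    # the token secret is empty at the request-token step.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request_token_request(consumer_key, consumer_secret, callback,
                                nonce, timestamp, access_type="read"):
    """Return the URL, headers and body of a signed request-token call.

    access_type is sent as x_auth_access_type; "read" asks for the narrowest
    level regardless of what the app's registration would allow.
    """
    if access_type not in ("read", "write"):
        raise ValueError("x_auth_access_type must be 'read' or 'write'")
    oauth = {
        "oauth_callback": callback,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    }
    body = {"x_auth_access_type": access_type}
    # Form-body parameters are signed together with the oauth_* parameters (3.4.1.3.1),
    # so a tampered access level would invalidate the signature.
    base = signature_base_string("POST", REQUEST_TOKEN_URL, {**oauth, **body})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return {
        "url": REQUEST_TOKEN_URL,
        "headers": {"Authorization": header,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": "&".join(f"{pct(k)}={pct(v)}" for k, v in body.items()),
        "base_string": base,
    }


if __name__ == "__main__":
    # Constructed sample credentials; a real client loads these from its configuration.
    req = build_request_token_request("consumer-key-EXAMPLE", "consumer-secret-EXAMPLE",
                                      "https://app.example.net/callback",
                                      "nonce123", 1600000000)
    print(req["headers"]["Authorization"])
    print(req["body"])
```

The returned dictionary is what an HTTP client would POST; nothing is sent here. Because the body is part of the signed material, the access level the user later sees on Twitter's authorization page is the one the application actually asked for.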

related