Password security

Last year I signed up with Facebook, and the “find friends” page asked me to give them the password to my GMail account so that it could log in as me and look at my list of contacts (address book), then see whether any of those people are already registered. I, however, was disinclined to acquiesce to their request; with my password, they would be able to impersonate me (sending emails on my behalf), intercept incoming emails, and even lock me out of my own account. I’m not saying that the Facebook programmers in particular would necessarily do any of these things, but I prefer to be cautious about handing out that type of information.

This may seem a bit paranoid, but I read an interesting post today at Coding Horror: A Question of Programming Ethics. Basically, somebody wrote a shareware program called “G-Archiver” that will store a backup copy of your GMail messages on your hard drive; in order for this to work, you obviously have to provide your password. However, it turns out that the program was emailing all these passwords back to the programmer. Oops.

In fairness, you need to type your password into your computer somehow if you want to get at your email; this could be through a web browser or a dedicated email application (e.g. Outlook Express). So, you have to make the trade-off: who do you trust? Personally, I’m willing to trust Microsoft applications, although I know that other people disagree. I’m also willing to trust Firefox. However, open source isn’t a panacea; just because something can be read, that doesn’t mean that anyone has actually read it, particularly if it’s obscure. It’s also worth mentioning that the same thing could be done on other platforms (e.g. a Mac); this isn’t a virus, it’s the program doing exactly what it was designed to do.