Ask HN: How many of you willing to give gmail/yahoo info to expand the network
The question I have is: We want to have a sign-up page, where we will allow user to "create an username" and next step will be to enter thier gmail/yahoo username/pass(we wont store and we will say that) to fetch thier contacts so the user can know who is already using our service. The user if wishes can skip this step.
Initially, we were thinking of using openid and remove the "create username" step. But we thought not many people may remember thier openid. Another alternative was that they could sign in using thier yahoo/gmail account.
But the problem is it would be frusttrating for the user to once give us their gmail info to signup(i.e just creating the username) and then again to fetch the contacts(to see which of their contacts is using our service). Also many users may just want to checkout the services without expanding the network, so combining the above steps into one signon wouldn't also make sense, right? So we thought we should be going the usual "create username" route.
My questions are:
1. Do you think asking user to create a username would be a big hassle when compared to entering thier gmail id twice. What do you think?
2. My second question is more of what you would normally do. Normally will users give thier username/pass to a not-so-popular website? Lots of websites like stubleupon,linkedin,FB do this.
3.Also when checking out a new service, would you just want to create an username to check it out or also will you take the extra step to discover which of your friends are using? If they are not using, normally are you ok to send an invite. This sort of seems wierd, bcos you are just signing up, it would make sense for you to invite your friends without knowing if its good?
16 comments
[ 3.8 ms ] story [ 63.5 ms ] threadI wouldn't.
edit
It's worth noting to answer one of your questions: I don't follow my friends around to every new site that pops up. Primarily because only 10% of my friends are technically savvy enough to the point where I would actually use the word "Twitter" around them. I've found this is becoming increasingly more and more the case, we're establishing connections with like minded people online, and isolating ourselves to a certain extent when it comes to who among our friends knows their two cents about social content.
That said, if I create an account on a site "just to test it out", I'll probably use my dummy email account in the first place partially out of habit, and partially to gather any extraneous crap that may get dumped in the inbox anyway.
I've never tried it, but as I understand it, this is the right (and safe) way to get this information.
My guess is that you get an email from Google saying that some application has requested your contact info, along with a link to click in order to allow or forbid it.
edit
A quick look at the documentation describes two ways of getting informations for a Gmail account, either with login+password or using what they call AuthSub Proxy Identification: http://code.google.com/apis/accounts/docs/AuthForWebApps.htm...
The application requests access to the account and gets an authentication token, which can be used to get user information once it's been validated either by login/pass or by the user.
which do you think is better for you(and normal not so tech savvy users)?
Otherwise you're just another phisher.
"Normal" users don't care. But they'll learn and eventually expect the conventions that we establish. So let's establish conventions that are valuable.
I'm not the only one who feels this way. Take a look at this, for a start: http://www.codinghorror.com/blog/archives/001128.html
If your social networking idea depends on this, start again.
Despite the Facebook Beacon blowup in the blog echo chamber, very few users cared:
http://www.sawickipedia.com/blog/2007/12/05/facebook-bites-t...
So, sure! People who read CodingHorror are concerned about the security issues... but how many of your users even know what the hell CodingHorror is?
If your social network is focused on people who might have heard of CodingHorror, you might want to have second thoughts. If not, keep it secure and be careful about your implementation. Personally, if I trust a site then I'll use the address book import if provided.
EDIT: Like mentioned above, definitely use Google's actual tool to do the import:
http://code.google.com/apis/contacts/
If the topic being debated was about the blog in it's entirety and why Jeff Atwood writes it, you might have an argument here, but considering two people pointed to a blog entry I'm going to disagree wholeheartedly with everything you just said.
The article makes a VERY good point that some folks very often use their email password as the de facto password throughout the Internet. Just because someone comes along and eloquently it's a bad practice doesn't mean people are automatically NOT going to do it, and immediately become more informed to privacy and security concerns.
And even for people who don't use the same password, they just as easily don't want this information just flying across a random connection string for the sake of seeing what your "friends" are up to on this new socially-capable website.
It's not about "Who reads this random arsed blog" any more than it is keeping in mind every avenue of user interaction that will occur on your site, and being accountable for how you use data given to you.
Your duty, as a provider of web services, is to be far MORE concerned with your users' privacy than they are themselves. You know about these things; they don't. They're trusting you.
So do the right thing. Don't add to the problem. Don't add to the list of sites that subtly enforce the very false notion that it's safe to share your email credentials.
It's a bad idea even if you do trust the site to be careful. Every site that has my email credentials, even for a moment, is another potential failure point of the worst kind. Steal my twitter login, fine. You post some garbage, and I have to clean up a mess. Steal my email, and I'm left broke and fighting with credit bureaus to clean up my reputation for 7 years.
Most users don't care about these things. But the fact that about 100% of savvy web professionals are very concerned by this should give you pause before asking for email credentials on your site. Even if you're 100% careful with the info, you're helping the next guy make the case that it's ok ("everyone does it"), and he might not be so careful.
Users remember their OpenIDs. Use the discovery mechanisms built into the spec to do the hard part for them.
Check out the RESTful apis being built as part of the OpenSocial specification. If they can tell you what network they're a part of that supports OpenSocial (Google, MySpace, hi5, Plaxo, and soon, Yahoo) then you'll be able to kick off an OAuth process that ends in them giving you permission to fetch their friendlist.
But their email username and password? Don't ever do it.
We're past that stage now. It's no longer state of the art, and it's dangerous enough that it ought to be considered harmful by all responsible adults.
However, while you're at it, why not ask people for their facebooks/myspace credentials? You'll find many more "friends" there than in my email contacts, plus facebook is far less sensitive privacy-wise. If someone got hold of my credentials, the maximum they could do is deface my profile and send some stupid messages to friends. If they got hold of my gmail account, they could access almost every other account that I have through "forgot your password" links...
Not that I'd actually give you my facebook credentials though :)
Those sites that want your passwords have not figured out a decent solution to the problem. That's an opportunity. Do something better.