I’ve always been concerned about the whole “give us your e-mail password and we will tell you which of your friends are registered on our service” thing on social networking sites.  To the point that I refuse to give out the password.  If I give out my password, the sites can do whatever they want with it.  Surely there is a better way!

While I’ve been reading about open standards for such things, today was the first day I actually saw it in practice.  I registered for GoodReads this week.  When clicking on find friends, you see the usual – click yahoo/hotmail/gmail/AOL/facebook/twitter/plaxo.  When clicking you have the option to type your password.  For some, you have an alternate choice.  Marked as “new”.  This alternate choice actually looks secure.

Summary of providers

Walking through gmail

1. Click “Or: sign in directly on Gmail. (new)”
2. Takes to page at a GOOGLE URL saying “The site www.goodreads.com is requesting access to your Google Account for the product(s) listed below.  Google Contacts“
3. Choose “grant access”
4. [do stuff on GoodReads]
5. Optional which I did because I only want to grant one time access – remove GoodReads from accessing my contacts list:
   1. Go to Google Accounts
   2. Click “change authorized websites”
   3. Click “revoke access”

The good

I am giving google my password.  Google already has my gmail password and is just checking it is correct.  I’m not passing it through GoodReads.  Google is also telling me specifically what information they are letting GoodReads see.

The bad

Just because I e-mailed someone once and they are in my Google contact list doesn’t mean I know them.  I also have to trust GoodReads won’t spam all my contacts.  Both of these problems exist with the old “give me your password” method.  I’m willing to accept both of these on a reputable site and not willing to provide a password.  So great progress.