Flixster wants you to give them access to your email accounts so that they can invite everyone from your address book to join Flixster. They do this by asking you to provide them with the password for those accounts. Read here and here for details. This is bad. Very bad.
The argument in favor of this tactic is that it's simply good marketing and good usability.
Joe Greenstein, founder, said in an interview, "We make it easy to invite your friends. Other sites don't provide good ways for people to spread the word. And, we tried to build a really compelling site."[source]
I have several problems with this approach. First of all, I don't want any company that begins their terms of service with a picture of a monkey and "I can't believe you really clicked on this. What are you trying to find out?" storing any password of mine. Of course, they also "reserve the right, at our sole discretion, to change, modify, add, or delete portions of these Terms of Service at any time without further notice." Does this little guy really inspire confidence?

I think that's the obvious issue. The less obvious problem is that Flixster is teaching users bad habits. Handing out your password(s) is not a good thing to do. The security industry and organizations have been trying to educate users on this point as much as possible. Users should be wary of third-party sites asking for login information. Flixster shouldn't make that activity normal. Somewhere out there, someone is looking to fund a startup called Bankster that will happily help you manage all your bank accounts.
Comments (3)
Tim,
This is a fairly common thing these days, unfortunately, as sites like WAYN.com, Hi5.com and Facebook.com offer this functionality. Now most of them make the statement that they don't store your password... they use it then and then discard it... For this however, you have to trust the company.
What I find scarier than the password itself is what they do with the email address. Something more people are being smart about is having a "spam" account... An account where just their spam is sent and they use that when signing up for random websites. These sites that offer to invite your contacts are responding with the same intelligence. You may sign up with a "spam account" but now they are offering to invite your friends by parsing your hotmail, yahoo, gmail and other online webmail address books. When you provide them the password, you are also providing them with the email address to your previously spam free account. If signup address != tell contacts address, they've found a gold mine of information to resell.
This also gets them around their privacy policy, since most promise not to resell your account and profile information. These "tell a friend" email addresses don't fall into that category.
That being said, I do find these "tell a friend by letting us parse your contact list" options convenient and I am guilty myself of using them from time to time. When I do though, I limit the account to a single one that has all my contacts in it, that I don't use for daily email and that has a unique password. If I'm joining a social networking website, letting 150 or 200 contacts know is a slow process... this definitely speeds it up.
Even LinkedIn.com offers this service... a website that's supposed to be dedicated to professionals. I think that "Don't use it" is the proper message... I think that "be safe when using it" is the right message to send.
Posted by Tyler Reguly | March 26, 2007 9:00 AM
I can't say I agree with you Tyler. Using a separate account might be a decent strategy, but you still have companies actively encouraging users to hand out their passwords. Given how common password re-use is, it's just plain scary.
A better bet would be a common 'share your contacts' function within the webmail apps. As long as users are happy to hand over their passwords, however, there's no motivation to move to a more secure method.
Posted by Tim Erlin | March 26, 2007 9:12 AM
Ah Tyler, I was once like you, trying to keep a "real" email address and using others in public. DNS A records pointing at *.domain.tld are fun for that, as are wildcard email aliases. But how can you be that careful with your account and submit your 150-200 contacts' potentially "real" emails to third parties?
Ultimately though, it's more hassle than it's worth when, at the end of the day, I'm going to want to check my public email anyhow. Instead, the combination of DSPAM and greylisting works amazingly well for me. For personal email, it really is simplest and most effective to use hotmail, gmail or similar as they host enough mail to be able to identify spam with a much higher degree of accuracy than you or I simply because of the amount of information available to them.
Generally, I think that email alone should not be taken seriously until there is better verification of user identity. My bank doesn't, nor does any bank I'm aware of, conduct transactions via email. I won't do anything serious without better confirmation than an email---I might mortgage my house and send a wire transfer to the account of a dear friend in some dire need, but I wouldn't do that based on an email. THAT is the message that the public needs: email, itself, is not serious authentication.
If everyone agrees on that, is it such a big deal that Mark at Facebook can write email as if you sent it? And reading it, is your relationship or life going to really be that much worse off because someone you'll never know reads some personal detail or another? With techniques above, are you really going to get more spam?
So it doesn't matter. And, on top of that, do you have that much protection already?
Right now, if I rewrite my From: header and the envelope sender, are you going to believe me? How ludicrous does my email have to be before you read my header and find out that the scary message didn't come from anything like your expected sender's IP but instead an outside one? Do you tunnel your IM accounts every time you use unencrypted wifi? etc.
Heh, of course all that is utterly wrong. You want as much security and privacy as you can get if it doesn't cost you too much convenience to get it and our collective imagination is the only limit to the reasons why. For example:
Let's say I'm in, oh, Nigeria, have carved out an email scam empire and am looking to be more sophisticated and more profitable. Maybe I decide I want to do extortion: steal as much email/conversation data as I can through browser vulnerabilities, wifi, etc. etc. etc. and have lots of people and algorithms looking for common things that people might not want posted variously on the web in conjunction with their name and address and enough context from the email or conversation to make it believably them.
Google indexes it all, and people search other people's names/cities often enough to make the threat credible. Or they could just, oh, threaten to email it to your whole contact list that you gave them the password for the express purpose of accessing in the first place?
The barrier of entry to the "ad-financed social networking thing" business model is pretty low. What if such a person is behind the web-toy-du-jour? What if they are patiently collecting a massive database of everyone's little offhand remarks? Anything you'd pay $5000 to keep from being sent to your SO? What about $50? Maybe you want to be careful with that email after all...
Posted by Jason Skomorowski | March 26, 2007 2:57 PM