
Ignoring their recent fail at logging passwords.

It has been established as minimal practice that NO ONE should be asking you about your password. If this became normal, it would also make regular people more likely to give out their passwords.

And email is key to your online kingdom, so it's a big deal if it gets compromised.




At the very least, your mail client has to ask you for your email password. Might sound like I'm splitting hairs but I don't think most users have a strong sense of why that's different from Facebook doing it. And with wizzy online features crammed into more and more desktop software (seen Photoshop lately?) you can't really fault them for it.


Your mail client isn't a company, that's not the same.

You're right that the wording is important, and we do a bad job explaining what passwords actually mean, and how to treat them. A simpler analogy: Don't give your house keys to strangers, McDonald's has no business asking you for your keys to confirm your order.

I don't think users need to understand why, they just need to understand what to do / not to do. I've taught my mother to never give anybody her passwords, not even me, and if anyone asks her for her password to call me. She's mildly annoyed when I'm helping her with something and I tell her to please input her password, but she's gotten used to it. Did it work? It did. The representatives for a car sharing company were poorly trained and asked her to write her email and her password into a form. She refused, walked out and called me because she was worried that they were trying to get into her bank account. Turns out they wanted her to choose a password for their service, and were just very bad at wording it (and had the terrible idea to have customers hand-write it into a form and let somebody transcribe it into the computer system) and the guys working in the office had only been handed a script, they didn't actually know what information they were supposed to get. I'm certain that they accidentally harvested a good number of valid email/password combinations since it's a leading company that is owned by a major car manufacturer and has a good reputation.


Especially when most users are probably using the same password for both, or are just warming up to the concept that you shouldn’t do that.


This is security by "no one should be asking for your password". The responsibility is with the user and they need to be taught "you must not disclose your password to just anyone who asks for it".


And having well-known entities ask for people's passwords normalizes such behavior and teaches users that this is normal and OK to do.


Does it really? It is wrong and the users need to know it.


Yeah, thanks Facebook for doing all the wrong things so that users can have a clear example of what is wrong! (only half joking)


And how is Facebook explaining to users what they need to know?



