Probably everybody encountered this in the past: the need to register somewhere to view content or order something. Normally everybody is willing to open an account and provide profile details to do so. But there are times when people start to think “I don’t want to post my real data and actual email address here.” and either provide a fake (could be real shadow mailbox) email address or decide upon entering the real thing.
It happened to me a short while ago. I wanted to view some profiles on Carview but was hesitating if I should enter my real credentials. In the end I decided to do so and provided my real email address. Then the problem of activation made me frown on this subject again. Why do I need to activate myself through an email which is ending up in my junk mail anyway?
At work we ended into a discussion about this subject because we need to do profiling on some of our portals as well. The discussion was mainly if a profile should be unique on email address.
Why do we seek email addresses?
In the early days of the Internet an email address was hard to get. Normally providers would provide you with an address. I can still remember using the “free” dialup at the VPRO and thus not having an email address. Same happened to many people visiting cyberbars in the early days.
Back then anyone could enter things in contact forms, forums and other services without checking if the person actually existed. Of course a lot of these services were spammed and people started to get irritated.
So, if an email address is hard to get we would know for sure that we have a real person here who really takes care of their email address he/she will activate the account through a link inside an email. So we have both authentication and authorization here: we authorize this person because we know that we have a single person here and we authorize the existence of the person because he/she clicks on the activation link. You can see it as some sort of Turing-test.
But I can open ten free hotmail accounts if I want to!
A lot of people assume that asking for an email address solves the problem of multiple accounts because you simply don’t allow double addresses. After free email services like Hotmail and Gmail started anyone could open several accounts at the same time.
Besides that it became easier to start and play your own provider: just register a domain and install your own mail server and you’re all set!
Of course spammers started using this method as well started automating this. Everybody has seen spam on blogs, fora and other media. Most of this is done automated with either freely registered email addresses or through own domains (cachette.com for instance).
Why not make use of a captcha then?
Well, the captcha was invented to do the Turing-test and ask the user to provide an answer to a simple question, for instance a sentence in to only a real human readable letters. It works and it keeps most spammers away but it doesn’t solve the problem: hire cheap labor or reward other people solving Captchas and you’re set. Besides that: to the normal user Captchas are annoying since most of them are unreadable or not solvable.
Since currently the Captcha is widely spread and almost everybody uses it, it becomes more and more interesting to crack Captchas. Escpecially Hotmail and GMail Captchas are interesting to crack since it gives access to free email accounts. Spammers are starting to get more and more sophisticated and are able to crack multiple Captchas every second, so the Captcha is not safe anymore!
What has it all to do with email addresses then?
Well, let’s get back to the basics then: why do we need an email address?
Certainly not anymore for performing a Turing-test. Anyone could script the activation through email, or just buy cheap labor to do this.
Maybe we should ask ourselves: do we need to send emails to the users?
Well, most of the time when I provide my email address I make sure it is not set to “receive newsletters”. Let’s be honest: newsletter suck, I never read them anyway.
When looking at my forum I only need an email address to send notifications to users when they receive a PM or when they set “notify me on replies on this topic”. So that’s only when a user specifically wishes to receive emails. Of course I currently ask them to provide an email address to do the Turing-test and see if they really exist and at the same time I also ask them to provide a Captcha: that’s a double Turing-test!
I really wonder if it would be better to just skip the whole email hassle, be more user friendly and only ask them to prove an email address if they really wish to receive emails. And why do both? The Captcha is annoying to users and most automated emails get lost in junk mail filters. Why not use only a user friendly Captcha, like asking alternating open questions like What is the color of the sun? instead? Of course everybody knows that the Sun is blue! :P
What about password reminder emails then?
Well, that’s one of the problems… It is considered more secure to send a password reminder (uhm, changed password actually!) than ask some “I forgot my password” question which anyone can guess!
Of course: when I hijack your email account with the stupid “forgot my password” question I have access to all your profiles anyway. Go to each of the profile services and ask for a password reminder and presto: I’m in!
However I don’t really have anything better than sending password reminders to email addresses. This is one of the weak points of my ranting. :(
But what’s that got to do with me?
Well, I’ve changed the Comment section of my blog to not requiring to enter an email addres and asking a user friendly (not always alternating) question. I don’t have the need of verifying your email address or sending you password reminders… ;)
