In my research I've found a few good PHP scripts, a couple of .NET examples, and ... a disturbing few 3rd party services that will do this FOR YOU, i.e. they offer to act as a contact-importing gateway, hosted on their servers, totally free.
I'll admit I haven't tried any of these services, even with the fleet of fake identities I set up just for this research. I just know it is a *very* bad idea to use a 3rd party for importing addresses, and as a conscientious webmaster, I won't go near it.
For one thing, they'll be asking your customers/users for their email passwords, so their script can sign into their account and grab this personal information on their behalf. It's no different from giving a stranger your email password, and inviting them to read your mail any time they wish. When you import contact lists from a webmail account, that account's security is compromised until the password is changed, which naturally wouldn't happen until it's too late and the damage is done.
How many people do you think would use the same name/password for their email and for their online banking? Is it conceivable that someone with a webmail account might use identical information at eBay, PayPal, Hotmail, Yahoo, Google, Amazon, etc? It's more than conceivable, it's typical behavior. Crack someone's webmail account, and you're likely to be able to use that password for a few other interesting things.
Scarier still, someone with your webmail password essentially becomes you, can change your password and lock you out, and begin doing all sorts of things on your behalf. Sending mail to your friends. Spamming. Buying things. Closing accounts. Forging identities. Being able to verify a double-opt-in service in someone else's name can be very profitable.
So. When you offer a feature like importing webmail contacts, you are asking the user to trust you with very sensitive information. Serve and respect your users by not betraying that trust to an unknown provider. If you "trick" someone into cracking their hotmail open for a hacker to steal personal information because they thought they could trust you, you've got to consider potential liability when their bank account is cleaned out the next day.
Sites that allow a user to import contacts from webmail are leveraging trust to ask their users to divulge very sensitive information. If you use another's service to do this, can you guarantee that they aren't phishing?
Tip: use a unique password for every online service. Get a notebook to write them down, and lock it up somewhere very secure. Or consider this: some smart netizens surf using an algorithm that is easy to do in their head, like pwd=Fn(domain) where domain is "Amazon" or "Hotmail", and Fn() is a tricky algorithm like pig latin with a personal twist. But don't use pig latin, that's too easy. Come up with a sneaky way to screw up a word into jumbled characters that you can easily remember and reproduce. Never tell a soul. Then all your passwords will be unique and - hopefully - unguessable! Write down the password trick, seal it in an impenetrable cryptex and hide it somewhere utterly confounding. Leave geocaching directions to find the cryptex in your Last Will and Testament, so when you die your heirs and executors will have a fun adventure finding and unlocking your accounts!
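As an added illustration of the pwd=Fn(domain) idea in the post above (this is example code written for this page, not code from the original poster), here is the same scheme done with a keyed hash instead of a mental word-scrambling trick. It goes a little beyond the post: Fn is HMAC-SHA256 keyed by a single memorised master secret, so even if one site leaks its password in the clear, an attacker would have to invert HMAC to learn the master secret and thus the other sites' passwords. The master secret, the site names and the 16-character output format are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# The one thing the user memorises. Assumed value for this example only.
MASTER_SECRET = b"correct horse battery staple"


def derive_password(master_secret: bytes, domain: str, length: int = 16) -> str:
    """Return pwd = Fn(domain), with Fn = HMAC-SHA256 keyed by the master secret.

    The domain is lower-cased so "Amazon" and "amazon" yield the same password.
    Use the canonical domain you actually log in to; a look-alike phishing
    domain will simply derive a different, useless string.
    """
    digest = hmac.new(master_secret, domain.lower().encode("utf-8"), hashlib.sha256).digest()
    # Base64 gives a printable mix of upper/lower/digits and symbols; truncate to
    # the requested length (16 chars of base64 is roughly 96 bits of the digest).
    return base64.b64encode(digest).decode("ascii")[:length]


def all_unique(passwords) -> bool:
    """True when no two sites share a password, the property the post is after."""
    return len(set(passwords)) == len(passwords)


def demo() -> dict:
    """Derive a password for each of the sites named in the post and return them."""
    sites = ["Amazon", "Hotmail", "Yahoo", "PayPal", "eBay", "Google"]  # constructed sample
    derived = {site: derive_password(MASTER_SECRET, site) for site in sites}
    for site, pwd in derived.items():
        print(f"{site:8s} -> {pwd}")
    return derived


if __name__ == "__main__":
    demo()
```

The point of the keyed hash is that the "trick" lives in the secret key, not in the procedure, so the procedure can be public without weakening anything; a proper password manager does essentially this with a random per-site password and an encrypted vault.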