Facebook and Yahoo Find a New Way to Save the Web’s Lost Email Addresses





When Yahoo proposed a plan to reuse mothballed email addresses, a lot of people didn’t like it. WIRED’s Mat Honan called it a “very bad idea,” and with good reason.


The problem is that email addresses are used for password recovery on sites across the web. Let’s say that, a decade ago, I signed up for Facebook using bob@yahoo.com as my email address, and that became a way of recovering my Facebook password. If I then stopped using Yahoo, a scammer could wait until bob@yahoo.com became available and then simply take over my Facebook account.


But Facebook and Yahoo are now offering a solution to this problem, making new use of the internet’s email protocol, known as Simple Mail Transfer Protocol, or SMTP. They’ve written software that lets Facebook timestamp its password recovery messages, showing the date they last confirmed that the Yahoo address was legit. If the account has changed hands since then, Facebook simply drops the message. That stops password resets from falling into the wrong hands.


This could finally free up so many of the email addresses that have been left unused not only at Yahoo, but at other online email providers, including Google and Microsoft. The trick is that websites—sites like Facebook that handle password recovery—need to adopt this standard for it to be truly effective. We expect that banks and other security-minded institutions will jump on board, but no doubt, there will be sites that don’t. And former Yahoo users will probably learn about them the hard way.


Facebook and Yahoo have already written their reset-checking software, but they’ve also submitted their protocol as a potential extension to the way that SMTP works. They’ve given it the snappy name RRVS (Require-Recipient-Valid-Since). Expect to see it on geek t-shirts soon.
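As an added illustration (not code from Facebook, Yahoo, or the original article), the Python below shows the ownership check behind the timestamp: the sender states when it last confirmed the address, and the message is dropped if the mailbox changed owners after that date. It assumes the header value takes the form `address; date`, as later standardized in RFC 7293, and that the mailbox provider makes the comparison; the ownership table, addresses, and function names are constructed for the example.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"  # field name from the article

# Constructed provider record: when each mailbox passed to its current owner.
OWNER_SINCE = {
    "bob@example.com": datetime(2013, 8, 15, tzinfo=timezone.utc),   # recycled
    "alice@example.com": datetime(2004, 3, 1, tzinfo=timezone.utc),  # never recycled
}

def parse_rrvs(value):
    """Split 'address; date-time' into (address, timezone-aware datetime)."""
    addr, sep, when = value.partition(";")
    if not sep or not addr.strip():
        raise ValueError("malformed field")
    stamp = parsedate_to_datetime(when.strip())
    if stamp.tzinfo is None:
        raise ValueError("timestamp has no usable zone")
    return addr.strip().lower(), stamp

def decide(raw_message, rcpt):
    """Return 'deliver' or 'drop' for one recipient of one message."""
    msg = message_from_string(raw_message)
    for value in msg.get_all(HEADER, []):
        try:
            addr, valid_since = parse_rrvs(value)
        except (ValueError, TypeError):
            return "drop"  # this example's choice: fail closed if unreadable
        if addr != rcpt.lower():
            continue  # constraint applies to a different recipient
        owner_since = OWNER_SINCE.get(addr)
        if owner_since is None or owner_since > valid_since:
            return "drop"  # unknown mailbox, or owner changed after sender's check
        return "deliver"
    return "deliver"  # sender requested no ownership check

def make_msg(to, rrvs=None):
    """Build a constructed password-reset message, optionally with the header."""
    lines = ["From: security@site.example", f"To: {to}", "Subject: Password reset"]
    if rrvs:
        lines.append(f"{HEADER}: {rrvs}")
    return "\n".join(lines) + "\n\nUse the link to reset your password.\n"

if __name__ == "__main__":
    stale = make_msg("bob@example.com", "bob@example.com; Tue, 01 Jun 2004 09:23:01 -0700")
    print(decide(stale, "bob@example.com"))
```

A site that omits the header gets its reset delivered to whoever holds the mailbox now, which is the gap the article warns about for sites that do not adopt the extension.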


