I wouldn't.

edit

It's worth noting to answer one of your questions: I don't follow my friends around to every new site that pops up. Primarily because only 10% of my friends are technically savvy enough to the point where I would actually use the word "Twitter" around them. I've found this is becoming increasingly more and more the case, we're establishing connections with like minded people online, and isolating ourselves to a certain extent when it comes to who among our friends knows their two cents about social content.

That said, if I create an account on a site "just to test it out", I'll probably use my dummy email account in the first place partially out of habit, and partially to gather any extraneous crap that may get dumped in the inbox anyway.

I've never tried it, but as I understand it, this is the right (and safe) way to get this information.

My guess is that you get an email from Google saying that some application has requested your contact info, along with a link to click in order to allow or forbid it.

edit

A quick look at the documentation describes two ways of getting informations for a Gmail account, either with login+password or using what they call AuthSub Proxy Identification: http://code.google.com/apis/accounts/docs/AuthForWebApps.htm...

The application requests access to the account and gets an authentication token, which can be used to get user information once it's been validated either by login/pass or by the user.

Otherwise you're just another phisher.

"Normal" users don't care. But they'll learn and eventually expect the conventions that we establish. So let's establish conventions that are valuable.

Despite the Facebook Beacon blowup in the blog echo chamber, very few users cared:

http://www.sawickipedia.com/blog/2007/12/05/facebook-bites-t...

So, sure! People who read CodingHorror are concerned about the security issues... but how many of your users even know what the hell CodingHorror is?

If your social network is focused on people who might have heard of CodingHorror, you might want to have second thoughts. If not, keep it secure and be careful about your implementation. Personally, if I trust a site then I'll use the address book import if provided.

EDIT: Like mentioned above, definitely use Google's actual tool to do the import:

http://code.google.com/apis/contacts/

Your duty, as a provider of web services, is to be far MORE concerned with your users' privacy than they are themselves. You know about these things; they don't. They're trusting you.

So do the right thing. Don't add to the problem. Don't add to the list of sites that subtly enforce the very false notion that it's safe to share your email credentials.

It's a bad idea even if you do trust the site to be careful. Every site that has my email credentials, even for a moment, is another potential failure point of the worst kind. Steal my twitter login, fine. You post some garbage, and I have to clean up a mess. Steal my email, and I'm left broke and fighting with credit bureaus to clean up my reputation for 7 years.

Most users don't care about these things. But the fact that about 100% of savvy web professionals are very concerned by this should give you pause before asking for email credentials on your site. Even if you're 100% careful with the info, you're helping the next guy make the case that it's ok ("everyone does it"), and he might not be so careful.

If the topic being debated was about the blog in it's entirety and why Jeff Atwood writes it, you might have an argument here, but considering two people pointed to a blog entry I'm going to disagree wholeheartedly with everything you just said.

The article makes a VERY good point that some folks very often use their email password as the de facto password throughout the Internet. Just because someone comes along and eloquently it's a bad practice doesn't mean people are automatically NOT going to do it, and immediately become more informed to privacy and security concerns.

And even for people who don't use the same password, they just as easily don't want this information just flying across a random connection string for the sake of seeing what your "friends" are up to on this new socially-capable website.

It's not about "Who reads this random arsed blog" any more than it is keeping in mind every avenue of user interaction that will occur on your site, and being accountable for how you use data given to you.

However, while you're at it, why not ask people for their facebooks/myspace credentials? You'll find many more "friends" there than in my email contacts, plus facebook is far less sensitive privacy-wise. If someone got hold of my credentials, the maximum they could do is deface my profile and send some stupid messages to friends. If they got hold of my gmail account, they could access almost every other account that I have through "forgot your password" links...

Not that I'd actually give you my facebook credentials though :)

I'm not the only one who feels this way. Take a look at this, for a start: http://www.codinghorror.com/blog/archives/001128.html

If your social networking idea depends on this, start again.

Users remember their OpenIDs. Use the discovery mechanisms built into the spec to do the hard part for them.

Check out the RESTful apis being built as part of the OpenSocial specification. If they can tell you what network they're a part of that supports OpenSocial (Google, MySpace, hi5, Plaxo, and soon, Yahoo) then you'll be able to kick off an OAuth process that ends in them giving you permission to fetch their friendlist.

But their email username and password? Don't ever do it.

We're past that stage now. It's no longer state of the art, and it's dangerous enough that it ought to be considered harmful by all responsible adults.

Those sites that want your passwords have not figured out a decent solution to the problem. That's an opportunity. Do something better.