Facebook and Yahoo Find a New Way to Save the Web's Lost ...


When Yahoo proposed a plan to reuse mothballed email addresses, a lot of people didn't like it. WIRED's Mat Honan called it a "very bad idea," and with good reason.

The problem is that email addresses are used for password recovery on sites across the web. Let's say that, a decade ago, I signed up for [email protected], and that became a way of recovering my Facebook password. If I then stopped using Yahoo, a scammer could wait until bob@yahoo.com became available and then simply take over my Facebook account.

But Facebook and Yahoo are now offering a solution to this problem, making new use of the internet's email protocol, known as Simple Mail Transfer Protocol, or SMTP. They've written software that lets Facebook timestamp its password recovery messages, showing the date they last confirmed that the Yahoo address was legit. If the account has changed hands since then, Facebook simply drops the message. That stops password resets from falling into the wrong hands.

This could finally free up so many of the email addresses that have been left unused not only at Yahoo, but at other online email providers, including Google and Microsoft.

The trick is that websites --- sites like Facebook that handle password recovery --- need to adopt this standard for it to be truly effective. We expect that banks and other security minded institutions will jump on board, but no doubt, there will be sites that don't. And former Yahoo users will probably learn about them the hard way.

Facebook and Yahoo have already written their reset-checking software, but they've also submitted their protocol as a potential extension to the way that SMTP works. They've given it the snappy name RRVS (Require-Recipient-Valid-Since). Expect to see it on geek t-shirts soon.

Robert McMillan covers the complex technologies that run behind the scenes to make your mobile apps do cool things. Send him a tip at robert_mcmillan@wired.com
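The timestamp comparison described above, sketched from the mailbox provider's side as an added example (not Facebook's or Yahoo's code). The `address; date` layout of the header value, the ownership table, the sample message and the fail-closed handling of a malformed field are assumptions of this example.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"

# Constructed sample data: when each mailbox was handed to its current owner.
OWNER_SINCE = {"bob@yahoo.com": datetime(2013, 8, 15, tzinfo=timezone.utc)}

# Constructed password-reset message; the sender last confirmed the address in 2011.
STALE_RESET = (
    "From: noreply@social.example\n"
    "To: bob@yahoo.com\n"
    "Subject: Reset your password\n"
    "Require-Recipient-Valid-Since: bob@yahoo.com; Wed, 1 Jun 2011 09:23:01 -0700\n"
    "\n"
    "Use the link in this message to choose a new password.\n"
)

def claimed_valid_since(raw_message, recipient):
    """Return the sender's timestamp for recipient, or None if no field names it.

    Raises ValueError when a field names the recipient but has no usable date.
    """
    for value in message_from_string(raw_message).get_all(HEADER, []):
        addr, sep, date_text = value.partition(";")
        if addr.strip().lower() != recipient.lower():
            continue
        if not sep:
            raise ValueError("RRVS field has no date")
        try:
            when = parsedate_to_datetime(date_text.strip())
        except TypeError as exc:  # older Python versions signal a bad date this way
            raise ValueError("RRVS date is unparseable") from exc
        if when.tzinfo is None:
            raise ValueError("RRVS date has no usable time zone")
        return when
    return None

def should_deliver(raw_message, recipient, owner_since=OWNER_SINCE):
    """True if the message may be delivered to the recipient's current owner."""
    try:
        claim = claimed_valid_since(raw_message, recipient)
    except ValueError:
        return False  # this example's choice: fail closed on a malformed field
    if claim is None:
        return True   # sender did not request the check
    assigned = owner_since.get(recipient.lower())
    # Deliver only if the mailbox has had the same owner since the claimed time.
    return assigned is not None and assigned <= claim
```

Messages without the header are delivered as usual, which is why the protection only covers senders that adopt it.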


