Chip's Technical Blog

Tech commentary of thoughts, challenges, how-to's, and the mundane.

Validating email addresses

As an early user of gmail, I was able to select precisely the username I wanted, ckillian, which is a very common username for people whose first name starts with ‘C’ and whose last name is Killian. Unfortunately, as often goes for popular shared services, there are many gmail users who fit those parameters. By itself, that wouldn’t be a problem, except that on occasion, these other gmail users seem to forget that ckillian is not their email address. They will use it to buy tickets on ticketmaster, place beach house reservations, setup ipod accounts, request proprietary recipes from companies, purchase items from websites, and, most recently, even to use it to purchase online postage from the USPS.

The “best” part is when users are so convinced it is their address that they go through Google’s password recovery system to try to get my password. This has happened 3 times so far. (I know, because Google sends me a link to my email addresses to follow if I want to proceed in resetting my password.) One truly intelligent user, after going through the password change system and failing, actually sent me an email asking if I would forward the information to her, which I was happy to do (on a temporary basis).

I recognize that for the users, this is generally an honest mistake (I get these receipts for a CXXXX Killian, and what’s obvious to me is that ckillian is there username for some other things, and they just got mixed up while entering the email address). When I get such receipts, responses, etc., if there is a phone number listed for the user, I often make the attempt to phone them to let them know of their mistake. But more often than not, there is no method shown to contact them with. In these cases, I have two options: (1) ignore it, and hope I don’t get stuck on some mailing list, or (2) contact the seller/sender and let them know they are sending information to the wrong party. Some vendors handle this well — the Apple store took care of it without hassle. Others, like the USPS, take some convincing (at first they thought I was trying to commit fraud). And then there are those like Ticketmaster, who I have simply given up on, because I can’t seem to get them to stop sending me junk even when I did setup the account (and diligently unchecked the boxes so I would not receive the junk).

This represents a fairly significant issue though, because for many of these services and sites, by going through a forgotten password dialog, I could have the password reset and emailed to my account, giving me access to their information and account, and possibly other information such as credit cards, or perhaps just the ability to purchase things using their credit cards.

And what frustrates me the most is that most of these sites have set up a kind of account based on this email address, without validating that the new user actually has access to the email address. It’s one thing if you simply mistype an email and as a result a single receipt goes to the wrong email address. It’s yet another if you are saving state for the user under this email address without validating it. Most websites form of validation is just to have the user type it twice. But we should know by now that user data cannot be trusted, and if we are going to store that kind of information, we really should validate the email address.

And it’s not even that hard to do so—mailing lists do this all the time. When you subscribe, they send you an email for you to prove you have received before allowing your subscription to proceed. All sites creating accounts should do the same. I would much rather have gotten an email from the USPS telling me to validate someone else’s account (which I would not have) than gotten a receipt for a delivery confirmation postage for a particular person.

So to those of you developing websites which create accounts for email addresses — please, please, please validate these email addresses before storing them!

Leave a Reply

Chip's Technical Blog is proudly powered by WordPress
Entries (RSS) and Comments (RSS).