Thursday, August 28, 2008

GMail + Address - Why Duplicated Logic Is Still A Bad Idea

If you use GMail, you probably already know that you have an infinite number of addresses with a single account. You can add periods wherever you like in the address. You can also add tags to the address using the '+' symbol. So, foobar@gmail.com, foo.bar@gmail.com, fo.obar+baz@gmail.com all go to the same place.

I like using the '+' tags when giving out my email to automated systems and signups. This makes it easy to determine if someone is handing out my address for spam when I haven't agreed to that.

Here's the duplicated logic part:

So, a while back I activated a subscription for MSDN. I used my.address+msdn@gmail.com for the email address. Today, I needed to download something, and I went to log in again, and the system is behaving like I don't remember the password. This is possible, but unlikely since the passwords that I tend to use (1) I remember, and (2) fit most all password schemes. However, I conceded that, perhaps, I don't remember the password. When I go to enter the email address for password retrieval, I get a validation error stating that the email address that I entered is malformed. Funny, MSDN didn't have any trouble sending the email to that address. I tried with the +msdn, and of course, that yielded a validation error stating that the email address was not in the system.

And, yes, I did go back to the confirmation email, and they DID send it to the ...+msdn@gmail.com address. So, that is, in fact, the address that I registered with.

It's obvious what's going on here. The registration site gleefully accepted an email address that the password retrieval site refuses to accept as a well-formed address. The logic for what constitutes an email address has been duplicated. Perhaps at some point they were the same. The registration site may have been "enhanced" to allow the '+' addresses, or perhaps the lost password site was "fixed" to only allow certain formats of email address. Regardless, it now rests as one system with different rules for what is and is not valid.

Furthermore, this leads me to suspect that the login site actually shares the same rules with the lost password site. Meaning, I was able to register with an email address that I cannot log in with.
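The mismatch described above can be caught by running every form's address check over the same inputs and reporting the addresses they disagree on. The following is an added example, not code from this post or from MSDN: both regular expressions are hypothetical stand-ins for the site's unknown rules, and the login form is assumed to share the reset form's rule, as suspected above.

```python
import re

# Hypothetical patterns; the site's real rules are not shown in the post.
# The registration form's copy of the rule allows '+' in the local part...
REGISTRATION_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
# ...while the copy used by password reset (and, by assumption, login) does not.
RESET_RE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def registration_accepts(addr):
    return REGISTRATION_RE.fullmatch(addr) is not None


def reset_accepts(addr):
    return RESET_RE.fullmatch(addr) is not None


def is_valid_email(addr):
    """The fix: one rule, defined once, called by every form."""
    return REGISTRATION_RE.fullmatch(addr) is not None


def disagreements(addresses, validators):
    """Map each address the forms disagree on to the forms that reject it."""
    out = {}
    for addr in addresses:
        rejected = sorted(name for name, ok in validators.items() if not ok(addr))
        # Only a partial rejection strands a user; unanimous verdicts are fine.
        if rejected and len(rejected) < len(validators):
            out[addr] = rejected
    return out


DUPLICATED = {"register": registration_accepts,
              "reset": reset_accepts,
              "login": reset_accepts}
SHARED = {name: is_valid_email for name in DUPLICATED}

# Constructed sample inputs; the addresses are the ones used in the post.
SAMPLES = ["foobar@gmail.com", "foo.bar@gmail.com", "fo.obar+baz@gmail.com",
           "my.address+msdn@gmail.com", "not-an-address"]

if __name__ == "__main__":
    print("duplicated rules:", disagreements(SAMPLES, DUPLICATED))
    print("shared rule:     ", disagreements(SAMPLES, SHARED))
```

Run as a regression test, a non-empty result for the deployed validators means some users can register with an address they cannot later use to log in or recover the account.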

Looks like I'll have to talk with a human to get this sorted out tomorrow. Figures that I would find it thirty minutes after everyone goes home.