Yahoo's (and Your) Lesson in Proper Passwords
Don’t look now, but your Yahoo password may be in the public domain. A hacker group known as D33D has posted some 450,000 Yahoo loginsfor the world to download. I won’t tell you where to find them; I am sure you can figure that out all by yourself.
The hack affected Yahoo Voices, a crappy content mill, not to be confused with Yahoo Voice, a crappy IP telephony service. Voices (plural) started out life as Associated Content, known around these parts as the Evil Dung Heap of the InterWebs. Yahoo Voices is a Web site for people who desperately want to be published authors, as well as for publishers who desperately want to avoid paying actual authors a living wage.
So forgive me if I am feeling a bit churlish over this breach. The first question that comes to mind is, does anyone still use Yahoo? Really? Why?
- How to determine if your LinkedIn password has been compromised
- How to select a password management system
The second question: Why did you contribute to Associated Content/Yahoo Voices? If you wanted to do something evil, couldn’t you have just strangled a puppy?
Because the logins were stored entirely unencrypted in plain text (friggin' eedjits), and hackers posted them without any kind of redaction (friggin' a**holes), they’re open for all kinds of fun analysis. CNET’s Declan McCullagh, clearly enjoying a slow news day, wrote a program to analyze the passwords for patterns. Among his many conclusions:
The word password was used as a password 780 times, not including the 233 times it was used in conjunction with a number, such as 123password.
The word welcome was used 437 times. Hey, Yahoo Voices users are nothing if not friendly.
The word freedom and the other somewhat more NSFW f-word were both employed exactly 161 times. Draw your own conclusions there.
Other popular password terms included ninja (333 times), baseball (133), superman (106) and starwars (52). Given the quality of content generated by most Associated/Yahoo Voice contributors, it comes as no surprise that many are teenagers.
The most common password combo, used nearly 2300 times, was a sequential series of numbers, such as 123456.
The real danger here is a) whether your name and password were among those leaked, and b) if you used the same ones for more important Web sites, such as your bank or Paypal. (If so, change them now. I’ll wait.) Otherwise, this is mostly a cautionary tale.
Like the LinkedIn/eHarmony password breach last month, the Yahoo hack underscores a basic fact of our increasingly connected lives: Passwords suck. They are an extremely lame way to protect anything of importance. There are too many of them and they are too hard to remember, which is why most of us pick simple ones and recycle them. If an attacker has figured out your email login, he or she can pretty much obtain any password you use by using the most common option to recover or change your passwords – making the whole system moot. And while cloud services exist to remember your passwords for you, they have their own problems as well.
So, like I said, passwords suck. Two factor authentication is slightly better, but only just. These days that usually takes the form of a service texting a PIN to your phone, which you then enter into a Web site.
We need a better system. The one that comes to mind, though imperfect in many respects, involves some form of biometrics: fingerprints, eye scans, voice recognition, etc. But that would require a sacrifice many Netizens are unwilling to make: the loss of Web anonymity, the locking down of our identities online.
In the meantime, do what I do: Pick your spots. Make sure your important passwords -- the ones that would really hurt you if they got out, like your banking login -- are inscrutable. Make sure your email login is also inscrutable, for the reasons noted above. And as for the rest? 123456password is as good as any. Because do you really care if people can access your Yahoo Voices account? Really?
Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.
Now read this: