James Lyne
Yahoo Hacked And How To Protect Your Passwords
Yahoo yesterday announced that Yahoo mail has been the focus of a co-ordinated hack and that at this time it has confirmed a number of users' e-mail accounts have been compromised; you may be one of them (and if you are, see below for my top tips on how to secure your passwords going forward). It is not clear how many users have been compromised, or exactly how. Yahoo don't have a history of providing much information, but it would be prudent for any Yahoo mail user to take precautions (more on that below). Between the vague statements about malicious code and "a third party was probably to blame", Yahoo has been resetting the credentials of affected users via e-mail and SMS if your mobile is on file. Whilst details are scarce at this time, this continues a trend of bad security and resilience news for Yahoo, who experienced a multitude of issues in 2013. The company made clear in their announcement that a third-party database with shared credentials was likely the source and that they had no evidence the usernames and passwords were taken directly from their systems. Whether the third party was one they provided data to, or a random third party with shared credentials, is not particularly clear. There is insufficient detail to lay blame at this time, but it would certainly be prudent to take steps to secure yourself.
More broadly, the last couple of years have seen a significant spike in the theft of passwords (or their hashed or encrypted representations) from online services as cyber criminals moved beyond financial information as their sole form of profit. Whilst we all wait with bated breath for further details of the compromise, now would be a very good time to upgrade your password. Many providers are very behind the times on password security, but at least you can take steps to minimise the risks. Here are a few tips on how to do it:
- Avoid using the same password across multiple sites and services. That way, if Yahoo credentials are breached, hackers won't be able to jump across into your Twitter, online banking, work accounts or the like. I know this presents a memory challenge for some users, but see the tip below on password managers.
- Choose a password which is not easy to guess. Words with a dictionary root followed by numerals are very common choices and predictable patterns that cyber criminals can use to crack your password very fast. Passwords should be long, phrase based and involve a balance of different types of characters: numbers, letters, capitals and ideally a few symbols. See my fabulous example below.
- Set up password change/reset mechanisms properly – not obviously. Password reset forms on many services ask questions like “Where did you go to school?” or “In which year were you born?”. These questions are easy to answer and can typically be mined from social media pages or the Internet — why would hackers guess your password if they can just tell a system where you went to school and how old you are (you did after all announce your birthday last year on Twitter and your age, didn’t you?). Instead I suggest lying on the Internet. Come up with a scheme of answers to these questions that you won’t forget (or store securely) or better still, if the service allows, specify your own difficult questions.
- Bigger = better! When passwords are stolen from providers they are typically in a hashed or encrypted form, a bit like this: '5f4dcc3b5aa765d61d8327deb882cf99'. This is a hashed password representation, and using clever techniques and computing power attackers can recover the original password and log in to your account. Once they have stolen these hashes it is only a matter of time and effort until they reveal the original. Short passwords might be guessed in seconds to minutes or hours (it depends on the implementation), whereas very long passwords could take years of work (and the cyber criminals are likely to go after someone else). Therefore making your password 60 characters makes life much harder for the cyber criminals if they do manage to break into a service like Yahoo. This of course all assumes the provider isn't just storing your password in clear text, in which case you will be very glad of tip number 1!
- Use a password manager. Password managers generate strong, unique passwords for each of your services and then store them in an encrypted database which you can unlock with one good master password. It is a reasonable compromise for those that do not have an amazing memory but don't want to fall into the pitfall of repeating similar passwords across multiple sites. See below for more information on how this works.
- Register with a breach monitoring service. There are a variety of services on the Internet now which monitor for visible lists of stolen usernames/passwords. Of course, not all breaches are visible, so it is far from a complete list. That said, if your username shows up it will e-mail you a notification and tell you it is time to change.
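The hash quoted in the "Bigger = better" tip is the unsalted MD5 digest of the word "password", which is exactly why a dictionary-rooted choice is recognised the moment the hash leaks. The following added example (mine, not code from the article) confirms that and puts numbers on the length argument: it sizes the character pool a password draws from and estimates the worst-case time to exhaust it at an assumed rate of 10^10 guesses per second (the rate and the short list of weak choices are constructed for illustration).

```python
import hashlib
import math
import string

# The hash quoted in the article; it is the unsalted MD5 digest of "password".
ARTICLE_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"
# Constructed list of well-known weak choices, used only to show why they fail.
COMMON_CHOICES = ("password", "123456", "qwerty", "letmein")


def md5_hex(password):
    """Unsalted MD5 of a password, the legacy storage form the article's hash uses."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def recognised_common_password(digest):
    """Return the common password whose MD5 equals digest, or None.
    A stolen hash of a dictionary word is matched against precomputed lists
    immediately, which is the article's point about predictable passwords."""
    for candidate in COMMON_CHOICES:
        if md5_hex(candidate) == digest:
            return candidate
    return None


def character_pool(password):
    """Size of the alphabet an attacker must cover: lower, upper, digits, symbols."""
    classes = (
        (str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
        (lambda c: c in string.punctuation, len(string.punctuation)),  # 32 symbols
    )
    return sum(size for test, size in classes if any(test(c) for c in password))


def entropy_bits(password):
    """Bits of search space for a random password over its pool: len * log2(pool)."""
    pool = character_pool(password)
    return len(password) * math.log2(pool) if pool else 0.0


def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case years to try the whole space at an assumed GPU-class rate
    (the rate is an illustrative assumption, not a figure from the article)."""
    keyspace = character_pool(password) ** len(password)
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(recognised_common_password(ARTICLE_HASH))  # password
    for pw in ("password", "Tr0ub4dor&3", "a long phrase of 60+ characters is far harder to exhaust!"):
        print(f"{pw!r}: {entropy_bits(pw):.0f} bits, {years_to_exhaust(pw):.1e} years")
```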
You can specify the length of the password (some providers don't allow unlimited length but arbitrarily restrict you to, say, 16 characters, e.g. Microsoft 365 Exchange. Grumble grumble.) and the make-up of symbols and numbers. You can even make it pronounceable for a situation where you might have to actually read the password out (though I don't recommend this for obvious reasons). Each time you click the button you get a nice new secure password which the password manager automatically associates with the website in question, so that you can log in automatically each time while remembering just the one secure master password you specify. Not all password managers are created equal, so it is worth shopping around a little before you commit, but these tools can take the average user's password security from poor to really rather good in an afternoon password-changing party. Lastly, it is important you keep a backup of the encrypted password database (losing all your passwords in one place would be painful), and you may want to think twice about putting the keys to your whole life in there: my banking details, for example, would not be in this application. So why not make something good from another password breach and share these tips with your friends, family and colleagues. I await with bated breath news from a reader that they've successfully made all their passwords over 128 characters.
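How a password manager's generator produces the kind of password described above, as an added example that is mine rather than the article's or any product's code: length and the minimum number of digits and symbols are parameters, every character class is guaranteed present, a pronounceable variant shows what that convenience costs, and the symbol set is a constructed, conservative one that most sites accept.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"   # conservative, constructed symbol set (23 characters)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS   # 85 characters in total
_rng = secrets.SystemRandom()         # OS CSPRNG; never random.random() for secrets


def generate_password(length=32, min_digits=2, min_symbols=2):
    """Random password of exactly `length` characters with at least `min_digits`
    digits, `min_symbols` symbols and one character of each letter case."""
    if length < min_digits + min_symbols + 2:
        raise ValueError("length too short for the requested character mix")
    chars = [secrets.choice(DIGITS) for _ in range(min_digits)]
    chars += [secrets.choice(SYMBOLS) for _ in range(min_symbols)]
    chars += [secrets.choice(LOWER), secrets.choice(UPPER)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    _rng.shuffle(chars)   # required classes must not sit at predictable positions
    return "".join(chars)


def generate_pronounceable(syllables=8, trailing_digits=2):
    """Consonant-vowel syllables that can be read aloud, plus trailing digits.
    Far less entropy per character than generate_password (compare entropy_of)."""
    consonants, vowels = "bcdfghjkmnprstvwz", "aeiou"
    word = "".join(secrets.choice(consonants) + secrets.choice(vowels)
                   for _ in range(syllables))
    return word.capitalize() + "".join(secrets.choice(DIGITS) for _ in range(trailing_digits))


def meets_policy(pw, min_digits=2, min_symbols=2):
    """Check the guarantees generate_password makes (a sanity test for the output)."""
    return (sum(c.isdigit() for c in pw) >= min_digits
            and sum(c in SYMBOLS for c in pw) >= min_symbols
            and any(c.islower() for c in pw) and any(c.isupper() for c in pw))


def entropy_of(random_choices):
    """Approximate bits of entropy for a password built from independent uniform
    choices, given as (alphabet_size, count) pairs, e.g. [(85, 32)]."""
    return sum(count * math.log2(size) for size, count in random_choices)


if __name__ == "__main__":
    print(generate_password(32), entropy_of([(85, 32)]))           # ~205 bits
    print(generate_pronounceable(), entropy_of([(17, 8), (5, 8), (10, 2)]))  # ~58 bits
```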
Follow me on Twitter @jameslyne