On July 12th 2012, Yahoo confirmed that a large number of passwords originating at its Associated Content site were leaked.
If you ever used Yahoo Voices (formerly known as Associated Content), you should check to see if you were affected, particularly if you have a habit of using the same username/email and password combination on multiple sites.
Even if you never used Yahoo or Associated Content, your customers might have. If you have online systems that your customers access, this might affect your customers and your internal systems, so please read on.
Were you or your customers affected?
To see if your username or email is on the leaked list, visit http://dazzlepod.com/yahoo/ and enter the login you used at Yahoo or Associated Content.
If your login name is on the list of leaked logins, it will be shown at the bottom of the page – without showing your password, of course. If it’s there, you need to change your password and more importantly, you need to change your password on every site that uses that combination of username and password.
Need new passwords?
When I need high-complexity passwords, I use the GRC Password Generator, which randomly generates complex passwords with each visit.
To test the strength of each password you choose to replace the leaked one, you can use GRC’s Password Haystack, which compares the complexity of your password against the estimated brute-force computing time needed to try enough combinations to find a match.
An interesting sidebar to the Haystack password complexity analysis is this XKCD passwords cartoon. The XKCD password fares quite well on the Haystack test, while remaining easy to memorize.
What about my customers?
If your customers have online accounts that match a login on the leaked Yahoo login list, you should disable them and contact your customers with instructions explaining how to update their passwords.
Feel free to point them at this piece to explain the situation. Doing this before a problem develops is good, proactive customer service to help them protect their accounts (and possibly your business) from fraud.
Lessons your small business can learn from this breach
These lessons apply both to the login/password pairs you use and those your systems might store for your clients.
Strategies that will help keep your small business safer:
- Don’t use the same password on multiple sites, otherwise one successful effort to get your password means the criminal could gain access to more than one of your online services/accounts.
- Don’t store passwords in plain text. Hash them. Hashing is, in simple terms, a one-way transformation: a password string can be converted to a hash string for storage, but the hash cannot be converted back to the password. A staffer with access to the hash can’t use it to access a client’s account. The question is… how did they get the hash, and what else can they get to?
- Have your IT staff salt your passwords (i.e., add random characters to them) before hashing them for storage.
- Change your passwords frequently. Many of the login/password pairs in this breach were quite old and from inactive Associated Content accounts, yet they still worked on numerous sites, judging from the number of accounts disabled by Google and other vendors.
- Don’t write the passwords on Post-It Notes and stick them to your monitor in a public place (like your workplace).
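The hashing and salting bullets above, worked through as an added example (this is not code from the original post or from any vendor it mentions). It contrasts a plain unsalted SHA-256 hash, where two accounts with the same password end up with identical hashes, with a per-account random salt plus a deliberately slow hash (PBKDF2), which is what makes a stolen table hard to turn back into passwords; the usernames, passwords and iteration count are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample "user database": username -> stored record.
# Plaintext passwords never go in here; only the salt and the hash.
USERS = {}

# PBKDF2 parameters (constructed). The iteration count makes every guess slow
# for anyone who obtains the table; a plain SHA-256 hash offers no such slowdown.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_sha256(password):
    """Weak approach: identical passwords give identical hashes, so a leaked
    table reveals shared passwords and can be matched against precomputed lists."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(username, password):
    """Hash with a fresh random per-user salt and store only salt + hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest}
    return digest


def verify_password(username, password):
    """Re-hash the attempt with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(attempt, record["hash"])


def demo():
    """Two users pick the same (constructed) password; only the salted store hides that."""
    pw = "correct horse battery staple"  # constructed sample password
    alice, bob = store_password("alice", pw), store_password("bob", pw)
    return {
        "unsalted_match": unsalted_sha256(pw) == unsalted_sha256(pw),  # True: the weakness
        "salted_match": alice == bob,                                  # False: salts differ
        "alice_ok": verify_password("alice", pw),
        "alice_wrong": verify_password("alice", "wrong password"),
        "unknown_user": verify_password("carol", pw),
    }
```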
Read this Information Week piece for additional discussion on lessons to learn from the Yahoo password breach.
How do I manage all these passwords?
By now, with advice like “change your passwords frequently” and “don’t use the same password for multiple sites” swimming in your head along with the thought of how many different accounts you have, you’re probably wondering how you could possibly manage to remember all those different login/password pairs.
Of course, I keep them all in my head.
Yes, I’m kidding.
RoboForm integrates with my browser (and Windows/Mac) to remember passwords for me (in encrypted form) and will only fill them in for me after entering a master password – so I have one password to remember no matter what, rather than dozens. I’ve used it for some time and it’s a great time saver that helps me use good password management practices.
When you visit a site, RoboForm shows you a button (or drop down, if you have multiple accounts at that site) that will fill in the password for the site – after you enter your master RoboForm password.
You can disable the master password prompt for some or all logins if you wish, so that you’re only asked for the master password at set intervals. Disabling the master password might be OK on your home computer, but I wouldn’t do it at your workplace.
The important thing is not what password management tool you use – but that you protect your login/password pairs and use them wisely – and make sure your staff does the same.