How the Yahoo password breach could affect you, even if you don’t use Yahoo

Photo: "Power Of One" (Creative Commons License, photo credit: Ian Sane)

On July 12th 2012, Yahoo confirmed that a large number of passwords originating at its Associated Content site were leaked.

If you ever used Yahoo Voices (formerly known as Associated Content), you should check to see if you were affected, particularly if you have a habit of using the same username/email and password combination on multiple sites.

Even if you never used Yahoo or Associated Content, your customers might have. If you have online systems that your customers access, this breach might affect both your customers and your internal systems, so please read on.

Were you or your customers affected?

To see if your username or email is on the leaked list, visit http://dazzlepod.com/yahoo/ and enter the login you used at Yahoo or Associated Content.

If your login name is on the list of leaked logins, it will be shown at the bottom of the page – without showing your password, of course. If it’s there, you need to change your password and more importantly, you need to change your password on every site that uses that combination of username and password.

Need new passwords?

When I need high-complexity passwords, I use the GRC Password Generator, which randomly generates complex passwords with each visit.

To test the strength of each password you choose to replace the leaked one, you can use GRC’s Password Haystack, which compares the complexity of your password against the estimated brute-force computing time needed to try enough combinations to find a match.

An interesting sidebar to the Haystack password complexity analysis is this XKCD passwords cartoon. The XKCD password fares quite well on the Haystack test, while remaining easy to memorize.

What about my customers?

If your customers have online accounts that match a login on the leaked Yahoo login list, you should disable them and contact your customers with instructions explaining how to update their passwords.

Feel free to point them at this piece to explain the situation. Doing this before a problem develops is good, proactive customer service to help them protect their accounts (and possibly your business) from fraud.

Lessons your small business can learn from this breach

These lessons apply both to the login/password pairs you use and those your systems might store for your clients.

Strategies that will help keep your small business safer:

  • Don’t use the same password on multiple sites, otherwise one successful effort to get your password means the criminal could gain access to more than one of your online services/accounts.
  • Don’t store passwords in plain text. Hash them. Hashing is, in simple terms, a one-way form of encryption. A password string can be converted to a hash string for storage, but hashing techniques create a hash that cannot be converted back to the password. A staffer with access to the hash can’t use it to access a client’s account. Question is…how’d they get the hash and what else can they get to?
  • Have your IT staff salt your passwords (i.e. add a random value to each one) before hashing them for storage.
  • Change your passwords frequently. Many of the login/password pairs in this breach were quite old and from inactive Associated Content accounts, yet they still worked on numerous sites, judging from the number of accounts disabled by Google and other vendors.
  • Don’t write the passwords on Post-It Notes and stick them to your monitor in a public place (like your workplace).
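To make the “hash, and salt before hashing” advice concrete, here is an added example (not from the original post) that stores the same password three ways: plain text, an unsalted hash, and a per-password random salt combined with a slow key-derivation function (PBKDF2, a step beyond the plain hash the post describes), with a verification routine that reads the salt back out of the stored record.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value chosen for this demo)


def store_plaintext(password: str) -> str:
    """What the breached site did: the stored value IS the password."""
    return password


def hash_unsalted(password: str) -> str:
    """Better: a one-way hash. But the same password always gives the same
    hash, so a leaked table can be compared against precomputed hashes and
    every user sharing a password is exposed at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes = None) -> str:
    """Best: random per-password salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Returns 'iterations$salt_hex$hash_hex' so the salt is stored with the record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    # Constructed sample: two users who picked the XKCD password from the post.
    pw = "correct horse battery staple"
    salted_a, salted_b = hash_salted(pw), hash_salted(pw)
    return {
        "unsalted_collide": hash_unsalted(pw) == hash_unsalted(pw),  # True
        "salted_collide": salted_a == salted_b,                      # False
        "verify_ok": verify_salted(pw, salted_a),                    # True
        "verify_wrong": verify_salted("Tr0ub4dor&3", salted_a),      # False
    }
```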

Read this Information Week piece for additional discussion on lessons to learn from the Yahoo password breach.

How do I manage all these passwords?

By now, with advice like “change your passwords frequently” and “don’t use the same password for multiple sites” swimming in your head along with the thought of how many different accounts you have, you’re probably wondering how you could possibly manage to remember all those different login/password pairs.

Of course, I keep them all in my head.

Yes, I’m kidding.

I use a password management tool called RoboForm Everywhere (secure download here).

RoboForm integrates with my browser (and Windows/Mac) to remember passwords for me (in encrypted form) and will only fill them in for me after entering a master password – so I have one password to remember no matter what, rather than dozens. I’ve used it for some time and it’s a great time saver that helps me use good password management practices.

When you visit a site, RoboForm shows you a button (or drop down, if you have multiple accounts at that site) that will fill in the password for the site – after you enter your master RoboForm password.

You can disable the master password question for some or all logins if you wish so that you’re only asked for the master password on various intervals. Disabling the master password might be OK for your home computer, but I wouldn’t do it in your workplace.

Other password management solutions include 1Password, KeePass (free, open source) and LastPass. I’ve tried LastPass and didn’t mesh with it, but you might.

The important thing is not what password management tool you use – but that you protect your login/password pairs and use them wisely – and make sure your staff does the same.


One thought on “How the Yahoo password breach could affect you, even if you don’t use Yahoo”

  1. I like your first 3 lists of strategies. I like the last 2 less. Writing down passwords and posting them in your office is lame. And yes, you shouldn’t do it. But this is a far less likely way to run into trouble (compared to others), and doing this at home (while again, not perfect) is even less likely to be an issue.

    Changing frequently is not great advice. Studies show if people have to change frequently they will write them down. There are just too many to remember. If you have passwords like network logins… and force users to change too frequently, they will write them down. Change them once a year or so and it might be the right balance.

    The best solution is to do what you suggest and use a password management tool. This lets you generate very complex passwords and you don’t have to remember them. You just need to remember one to get into your tool (and probably a few more for things like signing onto the network…).

    Do not, do not, do not reuse usernames and passwords anywhere you care about someone getting your password. If you do this, then changing frequently makes sense – but the solution is to not do this, not to change frequently.

    In addition to your advice for business owners:
    1) DO NOT LIMIT to some tiny number of characters. Let people put in at least 30 (if they want)
    2) DO NOT LIMIT to numbers and letters

    It is amazing how many financial institutions even limit to just numbers and letters and a very small number of characters like 10. The password cracking has changed from 15 years ago when that might have been acceptable. See the comic mentioned above. Long is now very important, yet many sites don’t allow it.
