Yahoo lacked policies for password creation

Summary: A researcher calls Yahoo's loss of 400,000 passwords a "total password failure" because the site had no password policy and stored passwords in plain text. The breach also exposed accounts from other domains, including the U.S. Congress.

TOPICS: Security, Privacy

The password breach at Yahoo not only ensnared hundreds of thousands of users from other domains such as Google, AOL, Comcast, Verizon and the U.S. Congress, but revealed that the site lacked even common password policies.

Among the 400,000-plus accounts compromised, 98 had the single-character password "0," according to analysis of the data by researchers at Rapid 7, a penetration and vulnerability-testing vendor.

Single-character passwords show that Yahoo had no policy in place, not even a minimum length, to force users to choose passwords that could be considered strong.

Not that it mattered much. Yahoo was storing the passwords in plain text; no hash, no salt, according to Marcus Carey, a security researcher at Rapid 7. He called the plain-text password storage “an industry no-no. That should be Security 101.”

“It was a total password failure,” he said.
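As an added illustration (this is example code, not code from the article, from Yahoo or from Rapid 7), here is what the two missing controls look like in Python: a minimal policy check that rejects a one-character password such as "0", and salted, iterated hashing in place of plain-text storage. The minimum length, the distinct-character rule and the PBKDF2 iteration count are assumptions chosen for the example, not values the article reports.

```python
import hashlib
import hmac
import os

# Assumed thresholds for this example; choose them for your own deployment.
MIN_LENGTH = 8
PBKDF2_ITERATIONS = 200_000


def check_policy(password):
    """Return the list of policy violations; an empty list means acceptable.

    The article reports 98 accounts whose entire password was "0"; a
    minimum-length rule alone would have rejected every one of them.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(set(password)) < 4:
        problems.append("fewer than 4 distinct characters")
    if password.isdigit():
        problems.append("digits only")
    return problems


def store_plaintext(password):
    """What the article says Yahoo did: the stored record IS the password.

    Anyone who can read the table, or a leaked dump of it, gets every credential.
    """
    return password


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256; returns a self-describing record.

    A fresh 16-byte salt per user means identical passwords produce different
    records and precomputed tables are useless; the iteration count makes each
    guess expensive for an attacker holding the dump.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def register(password):
    """Enforce the policy, then store only the hash. Raises on a weak password."""
    problems = check_policy(password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    print(check_policy("0"))                              # the article's 98 accounts
    record = register("correct horse battery staple")
    print(record[:40] + "...")                            # salt and digest, no password
    print(verify_password("correct horse battery staple", record))
    print(verify_password("0", record))
```

`hmac.compare_digest` keeps the comparison constant-time so a verifier does not leak how many digest bytes matched. PBKDF2 is used here because it ships in the standard library; a new deployment today would more likely pick a memory-hard function such as scrypt or Argon2, and the self-describing record format is what lets you migrate users to a stronger function or a higher work factor on their next login.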

Hundreds of thousands of passwords were paired with email addresses from domains outside the Yahoo domain. The list included (106,873 users), (55,148), (25,521) and (8,536). It also included a number of military and government users, including domains from the FBI, IRS, the House of Representatives, the Senate and the U.S. Treasury.

While Yahoo announced that the passwords were valid for only 5% of the Yahoo domain users (roughly 7,000 accounts), it did not put numbers on the other domains.

The credential combinations for the non-Yahoo domain users included their email address and a password they created, which may well be the password for that email account itself, or one they reuse across sites.

In a Washington Post survey last month, 30% of respondents said they use the same password for different websites, such as banking, social networking and shopping.

Those users may now be vulnerable to attacks on their accounts outside the Yahoo domain.

“Odds are a sizeable percentage are vulnerable because they possibly re-used the same email address and associated password on other accounts, so hackers could use that to log into their gmail or hotmail,” said Carey. “It’s safe to assume that the hackers can get into multiple sites based on these credentials.”

Yahoo instructed those with hacked accounts to change their passwords across all the sites where they might have used the identical password.

“This shows you that when someone is breached it can have far reaching consequences,” said Carey.

Just this week, Best Buy provided a real-world example when the company admitted to customers that hackers armed with credentials stolen up to a year ago from another site were attacking Best Buy's ecommerce site.

“We see in hacks that the hacker you finally catch may be the second or third group that has gotten access to these records,” said Carey. “In those cases, password security is not the root cause of the problem.”

Carey says he doesn’t believe that the number of password hack attacks is up despite recent cases such as LinkedIn, Phandroid and Yahoo.

“I think social media and exposure by other media are raising awareness,” he said.

Here is a list of the Top 10 domains involved in the Yahoo password hack:

  1. 137,559
  2. 106,873
  3. 55,148
  4. 25,521
  5. 8,536
  6. 6,395
  7. 5,193
  8. 4,313
  9. 3,029
  10. 2,847

   Source: Rapid 7


John Fontana is a journalist focusing in identity, privacy and security issues. Currently, he is the Identity Evangelist for cloud identity security vendor Ping Identity, where he blogs about relevant issues related to digital identity.

  • Where every dinosaur knows your name

    I wonder how much of the absence of policy is due to the age of Yahoo. It was one of the very first popular sites on the web. I doubt people gave much thought to "password policies" back then.

    So we should wonder the same things about some of the other 'pioneer' web sites. I don't use hotmail but it was a pioneer. So was Juno, and they're still around. Active Worlds, too.
    Robert Hahn
    • Interesting...

      I've been online since the late '80s (CompuServe, Prodigy, and AOL when it was the first "Internet Onramp" (you should pardon the expression) and was for the Mac only) and I'm currently the Moderator for two Yahoo Groups.

      I would say that the majority of spam I've seen (and still see) has indeed been from hotmail, juno, and yes, Yahoo. I used to get a lot of spam on AOL, but not so much currently.

      Another place I used to see a lot of spam from were .edu accounts - especially at the beginning of the school year.

      So, yes, I'd have to say that there are still a lot of sites out there that don't educate their users in proper password development.
  • Result of Outsourcing

    to India
  • But I don't

    The reality is I am not too worried. My accounts that really matter are two-step or two-factor protected. I telesign into my account and I have the security knowing I am protected if my password were to be stolen. So if they were to try to use the “stolen” password and don’t have my phone nor are on my computer that I have designated trusted, they would not be able to enter the account. But for you password Nazis I still change my password regularly just to keep you happy.
  • Password policies

    "I doubt people gave much thought to "password policies" back then."

    When I signed up with CompuServe in the mid-'80s they gave me a password that contained letters and numbers and required any replacement password to be at least 8 characters long and contain letters and numbers.

    I helped develop a password storage routine for a computer company in 1979. Passwords were used as the key to encrypt a standard phrase using the DES 56-bit algorithm. We only stored the encrypted password - nothing was ever stored in plain text.

    Both of these events predated Yahoo. Password protection has been in the computer science literature since the early '70s. These days 56-bit DES is considered weak but there are other, more secure methods being used today. Yahoo may just have chosen to ignore computer industry best practices in some cases.
    • A long time ago ...

      These passwords were not for normal Yahoo accounts. They were from an acquired company that became Yahoo contributor network. Somebody at Yahoo neglected to delete a file but the original bad password policy existed before Yahoo became involved.