Yahoo lacked policies for password creation

A researcher calls Yahoo’s loss of 400,000 passwords a “total password failure,” citing the lack of password policies and the storage of passwords in plain text. In addition, the hack included accounts from other domains, including the U.S. Congress.
Written by John Fontana, Contributor

The password attack on Yahoo not only ensnared hundreds of thousands of users from other domains such as Google, AOL, Comcast, Verizon and the U.S. Congress, but revealed the site lacked common password configuration policies.

Among the 400,000 plus accounts compromised, there were 98 with a single character password of “0,” according to analysis of the data by researchers at Rapid 7, a penetration and vulnerability-testing vendor.

Single character passwords show Yahoo did not have policies in place to force users to build passwords that could be considered strong.

Not that it mattered much. Yahoo was storing the passwords in plain text; no hash, no salt, according to Marcus Carey, a security researcher at Rapid 7. He called the plain-text password storage “an industry no-no. That should be Security 101.”

“It was a total password failure,” he said.
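The two controls the article says were missing, a password creation policy and salted hashing in place of plain-text storage, are shown below as an added Python example (not Yahoo's or Rapid 7's code). The minimum length, the distinct-character rule, the PBKDF2 work factor and the record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 12          # assumed policy value, not from the article
ITERATIONS = 600_000     # assumed PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16


class WeakPassword(ValueError):
    """Raised when a candidate password fails the creation policy."""


def check_policy(password: str) -> None:
    # Reject what the article describes: one-character passwords such as "0".
    if len(password) < MIN_LENGTH:
        raise WeakPassword(f"password must be at least {MIN_LENGTH} characters")
    if len(set(password)) < 4:
        raise WeakPassword("password uses too few distinct characters")


def make_record(password: str) -> str:
    """Return the string to store in place of the password itself."""
    check_policy(password)
    salt = secrets.token_bytes(SALT_BYTES)   # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _scheme, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    sample = "correct horse battery"         # constructed sample password
    a, b = make_record(sample), make_record(sample)
    # Same password, different stored records, because each salt is unique.
    print(a != b, verify(sample, a), verify("0", a))
```

Because every account gets its own salt, two users with the same password produce different stored records, so a stolen table does not directly reveal which accounts share a password.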

Hundreds of thousands of passwords were paired with email addresses from domains outside of the Yahoo domain. The list included gmail.com (106,873 users), hotmail.com (55,148), aol.com (25,521) and comcast.net (8,536). It also included a number of military and government users, including domains from the FBI, IRS, the House of Representatives, the Senate and the U.S. Treasury.

While Yahoo announced that the passwords were valid for only 5% of the Yahoo domain users (roughly 7,000 accounts), it did not put numbers on the other domains.

The credential combinations for the non-Yahoo domain users included their email address and a password they created, which could likely have been the password for the email account or one they re-use across sites.

In a Washington Post survey last month, 30% of respondents said they use the same password for different websites, such as banking, social networking and shopping.

Those users may now be vulnerable to attacks on their accounts that are outside of the Yahoo domain.

“Odds are a sizeable percentage are vulnerable because they possibly re-used the same email address and associated password on other accounts, so hackers could use that to log into their gmail or hotmail,” said Carey. “It’s safe to assume that the hackers can get into multiple sites based on these credentials.”

Yahoo instructed those with hacked accounts to change their passwords across all the sites where they might have used the identical password.

“This shows you that when someone is breached it can have far reaching consequences,” said Carey.

Just this week, BestBuy.com provided a real-world example when the company admitted to customers that hackers armed with credentials stolen up to a year ago from another site were attacking Best Buy’s ecommerce site.

“We see in hacks that the hacker you finally catch may be the second or third group that has gotten access to these records,” said Carey. “In those cases, password security is not the root cause of the problem.”

Carey says he doesn’t believe that the number of password hack attacks is up despite recent cases such as LinkedIn, Phandroid and Yahoo.

“I think social media and exposure by other media are raising awareness,” he said.

Here is a list of the Top 10 domains involved in the Yahoo password hack:

  1. 137,559 yahoo.com
  2. 106,873 gmail.com
  3. 55,148 hotmail.com
  4. 25,521 aol.com
  5. 8,536 comcast.net
  6. 6,395 msn.com
  7. 5,193 sbcglobal.net
  8. 4,313 live.com
  9. 3,029 verizon.net
  10. 2,847 bellsouth.net

   Source: Rapid 7
