Slashdot Mirror


Yahoo Sued For Password Breach

twoheadedboy writes "Yahoo is being sued by one of its users, who has claimed the US Internet company was guilty of negligence when 450,000 passwords of the members of the Yahoo Voices blogging community were posted online. Jeff Allan from New Hampshire has turned to a federal court in San Jose, California, after his eBay account, which used the same password as his Voices account, was compromised. The breach at Yahoo followed similar hits on LinkedIn and Nvidia, which together saw millions of passwords leaked."

7 of 93 comments

  1. Guilty of Negligence by O'Krap · Score: 5, Insightful

    One could say that reusing a password is negligent....

    1. Re:Guilty of Negligence by Anonymous Coward · Score: 3, Insightful

      But then one would be forced to be a complete idiot who implicitly stated that passwords were a good measure and that people have good enough memories and enough time on their hands to manage one unique strong password for every website they visit.

      Luckily one wouldn't say that. (maybe you would though.)

    2. Re:Guilty of Negligence by icebike · Score: 3, Informative

      It's his accounts that are at risk. His choice to take the risk. Not Yahoo's choice. See the difference?

      --
      Sig Battery depleted. Reverting to safe mode.
  2. TRWTF by Anonymous Coward · Score: 5, Insightful

    On the other hand, neither service X nor service Y should be storing your passwords in such a way that it is possible to recover the actual password.

    1. Re:TRWTF by The Mighty Buzzard · Score: 3, Interesting

      On the other hand, a hell of a lot of services limit password length for some insane reason. Given the choice, I never use a password under 30 characters in length but there are sites I use that limit me to as little as eight characters. Nearly any (over 95%) possible password of eight characters or less can be looked up in a rainbow table in less than an hour by a single computer. With distributed rainbow table generation today, counting on hashing functions to be one way is rapidly becoming a thing of the past.

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    2. Re:TRWTF by icebike · Score: 5, Informative

      Salted passwords don't matter - you can recover the password. Heck, you can reverse engineer hashing algorithms by just making a bunch of passwords then recovering them.

      That would require you not only steal the password hash file but also the software used to create that file, including the salt, etc.

      The point in the current case is that the passwords WERE NOT stored encrypted in any form. They were stored in clear text despite every recommendation never to do this on any system. It's inexcusable.

      Every Linux distribution since the Pleistocene has defaulted to at least a minimally encrypted password file. Yahoo runs nothing but Linux. They would have had to intentionally bypass Linux security basics and roll their own to end up in such a mess.

      They deserve to be sued. Still it will be a hard case to win because there is no law that says they have to be careful or competent.

      --
      Sig Battery depleted. Reverting to safe mode.
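The two sub-threads above argue about what a service should store instead of the clear-text password (comment 2) and whether a per-user salt defeats precomputed lookup tables (comments 2.1 and 2.2). The following is an added worked example, written for this page and not code from the original thread, from Yahoo, or from any of the commenters. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the slow hash, a 16-byte random salt per user, an illustrative work factor (a real deployment tunes the iteration count to its hardware), and a hypothetical `pbkdf2_sha256$iterations$salt$digest` record format chosen only so the record carries everything needed to verify it.

```python
"""Salted, iterated password storage versus clear-text storage.

Added example, not from the original thread. Assumptions:
  - PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) as the slow hash
  - 16 random salt bytes per record
  - ITERATIONS is an illustrative work factor, not a recommendation
  - record format "pbkdf2_sha256$<iter>$<salt-b64>$<digest-b64>" is hypothetical
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000  # assumption: illustrative work factor only


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record; the clear-text password is not kept."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest under the record's own salt and compare in constant time."""
    try:
        algo, iter_s, salt_b64, digest_b64 = record.split("$")
        if algo != ALGO:
            return False
        iterations = int(iter_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, binascii.Error):
        return False  # malformed record never verifies
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def build_user_table(users: Dict[str, str]) -> Dict[str, str]:
    """What a leaked database should contain: one salted record per user."""
    return {name: hash_password(pw) for name, pw in users.items()}


def crack_record(record: str, wordlist: List[str]) -> Optional[str]:
    """Offline guessing against ONE leaked record.

    Because the salt is inside the record, a table precomputed for other
    salts is useless here: each record costs len(wordlist) * iterations
    hash computations, which is the point of salting plus iteration.
    """
    for guess in wordlist:
        if verify_password(record, guess):
            return guess
    return None


def same_password_different_records(password: str) -> bool:
    """Two users with the same password get unrelated records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample data; "hunter2" reuse models the eBay/Voices overlap.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}
    table = build_user_table(users)
    for name, rec in table.items():
        print(name, rec[:40] + "...")
    print("alice logs in:", verify_password(table["alice"], "hunter2"))
    print("alice != bob despite same password:", table["alice"] != table["bob"])
    print("attacker guesses alice:", crack_record(table["alice"], ["123456", "hunter2"]))
```

Each record must be attacked separately under its own salt, so the "look it up in a rainbow table" shortcut from comment 2.1 applies only to unsalted, fast hashes; the iteration count then sets the per-guess price. Note that hashing does nothing for the plaintiff's actual problem (password reuse across sites), which is why the thread's other half matters too.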
  3. Image of Trust by Penurious Penguin · Score: 5, Insightful

    Because Yahoo and other similar services pimp the image of being both sophisticated and virtually omnipotent, while offering to manage your affairs, organize your life, provide targeted news headlines and personal suggestions regarding your personal life, and then covertly subpimp your personal data while indifferently and deeply mining your grazing habits -- I think this lawsuit is, compared to others, reasonable, if a lawsuit without grievous injuries or loss can even be so.

    Not everyone has a degree in IT. Perhaps instead of guerrilla advertisement, Yahoo (and other similar services) could cough up at least a token effort for their cattle, I mean customers. Maybe they could reserve some extra ad-space to discourage unknowing subjects from having shared passwords. Maybe they could do a lot more in general, and a lot less too, in a good way.

    I sympathize with neither side in this case, but can empathize with only one. Altruism, despite modern Goliaths, doesn't always need an ulterior motive. Yahoo preys on the sea of humanity, and a few minnows nip back. Pardon me whilst I desiccate myself with tears.

    --
    Forward! -- Emperor Norton, 2012