Yahoo Mail Resets Account Passwords After Attack

MAXOMENOS writes: "Last night Yahoo! announced via their Tumblr page that they had detected attacks against some Yahoo Mail accounts. They reset the passwords to all affected accounts, and advised users of good password practices. Quoting: 'Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo's systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails.'"

The real news

The real news is that apparently, Yahoo Mail still exists.

Re:The real news

[Thanshin]

I wonder how desperate for attention one must be to confess a security breach just to be in some news.

Re:The real news

[CubicleZombie]

I've been using Yahoo mail since almost the beginning and still do.

I changed my password as soon as I heard about this. Or, I tried to. Yahoo makes it so difficult to change your password that I actually had to go to Google and search for "How do I change my Yahoo password". Then once I figured out where to go (none of the links worked - I had to paste it from an answers.yahoo.com reply), the AJAXified page wouldn't work in Firefox on Linux, so I had to fire up my work PC and use IE.

Unbelievable.

While I was there, I deleted an old yahoo personals alias (also didn't work in Firefox - had to use IE), and then changed my backup email. But that didn't work either - the link in the confirmation email went to an error page.

Re: The real news

Thank you!! I should have realised I was using the wrong browser. I guess I got fed up with all the error messages that wasn't my fault.

Re:The real news

Odd, I did the same thing last night with Firefox on Linux. Was easy to find link, was easy to change, had no issues at all.

I keep reading about how horrible Yahoo mail is, but I never seem to have the issues everyone else does. Their spam filter is also nearly 100% perfect for me as well.

Re: The real news

No self respecting spammer will spam a Yahoo account. That's as low as tipping a wheelchair.

Re:The real news

[Daniel+Hoffmann]

Yahoo mail was once the equivalent to gmail. It had very good UI, speed and storage for its day. All of this when many ISPs still charged for an email account. It is not surprising that many people still hold on to their yahoo mail accounts.

Re:The real news

[GIL_Dude]

I actually got a text message the other day (purporting to be Yahoo - turns out it was them) saying that unusual activity had been seen on my account and they had disabled it until I went to the site on a PC. (I hardly ever use it - so this was a surprise - it is just a catch all for crap sites I may have to sign up for to keep them out of my "real" email). Anyway, I have two factor auth turned on (for Google, MS, and Yahoo) so I was surprised to see this. I guess they used the right password, but couldn't pass the two factor test. Just signing on to my account sent me to a special page saying there was unusual activity and having me input my password and a new password (once only; no "type it twice" thing). The new password had to meet some criteria and their regex or whatever they were using is broken beyond belief. It says it must be between 8 and 32 characters, have upper and lower case, and numbers. However, my old password met most of this already and was 8 chars (it was only missing the upper case character). Adding a "Y" to the end did not pass - because apparently that is not an upper case character. Neither is any other upper case character. It looks like they need all of the character types in the first 8 positions in order to accept it. Very poor coding and design on that page. I finally just had KeePass generate a random PW for me and used that.

I think this is a "score one for two factor" moment - but the poor implementation of the "fix" on Yahoo's part was a turn off.

Re:The real news

[chispito]

It has better spam filtering than gmail, and ten years ago, when I started using it, way better than hotmail. Also, it was a great place to play chess.

Re:The real news

That may be, but it has been 10+ years since I last received an email from a Yahoo account.

Re:The real news

[WuphonsReach]

The big advantage Yahoo! Mail had back around 2000-2005 was the large mailbox size, a larger limit on attachment size, etc.

This was back when ISPs only gave you a 2-10MB mailbox and limited attachment sizes to as little as 1MB.

Then GMail hit with their 1GB mailbox, all the other free webmail providers had to up their limits.

Re:The real news

[Cro+Magnon]

Really? Last time I used it, admittedly a long time ago, about half my mail was spam. Sadly, that was still better than my ISP mail.

Re: The real news

[TheCRAIGGERS]

I think it has more to do with the fact there's little point in spamming what most people use as their spam email account.

I only check mine when some forum or whatever refuses to allow me to login until I confirm an email address.

Re:The real news

Really?! That's pathetic.

Re:The real news

Hey, Marissa don't brag. We all know you like to change stuff ( logos and flashy nothings). But don't touch the old functionality. Like sorting by sender. Is not working anymore since you require javascript to "enhance" user experience.
I have the account since 1995. And is start to stink now.
Sincerely disappointed old user (old but not stupid ).

Re:The real news

[Anachragnome]

"I wonder how desperate for attention one must be to confess a security breach just to be in some news."

Do you really think that was the goal? Advertising a security breach? It isn't really anything novel these days--everyone is doing it. We've become bored with the very idea.

More than likely, they are simply trying to determine who is using which account. They release this sort of announcement to get users to simply interact in any way, be that changing your password or even trying to do so. This way, they can tell which accounts are active, and by whom. A complete data refresh keeps the data valuable.

Re:The real news

[Darinbob]

It is the primary mail service for AT&T.

Re:The real news

[rueger]

YMMV, but I had no problem with a Chrome/Mint Linux combo. Admittedly it took some rather irritating hunting (and multiple log-ins) to get to where I could change the password, but the actual change was no more or less easy than any other site.

And once again I was reminded that the only reason that I have a Yahoo e-mail/profile/thingy is because there is one, countem' ONE Yahoo group that I use. The actual e-mail account has nothing in it, not even random spam, after three or four months between log-ins.

I was thankful for the Yahoo Portal/ News page, because it got me all up to date on the latest Justin Bieber developments....

Re:The real news

[edjs]

Also, Yahoo acquired a number of email list service providers many years ago; the only reason I still have an account there.

Re:The real news

[thunderclap]

No the real news is that Yahoo still exists separately from Google. I would have figured the Marissa Mayer, being the former resident Queen Bee, (literally, Illinois Institute of Technology granted Mayer an honoris causa doctorate degree in recognition of her work in the field of search in 2009 [and she was Vice President of Local, Maps, and Location Services and, before that, vice president of search products and user experience as well as the highest ranking female there.]) would have taken the job of CEO to prep Yahoo for its consumption into Google. It wasn't ever a search engine anyway. It was a directory.

Re:The real news

Yahoo mail was once the equivalent to gmail. It had very good UI, speed and storage for its day. All of this when many ISPs still charged for an email account. It is not surprising that many people still hold on to their yahoo mail accounts.

Best part about the UI was that (in the pre-AJAX days) a single click on "delete" could automatically take you to the next message. No mouse movement required, just put the cursor in the same place and "delete/delete/delete" your way through the inbox.

Then the AJAX shit came, and then the second generation of AJAX came, and then they fucked up the UI to make it even worse after Marissa was hired, and since then I've migrated elsewhere. Sigh.

WTF

[LookIntoTheFuture]

Why in the fuck weren't the passwords hashed or something? Why did a third party need the passwords? Grr

Re:WTF

[Albanach]

Hashing passwords is pretty pointless unless they're also salted. Otherwise all the common and short passwords are as good as being in plain text.

As for why a 3rd party had the passwords, I think Yahoo need to be quite a bit more forthcoming and explain this. Surely they are aware that their customers are going to be reusing passwords and that, by giving a third party these passwords they are also exposing their customer's accounts on numerous other sites?

Re:WTF

Places like Facebook and LinkedIn ask for email passwords under the guise of "spreading the word!"

Obviously these 3rd parties sell the information (just like the website & service providers that got them in the first place) .

Re:WTF

Its likely those people reused passwords between sites. Not every small web startup is focused on security, this is why you should avoid reusing password/email combinations.

Re:WTF

[cdrudge]

Maybe they were. As the Target security breach demonstrated, if you can intercept the information prior to it being hashed/encrypted, it's still usable.

For an example, say a website's authentication process code is compromised. It works exactly the same as it always has been, but prior to hashing the supplied password to compare to the saved salted & hashed value (exactly the way it should be), an extra function call is made that saves the username and password to some data store (text file, remote database, emailed, whatever). While the website is still at fault as their code was compromised, it wasn't that the password database wasn't properly protected. They just used a different vector to get the information.

Or, and probably much more likely, it was what you say. It was some crappy security on a website that saves that information in plain text...probably even in world accessible text file.

Re:WTF

Incompatible hashes are incompatible; plaintext is universally interoperable. Sadly, on occasion I've had to resort to plaintext password transmission myself for this very reason, thankfully only on local networks.

Re:WTF

[sl4shd0rk]

As for why a 3rd party had the passwords, I think Yahoo need to be quite a bit more forthcoming and explain this.

Quite feasible that yahoo had nothing to do with it:
Jimbob creates account on somecrackablesite.com using jimbob@yahoo.com email address. somecrackablesite.com gets cracked and attacker gets DB dump which contains username/email/pass for jimbob. Attacker assumes jimbob used same password for both sites and gains access to yahoo account. This is why using the same password for multiple sites is a big no-no.

Re:WTF

[jones_supa]

This is why using the same password for multiple sites is a big no-no.

And flipping that around a bit, it is also a security risk as so many sites allow a password reminder through e-mail. If someone cracks only your e-mail, he can just send these reminder requests around the web and get access to various sites.

Re:WTF

[Albanach]

Quite feasible that yahoo had nothing to do with it:

It's feasible, but Yahoo are taking a hammering on this.

If they believe the data was obtained via a 3rd party and they know they don't share passwords hashed or otherwise with 3rd parties, I would have expected them to be shouting that from the rooftops.

Re:WTF

That's why your e-mail should be one of your most closely guarded accounts, together with banking accounts and alike. Did y'all turn on 2 factor auth yet?

Obliquely related, some e-mail providers let you freely use aliases like somemail+slashdot@gmail.com and somemail+dotslash@gmail.com for somemail@gmail.com - sites that ask for e-mail in password reset form will just tell you "No such account" if you have it set to "somemail+thissite@..." but ask for "somemail@...". As a bonus, you'll instantly know there was a leak when a spam letter comes to somemail+hackedsite@gmail.com.

Oh, and another one for name+extra@mail - Gravatar won't leak your e-mail as easily as here.

Re:WTF

Wow, this thread is clueless. Where did it say that Yahoo was giving passwords to third parties?

Did you know that many people use the same password for every site they visit?

Do you know what a soft target is?

The most common way for people to get e.g. their MMO accounts hacked is that they will usually be on some kind of game fansite/forum. You hack the forum, you have their password, you steal their game account.

Re:WTF

[hairyfeet]

Well from what I've seen it appears that this is the case, some users have been using the same lame passwords all over the place, with some of them foolish enough to use their yahoo mail AND their Yahoo mail password on some third party website and naturally when the website got boned the spammers starting trying out the passwords, hence the reset.

Anyway that is what I'm seeing at the shop, the customers that don't use the same password at every site aren't seeing any resets, neither have I and I have 3 yahoo accounts, but those that recycle the hell out of passwords are the ones having to do a reset. i really don't see how this can be blamed on yahoo, anymore than one should blame Windows for those morons that fall for the "Install this "codex" to see teh big tittiez!" malware scam.

The moral of the story? You can reset passwords but you just can't fix stupid.

Re:WTF

Define "2 factor auth". As someone who deals with auditing online banking services, way too many people seem to think layered knowledge-based authentication is "multifactor". If you're not adding something hardware-based or biometric, you aren't doing multifactor authentication.

Re:WTF

Isn't a mobile phone (that receives a confirmation code, as common in these schemes) a "something-you-have" factor to complement the "something-you-know" password?

Re:WTF

Because, for example, third party ISPs us Yahoo! as their e-mail provider. I've had a Yahoo e-mail address for over ten years, ever since I moved, and dumped dial up for SBC DSL. SBC used Yahoo to provide e-mail (the webmail page is dual branded for example). When SBC morphed into AT&T, and the DSL turned into U-verse, Yahoo remained the e-mail provider. The main account e-mail user/pwd is the same U-verse user/pwd.

So U-verse is the third party in my case.

Based on the news reports, U-verse / AT&T was not the third part in question who were hacked.

Re:WTF

[jonwil]

I use my mobile phone to access my bank all the time (usually when I am out and about and want to check my account balance and transaction history to see where I am at and whether I can afford the things I want to buy). One of the options my bank offers for extra security is SMS authentication. If the SMS is comming in on the same phone I am using to access the bank, its definatly not 2-factor authentication in any sense of the term.

password will not protect you

advised users of good password practices

Good password practices are pointless if the backend database is compromised. That's like adhering to the five second rule after dropping a donut in a dogpile.

Re:password will not protect you

They're saying you shouldn't make it so your username and password from $third_party_site can log you in to Yahoo Mail.

Re:password will not protect you

So you're saying the five second rule is less adhesive than doggy doo?

Happens at all ISPs

I work for a large ISP and we regularly see our customers' accounts targeted when some other website leaks their user information and it includes email addresses on our network and passwords the attackers can guess will give them access. If we can get hold of the leaked data we can work out which accounts are at risk and either warn the customers or reset their authentication credentials before hand. Standard practice and good to see Yahoo is following it.

Among the funny things ...

[fidget]

... is why suddenly yahoo is making a show of caring.

I have a four-letter yahoo account (not that kind of four-letter word...) from waaaaay back in the day. It was something I maintained for about two decades for plausible deniability... a cut-out.

SCORES of people have tries to hack it. A couple have succeeded, but not since I switched it to a 32-character mixed-case-and-special password. Still, they try at the rate of about 3 a week (that I *see* via attempted password-reset manipulations, 2-factor authentication change attempts, etc).

But ... I have received about 10 emails from folks who wanted to 'own' the email address. And -- I think -- because I didn't acquiesce, I have received hundreds of thousands of spam emails in the intervening time. They've submitted my email to stupid dating sites in French, German, Thai, Spanish, Tamil and most recently Hebrew. Hell, I got 1000+ emails/day from ONE SITE for a few days, about a week ago.

There's been phishing, spear-phishing based on the pseudo-identity hosted there, blind newsletter sign-up. Every kind of crap you can imagine, and several more.

And every step of the way, I reported the infringements, the spamming, the users who have a variant of the name (e.g. foo2525 instead of foo): to the spam-handlers and to the variant-users.

And yahoo has never given a shit. Not once. Period. IMHO, 'cause it was one account-holder. But I've kept it anyway -- since it's a great cut-out. And I'll continue to do so. Yahoo is a joke; has been for many years now. Sometimes... that's its value. It's a great example of what NOT to do, and it's a great revealer of the seedy underbelly of the 'net.

http://demotivators.despair.co...

Re:Among the funny things ...

[DerekLyons]

And yahoo has never given a shit. Not once. Period. IMHO, 'cause it was one account-holder.

And frankly, that's as it should be. If you lucked into an especially desirable account name, it's not Yahoo!'s responsibility to keep people who want to buy it away from you. And reporting people who have a variant? Seriously? Unless it's a trademark or copyright issue, you have precisely zero leg to stand on. Yahoo! isn't responsible for your sense of self entitlement.

Meanwhile, I've had a Yahoo! account for decades now with no problems at all.

Re:Among the funny things ...

[dontbemad]

What is it, asdf@yahoo.com?

Re:Among the funny things ...

[fidget]

RTFMessage. To be clear, I wrote that I reported folks who used a variant to the variant-user. e.g. send email as foo@yahoo.com instead of foo2525@yahoo.com and I get the email reply, I sent it on to foo2525 with a note that they used the wrong email. Of course, the correct email has to be indicated somewhere, or I have no way ...

My mistake was not adding ", respectively" to the sentence.

Glad to see you got your exercise today, jumping to conclusions.

Re:Among the funny things ...

I had an account that was literally stolen, I had a relatively strong PW but someone got in and reset the PW and all the security questions are now in Spanish. Yahoo never lifted a finger or even responded to my email at all. I'm trying again to get some response, and at least now i got an automated response with a ticket number. I still don't think they will resolve the situation satisfactorily, but it's better than having my problem totally ignored.

F-Yahoo at this point.

Re:Among the funny things ...

[fidget]

Close... It's qwer@yaho^H^H^H^HH^H^H^H^H Ha. I'm not so foolish ... what do you mean that crtl-H doesn't delete anymore? ...

Re:Among the funny things ...

[dontbemad]

Bahahaha. I'd mod up if I could.

Re:Among the funny things ...

I had a 4 letters hotmail, it got hijacked pretty fast :(

Last night's spam email was probably the cause

[cjmnews]

A spam email that went to the Inbox stating that Yahoo! was going to close all inactive accounts if you did not click on this link and log in was probably how the attacker got the passwords. The link went to one of those off-shore URLs that we should all avoid.

Phishing is still alive and well.

And there are a lot of gullible people to phish for.

Re:Last night's spam email was probably the cause

[sconeu]

My mom got that one. Fortunately, she called me first BEFORE she did anything about it.

Re:Last night's spam email was probably the cause

Oh.
 
But the one from the bank was true, right?

Re:Last night's spam email was probably the cause

[edjs]

I think that was just the usual background phishing that's always going on.

On the 19th I got a legitimate Yahoo sign-in alert for an account I had forgotten about and not used for the better part of a decade, with the only activity being a "Yahoo! Partner's Application" login. I'm guessing this login was part of this attack.

Re:Knox bitch still G U I L T Y of murder

Ahh, you're from one of those countries which is extremely religious, extremely sexually repressed, where all the men think all women are sluts, women that don't sleep with ugly men at the drop of a hat are called up tight bitches, where the police and prosecutors are grossly incompetent. Let me guess, in your biggest central square when it's packed with people, a woman isn't safe from gang rape without 10 to 20 other women around her at all times, or even with one or two men protecting her? Or are you from the country where all the plaza's are full of illegal aliens spinning and tossing and demonstrating trinkets, and when the police car comes by the all scatter to a nearby street, and when the police car goes away they instantly reappear? The two most awful places in the world to visit, with the exception of some 2000 year old stone buildings from our first great civilizations.

Tumblr?

[Clyde+Machine]

"Yahoo! announced via their Tumblr page"


Really? This is how businesses are delivering their security announcements?

Re:Tumblr?

Yahoo owns Tumblr.

Re:Tumblr?

So if some Gmail accounts were attacked, Google should announce it on Zagat?

Re:Tumblr?

They'll announce it on Google+, for all the dozens of G+ users to see!

All the rest will have to get a G+ account to read it... Or not.

Re:Tumblr?

[thunderclap]

I am curious why it wasn't on their main news page.

Re:Tumblr?

[thunderclap]

Nah they will just announce in the white house press room and the feeding frenzy will begin.

Re:Knox bitch still G U I L T Y of murder

From neither New York nor New Jersey do I hail. Why do think so?

Hey...

I have an account on Yahoo... But... Paraphrasing my teacher... "Big deal. Next week it will be fine."

We all will have what we deserve. Yahoo!

I think other comments are missing the point

It sounds like an external password database was hacked and all the usernames + 'yahoo.com' and the matching passwords were tried against Yahoo Mail.

It doesn't seem like Yahoo could have done anything more about this. It is a case of password reuse, not Yahoo's password storage.

Re:I think other comments are missing the point

[TheloniousToady]

It sounds like an external password database was hacked and all the usernames + 'yahoo.com' and the matching passwords were tried against Yahoo Mail.

It doesn't seem like Yahoo could have done anything more about this. It is a case of password reuse, not Yahoo's password storage.

Right. Evidently it's easier to go for knee-jerk Yahoo bashing than to read TFA. I wonder if the folks who do that also save time and energy by reusing passwords? ;-)

My Soapbox!

I manage mail servers for a mid sized company, and Yahoo can kiss my ass! Their IP ranking system is stupid and they won't change it, which fucks any smaller ISP hosting multiple domains on a single IP. If we have a company get a mailbox compromised from domainx, yahoo blocks all mail from the IP instead of the domain so everyone else is screwed. Even when we lock the account, yahoo has no method of unblocking.

To make things 10 times worse, their mail interface has a big ole "SPAM" button which allows users to delete mail in a single click where their "Delete" button requests confirmation. Users tend to use the SPAM button because it's easier to delete messages, and not obvious that they are actually reporting the person as a spammer to Yahoo who again fucks the ISP by blocking their mail. After years of complaints from companies, if you use FireFox you will see a button that says "Report Spam", but IE still just shows "Spam".

Yahoo of course does not give a shit and won't add a confirmation to that "spam" button to let users know they are reporting a server for "spam" and not simply deleting a message.

And look, I absolutely hate spam. I would not work for a company that sends spam and think they are as useful to society as telemarketers. Yahoo just sucks at doing anything worthy to reduce spam. Their IP ranking system has been broken and complained about since it came out, but since it's cheep for them to use they continue with the broken program and don't care that this harms their user base more than it saves them money trying to fight spam.

Re:My Soapbox!

You sound like a spammer / scammer. Post the affected domains and IP address or shut up. Or put in some decent security and choose your customers better.

RE: My Soapbox!

I used to work for a student loan servicer - who only sent emails for things like account notifications, ACH withdrawal notifications, etc. We'd have to fight our way off of Yahoo blacklists two or three times in the five years I was there. Yahoo's "spam" management is a common problem for admins hosting mail services.

Re:My Soapbox!

[sjames]

You sound like someone who has never run a mail server for more than one person. What is your ingenuous magical cure for someone getting their email password compromised? Sure, change the password. Then there's cases where someone forwards mail from your server to another. Surprise, they get a spam. Don't even mention spam filters, it they're anything less than 100% effective, this problem happens, and none are 100% effective unless they send all mail to /dev/null.

Then you get to deal with the anti-spammers. Some are quite sensible and you can just let them know in a web form that you've solved the problem. Others rapidly time out the blocks once the spam attempts stop.

Then there's the jackasses that attempt to extort money for de-listing. Even a few circle jerks where X lists you because Y lists you because X lists you, etc. Some geniuses insist you send an email from the listed server but then block the message as spam.

If you think it's just weak passwords, you've never looked at a mail server's logs where massive botnets brute force passwords low and slow. They will inevitably get lucky once in a great while. Or, someone gets a drive-by attack from an ad network and their PC starts sending the spam, and on and on.

They still exist?

[koan]

Yahoo mail has always been a one off disposable email to me, and answers.yahoo is just silly, who would post something there when you can just Google it, not to mention virtually every answer that I have seen get "modded up" as best has been incorrect.

Interestingly, using it to sign up for a site recently I noticed they wanted my phone number with a promise to "keep it secure" next to the number space.

Wait Wait...

Some people still *actually* use yahoo for anything including email? Wow... that's just so um early 90's... kind of a fad like AOL.

Re:Wait Wait...

Their sports section is pretty good.

Oh Yahoo...

[korbulon]

You put the "fun" back in dysfunctional. Whenever I think of Yahoo, inevitably this pops into my head "It's the Bumpus Hounds! Ta da da da, da da!"

via Tumblr?

[PNutts]

WTF is that and why did Yahoo think I would see it?

Re:via Tumblr?

As best I can remember from hearing about it in the new, Tumblr was a porn site that Yahoo bought out and removed all the porn.

Are you hallucinating?

[DerekLyons]

To be clear, I wrote that I reported folks who used a variant to the variant-user. e.g. send email as foo@yahoo.com instead of foo2525@yahoo.com and I get the email reply, I sent it on to foo2525 with a note that they used the wrong email.

To be clear, no you didn't write any such thing. You didn't write anything even close to such a thing.

Your mistake isn't that you didn't add "respectively", it's that you're a clueless moron who not only didn't read what he wrote, but for 'reporting them to Yahoo' and believing Yahoo! could do anything about such third parties.

I'm using two-factor ID...

[RealGene]

..since my Yahoo (junk) mail account was hacked a couple of months ago. I am certain it was because I used by Yahoo credentials to post a comment on a popular 'news' website (**cough** Slate).
I changed my PW to a machine-generated chunk of gibberish, and turned on 2-factor ID.

Re:I'm using two-factor ID...

[vinn01]

I think you'll find that the comment section of that news website is run by Disqus.com. It's not the news site that got hacked. Disqus.com got hacked.

Phone Number Requirement for Account

[ossuary]

Even with this breach, I still think their mandatory MOBILE phone number requirement to get a Yahoo account is BS. Just one more data point floating in the revenue stream...

Re:Phone Number Requirement for Account

Have a Yahoo! account. They (and Google) both keep asking from time to time for a mobile number so they can text me for two-factor auth if I needed to do a password reset. But I don't have texting, so I just cancel it out and keep going along.

But then, I've had the account since ~1999; don't know about setting up new accounts...

Re:Phone Number Requirement for Account

[Stan92057]

Yes same here I don't trust yahoo, Google with my phone number somewhere down the line they will change there TOS so they can call us or there 3rd party can call us or god knows what else so no ya cant have my Phone number ever......had my yahoo account for 15 years so far.

weak password yahoo horse shit

[callmetheraven]

Been trying to help a friend get into their yahoo mail all morning, it won't allow access, sends to password reset instead, and no matter how strong I make the password it says it's too weak.

Yahoo will probably issue themselves a "best of the web" award to compensate for the inconvenience.

Such douchebaggery.

why do you think it's hard?

[YesIAmAScript]

When in Yahoo mail, click the gear in the upper right, select "account info" (it's the thing at the bottom), at the next page click "change password".

That's not at all difficult, it's barely different from how you do it on google or anything else.

I used Chrome to do it.

Re:why do you think it's hard?

[nmr_andrew]

Seconded, I changed my short before hopping onto /. today. Took a few seconds, no problems at all. I was surprised there wasn't a second box to confirm the new password in, although you can show it as plaintext.

There's plenty wrong with the new, "improved" Yahoo mail, I'd move to Gmail or something else if it weren't for the fact that 15 years worth of everybody in my life has my Yahoo address, but changing the password isn't problematic.

Re:Knox bitch still G U I L T Y of murder

Alabama?

Yahoo mail is complete shit

I tried logging into yahoo mail about a month ago - My password worked just fine so I should be able to read my mail right? Fuck NO!

Instead I was presented with 2 security questions that I probably filled out 10 years ago with fake data that I have no idea what I put the answers for.

Then yahoo tells me I can have an email sent to my "backup email" which was a fake email, because I figured I'd never need that shit as long as I can login with my correct password right? Wrong?

So apparently with yahoo, A normal functioning password is not enough to access your data. You need 2 security questions now and a backup email.

I thought I'd see who's running Yahoo these days. Turns out, it's some dumb cunt I met in their chatroom's about 5 years ago - Marissa Mayer.

Now I know why she closed them down.

Re:Yahoo mail is complete shit

Instead I was presented with 2 security questions that I probably filled out 10 years ago with fake data that I have no idea what I put the answers for.

Then yahoo tells me I can have an email sent to my "backup email" which was a fake email, because I figured I'd never need that shit as long as I can login with my correct password right? Wrong?

Well, to be fair, it's hardly Yahoo's fault that you're a complete and total fucking dumbass.
I'm all for putting fake info in for the security questions; but it's your own responsibility to then remember that fake information. If you don't, well, tough shit for you.

PBKDF2/RFC2898/PKCS#5, tens of thousands of times.

Don't just hash, salt and hash.
Don't just salt, use a truly random per-username salt.
Don't just do that, use PBKDF2/RFC2898/PKCS#5, bcrypt, or scrypt with tens or hundreds of thousands of iterations.
Don't just do that, actively forbid users from using P@$$w0rd, P@$$w0rd1, and so on and so forth.

Must have been Disqus.com data leak

[vinn01]

I received the Yahoo password notification (cell phone text) for a Yahoo account that I set up only for the purpose of making comments on Disqus sites.

I had to change the password from something simple to something obtuse in order to login. The sent folder is still empty, since I have never sent a single email from that account. Since I have never used that email account for any other site, obviously there are no password reset attempts in the inbox.

There far too many web sites getting hacked. Are the developers simply clueless or are they just out-gunned by hackers?

Disable Adblock to Change Password

[qpqp]

Had to change the password on an old account that I forgot the password to and had to access recently. The trick to get past the 'password not secure enough' error is simply to turn off adblock for that moment. Was driving me nuts, when I was trying 30+ random-char, unmemorizable passwords that would probably satisfy ~95% of all password requirements and still getting that stupid error, until I found the solution.

Re:PBKDF2/RFC2898/PKCS#5, tens of thousands of tim

[reboot246]

I always salt my hash. Tastes better with salt - kinda bland without it.

Re:PBKDF2/RFC2898/PKCS#5, tens of thousands of tim

[thunderclap]

Don't just hash, salt and hash.
Don't just salt, use a truly random per-username salt.
Don't just do that, use PBKDF2/RFC2898/PKCS#5, bcrypt, or scrypt with tens or hundreds of thousands of iterations.
Don't just do that, actively forbid users from using P@$$w0rd, P@$$w0rd1, and so on and so forth.

I disagree.
Don't just do that, actively forbid users from using any password in any language. Require them to use biometric blood dna sampling form a heat detected finger.
Seriously when are we going to stop being forced to remember gibberish so thieves don't steal our stuff?

Re:Knox not guilty of anything FU Italy

[thunderclap]

Italy is Incredibly corrupt and the dead woman's family believes Knows should die. However they don't have the means too get to her. This is why double jeopardy is in the constitution.

Learn English

[fidget]

Amazing. I restrained myself and didn't call out your ignorance, since I tend to use rather complicated sentence construction. You failed to learn when hit with the clue-stick.

So hey, let's play...

The sentence read "I reported the infringements, the spamming, the users who have a variant of the name (e.g. foo2525 instead of foo): to the spam-handlers and to the variant-users." Let's dissect this.

The disingenuous would read this to mean I reported everyone to the spam-handlers *and* the variant-owners. That's totally unhelpful. So, perhaps there is another interpretation, after one is finished with your ad hominem nonsense: It can represent two different actions. Obviously, "variant-users" cannot refer to spammers -- that's just stupid. Then, it quite obviously indicates the resolution path for the variant-owners is *to* the variant-owners. The use of "respectively" would force the reader to cross-correlate the phrases, easing the process.

So, learn some bloody English, you puerile, self-indulgent, narcissistic, entitled moron. When they invent a "does not exceed a 6th grade reading level" tag, I'm sure you'll finally come into your own.