Yahoo yesterday announced that Yahoo Mail has been hacked and that it has so far confirmed that a number of users' e-mail accounts have been compromised. You may be one of them (if so, see below for my top tips on securing your passwords going forward). It is not clear how many users have been compromised, or exactly how. Yahoo does not have a history of providing much information, but it would be prudent for any Yahoo Mail user to take precautions (more on that below). Between the vague statements about malicious code and "a third party was probably to blame", Yahoo has been resetting the credentials of affected users via e-mail, and via SMS if your mobile number is on file, which I suppose is a step in the right direction. Whilst details are scarce at this time, this continues a trend of bad security and resilience news for Yahoo, which experienced a multitude of issues in 2013.
More broadly, the last couple of years have seen a significant spike in the theft of passwords (or their hashed or encrypted representations) from online services, as cyber criminals have moved beyond financial information as their sole source of profit. Whilst we all wait with bated breath (perhaps pointlessly) for further details of the compromise, now would be a very good time to upgrade your passwords. Many providers are well behind the times on password security, but you can at least take steps to minimise the risks. Here are a few tips on how to do it:
- Avoid using the same password across multiple sites and services. That way, if your Yahoo credentials are breached, the attackers won't be able to jump across into your Twitter, online banking, work accounts or the like. I know this presents a memory challenge for some users, but see the tip below on password managers.
- Choose a password which is not easy to guess. A dictionary word followed by a few numerals is a very common choice, and such predictable patterns let cyber criminals crack your password very fast. Passwords should be long, phrase based and involve a balance of different types of characters: numbers, letters, capitals and ideally a few symbols. See my fabulous example below.
- Set up password change/reset mechanisms properly, not obviously. Password reset forms on many services ask questions like "Where did you go to school?" or "In which year were you born?". These questions are easy for other people to answer and the answers can typically be mined from social media pages or the Internet — why would hackers guess your password if they can just tell a system where you went to school and how old you are (you did, after all, announce your birthday and your age on Twitter last year, didn't you?). Instead I suggest lying on the Internet. Come up with a scheme of answers to these questions that you won't forget (or store them securely) or, better still, if the service allows, specify your own difficult questions.
- Bigger = better! When passwords are stolen from providers they are typically in a hashed or encrypted form, a bit like this: '5f4dcc3b5aa765d61d8327deb882cf99'. This is a hashed representation of a password, and using clever techniques and computing power attackers can recover the original password and log in to your account. Once they have stolen these hashes it is only a matter of time and effort until they reveal the original. Short passwords might be guessed in seconds, minutes or hours (it depends on the implementation), whereas very long passwords could take years of work (by which point the cyber criminals are likely to go after someone else). Therefore making your password 60 characters long makes life much harder for the cyber criminals if they do manage to break into a service like Yahoo. This of course all assumes the provider isn't just storing your password in clear text, in which case you will be very glad of tip number 1!
- Use a password manager. Password managers generate strong, unique passwords for each of your services and then store them in an encrypted database which you can unlock with one good master password. It is a reasonable compromise for those who do not have an amazing memory but don't want to fall into the pitfall of repeating similar passwords across multiple sites. See below for more information on how this works.
- Register with a breach monitoring service. There are a variety of services on the Internet now which monitor for publicly visible lists of stolen usernames and passwords. Of course, not all breaches are visible, so it is far from a complete list. That said, if your username shows up the service will e-mail you a notification and tell you it is time to change your password.
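To make the "bigger = better" tip concrete, here is an added Python example that is not part of the original post. It checks that the sample digest quoted above is the unsalted MD5 of a common word, compares worst-case search times for random passwords of 8, 16 and 60 characters at an assumed guess rate of ten billion per second, and shows the salted, iterated hash a provider should store instead; the wordlist is constructed for the example.

```python
import hashlib
import os

# The digest quoted in the article: an unsalted MD5 hash.
ARTICLE_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"

# Constructed stand-in for the dictionary-plus-common-passwords list an
# attacker would try first.
COMMON_WORDS = ["letmein", "qwerty", "password", "welcome", "monkey"]

def md5_hex(password: str) -> str:
    """Fast, unsalted MD5, the kind of representation the article quotes."""
    return hashlib.md5(password.encode()).hexdigest()

def lookup_unsalted(digest: str, wordlist=COMMON_WORDS):
    """An unsalted hash is deterministic, so it can be matched against a
    precomputed table of hashes of common words: nothing is 'reversed'."""
    for word in wordlist:
        if md5_hex(word) == digest:
            return word
    return None

def keyspace(length: int, alphabet_size: int) -> int:
    """Candidates for a uniformly random password over this alphabet."""
    return alphabet_size ** length

def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst case to try every candidate; a random password is not in any wordlist,
    so length (not cleverness) sets the attacker's cost."""
    return keyspace(length, alphabet_size) / guesses_per_second / (365 * 24 * 3600)

def pbkdf2_hex(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """What a provider should store instead: salted and iterated (PBKDF2-HMAC-SHA256).
    The salt defeats precomputed tables; the iterations multiply every guess's cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

if __name__ == "__main__":
    print("article hash is MD5 of:", lookup_unsalted(ARTICLE_HASH))
    rate = 1e10   # assumed: ten billion MD5 guesses per second on a GPU rig
    for n in (8, 16, 60):   # 72 = 52 letters + 10 digits + 10 symbols
        print(f"{n:2d} chars: {years_to_exhaust(n, 72, rate):.3g} years")
    print("salted PBKDF2:", pbkdf2_hex("password", os.urandom(16))[:16], "...")
```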
Despite numerous proposals for authentication mechanisms to replace the password, it is still the cheapest, easiest-to-deploy and most ubiquitous form of authentication in use. So we should all take some steps to make sure we are using passwords properly. A good password manager allows you to generate secure passwords for each of your sites and avoid duplication — luckily you don't have to type these beastly long passwords out, as the tools do that for you. Here is an example of a password recipe for a new password:
You can specify the length of the password (some providers don't allow unlimited length but arbitrarily restrict you to, say, 16 characters, e.g. Microsoft 365 Exchange. Grumble grumble.) and the make-up of symbols and numbers. You can even make it pronounceable for a situation where you might have to actually read the password out (though I don't recommend this, for obvious reasons). Each time you click the button you get a nice new secure password, which the password manager automatically associates with the website in question so that you can log in automatically each time, remembering just the one secure master password you specify. Not all password managers are created equal, so it is worth shopping around a little before you commit, but these tools can take the average user's password security from poor to really rather good in an afternoon's password-changing party. Lastly, it is important that you keep a backup of the encrypted password database (losing all your passwords in one place would be painful), and you may want to think twice about putting the keys to your whole life in there: my banking details, for example, would not be in this application. So why not make something good of another password breach and share these tips with your friends, family and colleagues. I await with bated breath news from a reader that they've successfully made all their passwords over 128 characters.
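As an added illustration of the password recipe described above (example code, not from the post or from any particular password manager), this Python snippet generates passwords to a recipe of total length plus digit and symbol counts, with an optional pronounceable mode, checks a password against the recipe, and builds one unique password per site while honouring a site's length cap such as the 16-character limit mentioned. The site names and caps are assumed.

```python
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
CONSONANTS, VOWELS = "bcdfghjklmnprstvwz", "aeiou"

def recipe_is_valid(length: int, digits: int, symbols: int) -> bool:
    """A recipe must leave room for at least one letter."""
    return length > 0 and digits >= 0 and symbols >= 0 and digits + symbols < length

def generate_password(length: int = 24, digits: int = 3, symbols: int = 3,
                      pronounceable: bool = False) -> str:
    """One password following the recipe: total length, how many digits and
    symbols it must contain, and optionally a pronounceable letter body."""
    if not recipe_is_valid(length, digits, symbols):
        raise ValueError("recipe leaves no room for letters")
    n_letters = length - digits - symbols
    if pronounceable:
        # Alternate consonant/vowel so the body can be read out, then capitalise
        # roughly a quarter of the letters to satisfy the 'capitals' part.
        body = [secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS) for i in range(n_letters)]
        body = [c.upper() if secrets.randbelow(4) == 0 else c for c in body]
    else:
        body = [secrets.choice(string.ascii_letters) for _ in range(n_letters)]
    extra = ([secrets.choice(string.digits) for _ in range(digits)]
             + [secrets.choice(SYMBOLS) for _ in range(symbols)])
    if pronounceable:
        return "".join(body + extra)          # keep the readable body intact
    chars = body + extra
    secrets.SystemRandom().shuffle(chars)     # scatter digits/symbols throughout
    return "".join(chars)

def satisfies_recipe(password: str, length: int, digits: int, symbols: int) -> bool:
    """Check a generated (or site-provided) password against the recipe."""
    return (len(password) == length
            and sum(c.isdigit() for c in password) == digits
            and sum(c in SYMBOLS for c in password) == symbols)

def build_vault(sites: dict, **recipe) -> dict:
    """One fresh password per site. `sites` maps a site name to its maximum
    accepted length (None for no cap); a capped site gets a password generated
    within the cap rather than a longer one silently truncated on submission."""
    vault = {}
    for site, cap in sites.items():
        r = dict(recipe)
        if cap is not None:
            r["length"] = min(r.get("length", 24), cap)
        vault[site] = generate_password(**r)
    return vault
```

Calling `build_vault({"mail": None, "exchange": 16}, length=32, digits=4, symbols=4)` yields a 32-character password for the uncapped site and a 16-character one for the capped site, each satisfying the recipe.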
Follow me on Twitter @jameslyne