Yahoo lacked policies for password creation

Updated on: 2012-07-13 || Source: zdnet.com
A researcher calls Yahoo's loss of more than 400,000 passwords a "total password failure," citing the absence of any password policy and the storage of the passwords in plain text. The leaked list also included accounts from other domains, among them the U.S. Congress.

The password attack on Yahoo not only ensnared hundreds of thousands of users from other domains such as Google, AOL, Comcast, Verizon and the U.S. Congress, but also revealed that the site lacked even the most common password policies.

Among the 400,000-plus accounts compromised, 98 had the single-character password "0," according to an analysis of the data by researchers at Rapid 7, a penetration- and vulnerability-testing vendor.

Single-character passwords show that Yahoo had no policy in place to force users to choose passwords that could be considered strong; not even a minimum length was enforced.

Not that it mattered much: a strong password only protects a store that is hashed. Yahoo was storing the passwords in plain text, with no hash and no salt, according to Marcus Carey, a security researcher at Rapid 7. He called plain-text password storage "an industry no-no. That should be Security 101."

“It was a total password failure,” he said.

Hundreds of thousands of the leaked passwords were paired with email addresses from domains other than Yahoo's. The list included gmail.com (106,873 users), hotmail.com (55,148), aol.com (25,521) and comcast.net (8,536). It also included a number of military and government users, with addresses at the FBI, the IRS, the House of Representatives, the Senate and the U.S. Treasury.

While Yahoo said the leaked passwords were still valid for only about 5% of the Yahoo-domain users (roughly 7,000 accounts), it gave no such figure for the other domains.

For the non-Yahoo users, the leaked credentials consisted of their email address and a password they had chosen for Yahoo's service, which may well be the same password that protects that email account, or one they reuse across sites.

In a Washington Post survey last month, 30% of respondents said they use the same password on different websites, such as banking, social networking and shopping.

Those users may now be vulnerable to attacks on accounts that have nothing to do with Yahoo.

“Odds are a sizeable percentage are vulnerable because they possibly re-used the same email address and associated password on other accounts, so hackers could use that to log into their gmail or hotmail,” said Carey. “It’s safe to assume that the hackers can get into multiple sites based on these credentials.”

Yahoo instructed users whose accounts were compromised to change their passwords on every site where they might have used the same one.

“This shows you that when someone is breached it can have far reaching consequences,” said Carey.

Just this week, BestBuy.com provided a real-world example of this when the company admitted to customers that attackers armed with credentials stolen up to a year ago from another site were using them against Best Buy's e-commerce site.

“We see in hacks that the hacker you finally catch may be the second or third group that has gotten access to these records,” said Carey. “In those cases, password security is not the root cause of the problem.”

Carey says he does not believe the number of password breaches is actually rising, despite recent cases such as LinkedIn, Phandroid and Yahoo.

“I think social media and exposure by other media are raising awareness,” he said.

Here is a list of the top 10 domains involved in the Yahoo password leak:

  1. 137,559 yahoo.com
  2. 106,873 gmail.com
  3. 55,148 hotmail.com
  4. 25,521 aol.com
  5. 8,536 comcast.net
  6. 6,395 msn.com
  7. 5,193 sbcglobal.net
  8. 4,313 live.com
  9. 3,029 verizon.net
  10. 2,847 bellsouth.net

   Source: Rapid 7
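The domain table above and the count of single-character passwords are the kind of first-pass triage a responder runs over a dump before deciding whom to notify. The following is an added example of that triage, not Rapid 7's tooling; it parses a small constructed dump in the `email:password` form (invented records, not lines from the real leak), normalises the email domain, tallies the top domains, and picks out one-character and most-common passwords.

```python
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample in email:password form. These are invented records for
# the example, not entries from the actual Yahoo leak.
SAMPLE_DUMP = """\
alice@yahoo.com:0
bob@gmail.com:password1
carol@yahoo.com:0
dave@hotmail.com:letmein
erin@GMAIL.com:Tr0ub4dor&3
frank@aol.com:0
grace@yahoo.com:password1
this line has no separator and must be skipped
heidi@comcast.net:pa:ss:with:colons
"""

Record = Tuple[str, str]


def parse_dump(text: str) -> List[Record]:
    """Return (email, password) pairs from email:password lines.

    Only the first colon separates the fields, so passwords containing
    colons survive intact. Lines without a colon are skipped. Emails are
    lower-cased so GMAIL.com and gmail.com count as one domain.
    """
    records: List[Record] = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        records.append((email.strip().lower(), password))
    return records


def domain_counts(records: Iterable[Record]) -> Counter:
    """Tally the part after the last '@' in each email."""
    return Counter(email.rsplit("@", 1)[1] for email, _ in records if "@" in email)


def top_domains(records: Iterable[Record], n: int = 10) -> List[Tuple[str, int]]:
    """The table Rapid 7 published: domains ordered by number of leaked accounts."""
    return domain_counts(records).most_common(n)


def single_char_passwords(records: Iterable[Record]) -> Counter:
    """How many accounts use a one-character password, keyed by that character."""
    return Counter(pw for _, pw in records if len(pw) == 1)


def most_common_passwords(records: Iterable[Record], n: int = 10) -> List[Tuple[str, int]]:
    """Passwords shared by many accounts are the first ones a credential-stuffing
    attacker will try elsewhere, so they belong in the notification priority."""
    return Counter(pw for _, pw in records).most_common(n)


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("records parsed:", len(recs))
    for rank, (domain, count) in enumerate(top_domains(recs), start=1):
        print(f"{rank:>3}. {count:>6,} {domain}")
    print("single-character passwords:", dict(single_char_passwords(recs)))
    print("most common passwords:", most_common_passwords(recs, 3))
```

On a real dump the same script tells you immediately which third-party providers need a notification and how many accounts on each are exposed, which is the information the article notes Yahoo never published for the non-Yahoo domains.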

Copyright © 2018. Jumbo Education (Information Technology). All rights reserved.