Yahoo confirms theft of 450K unencrypted passwords

Gregg Keizer | July 13, 2012
Yahoo today confirmed that 450,000 unencrypted usernames and passwords were stolen Wednesday from one of its services, although it downplayed the threat.

The Yahoo leak, which followed a much larger one last month that involved approximately 6.5 million encrypted passwords belonging to LinkedIn members, was another black eye for the online industry.

Several security researchers, including Carey, drew comparisons between the two. "Organizations and users still aren't taking security seriously enough," he said, referring to the constant barrage of credential breaches.

Carey, like Yahoo and scores of other security experts, urged Yahoo users to change their email accounts' passwords immediately, then follow that with changes to other site logins that rely on the same email address/username and password combination.

But Carey went further, noting that Yahoo may provide more information on the breach later, which could necessitate a second password reset if the leak has not been totally contained.

"You should still go ahead and change it straight away, but you may have to change it a second time if it turns out the attacks are still entrenched in Yahoo's systems," Carey said.

Carey recommended that people install and use a robust password manager that can create complex passwords automatically, then store them for instant retrieval on multiple devices.

"I use KeePass," said Carey, referring to a free open-source password manager for Windows. He also recommended LastPass for Windows, and said researchers at Rapid7 who worked on Macs relied on KeePass X and 1Password.

A password manager makes it easier to create and manage separate passwords for each website, online service or email account, thus limiting the damage if any one username/password combination leaks.

"There's always the potential of a [leaked] password also being used on, perhaps, a PayPal account," Carey said.

But the move toward aggregate credentials that access a slew of services provided by a single company -- like Gmail accounts and passwords being used for all of Google's services, including Google Docs -- can make the practice of using a password manager moot, or nearly so.

"If someone has one account on one service, it lets them log in everywhere," said Carey, using Google as an example. "A lot of business processes store sensitive information on Docs. And because almost everything is Web-based now, 'in the cloud,' this is a problem that's only going to get worse."

Not surprisingly, Yahoo drew the ire of some experts.

"If what is stated is true, it's utter negligence to store passwords in the clear," said Mark Bower, a data protection expert at Voltage Security, in an email Thursday. "This breach just goes to show that even big companies aren't taking enough steps to protect critical data."

 

 
