
Protect Yourself: Secure Your Online Passwords

A recent security breach left more than 400,000 Yahoo! passwords exposed to the world. Patch rounds up the facts and offers tips and resources for making online passwords more secure.

 

If you’re having trouble signing into Yahoo!, Twitter or Amazon, you could be one of hundreds of thousands of victims of a security breach announced this week by Yahoo.

While Yahoo! announced Friday that it had resolved the issue, the company confirmed on Thursday that more than 400,000 usernames and passwords were stolen and posted in an online hacker forum.

The breach may also extend to Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com users, according to the New York Times.

The compromised server was likely “Yahoo! Voices,” formerly Associated Content, according to TrustedSec.com.

The hacker group behind the breach is called D33DS Company. The group published 453,491 email addresses and passwords in the forum in plain text.

The group behind the breach added a note to the data dump, which the Times reports has since been taken offline.

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the hackers wrote.

But, points out Naked Security blogger Anna Brading, whether or not the hacker group plans to use the information illegally, the data was available for anyone to access.

“There are certainly questions which need to be answered - such as how were the hackers able to gain access to the information, and what measures was the site taking to ensure that even if its databases were breached, the passwords would not be easy to convert into plain text,” Brading wrote.

In a statement released to TechCrunch, Yahoo said it takes security seriously and invests heavily in protective measures to ensure the security of its users and their data, adding that less than 5% of the Yahoo! accounts had valid passwords.

This announcement came just after another social media platform called Formspring announced that it had experienced a similar security breach, which caused the company to disable all 28 million of its passwords.

Keep Your Passwords Safe

A company that developed a script to check the affected passwords said that a large percentage of them were very simple and easy to hack, making them “unsafe.” In fact, CNet reports that the most popular password on the Yahoo! list was 123456—and there were 2,295 instances.

“I’m not saying that complicated passwords can’t be hacked,” wrote a Wired blogger. “I am saying that someone who uses starwars is going to get hacked before someone who uses F1r3F17Ru13s.”

If you think you might be among those with unsafe passwords, check out this list of tips for creating “safe” passwords.

  • Use passwords with eight or more characters.
  • Try to include upper and lowercase letters in your passwords.
  • Also include numbers and symbols such as &, !, #, @, % when possible.
  • Use different passwords for each account.

More Resources for Safe Passwords


Sean Jaen

8:09 am on Monday, July 16, 2012

Don’t you think “tips for creating ‘safe’ passwords” is kind of a moot point? People need to understand that neither the strength of your password nor having it locked up in Fort Knox will mean anything when it is stolen from the source! The only real solution is to add additional layers of authentication for access and transaction verification without unreasonable complexity, and this will be of help to their customers if they implement some form of a two-step or two-factor authentication where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen. You might want to spend more time encouraging users to opt in for this, since it is available to their users and is called “second sign-in verification”?


Nicole

9:59 am on Monday, July 16, 2012

@Sean, agreed! But at least if you make a safe, unique password for every site, then it stops the bleeding, so to speak, when your account is hacked. Although, when it's something as major as your email, which is usually the key to changing your passwords on every other site, you're pretty screwed.

Also, regarding LastPass as a suggested password manager. Umm... weren't they hacked twice?!?! Better to use Dashlane, which stores your data on your computer, not their servers. The last thing you need is ALL your passwords hijacked.
