Yahoo Sued For Password Breach
twoheadedboy writes "Yahoo is being sued by one of its users, who has claimed the US Internet company was guilty of negligence when 450,000 passwords of the members of the Yahoo Voices blogging community were posted online. Jeff Allan from New Hampshire has turned to a federal court in San Jose, California, after his eBay account, which used the same password as his Voices account, was compromised. The breach at Yahoo followed similar hits on LinkedIn and Nvidia, which together saw millions of passwords leaked."
Guilty of Negligence (Score:5, Insightful)
Re: (Score:3, Insightful)
But then one would be forced to be a complete idiot who implicitly stated that passwords were a good measure and that people have good enough memories and enough time on their hands to manage one unique strong password for every website they visit.
Luckily one wouldn't say that. (maybe you would though.)
Re: (Score:3)
Regardless of whether passwords are a good measure, I do use a unique strong password for every important site I visit - i.e. ones that store personal or financial information. Not so bothered with forum logins and the like where it really doesn't matter all that much if they're compromised.
I only remember one password, though, and that's the one to my password database that's stored locally on my PC. I use KeePass, but there are plenty of other password safe applications.
Re: (Score:2)
I do use a unique strong password for every important site I visit - i.e. ones that store personal or financial information. Not so bothered with forum logins
You might be surprised at what the law considers "personal information". Even an e-mail address, used to notify you of new posts on a forum or to act as a unique key in the user list, is "personal information" under at least one U.S. federal law.
I only remember one password, though, and that's the one to my password database that's stored locally on my PC.
So what do you do when you want to check your bank balance from a machine other than your PC?
Re: (Score:1)
So what do you do when you want to check your bank balance from a machine other than your PC?
Keep a non-encrypted version of that file in Dropbox, of course! It is password protected, right? ;)
Re: (Score:2)
You might be surprised at what the law considers "personal information". Even an e-mail address, used to notify you of new posts on a forum or to act as a unique key in the user list, is "personal information" under at least one U.S. federal law.
Yes, but what I'm saying is it doesn't really matter if someone steals my generic forum logon password - all they'll get is my throwaway email account to spam and the ability to post on sites like this as me.
So what do you do when you want to check your bank balance from a machine other than your PC?
My bank supplies a (physical) code generator that takes a pin number and generates a number. I don't carry that with me either, so I can't get access to my bank account when I'm out anyway.
Having said that, I was simplifying. I do keep a copy of the password file on my phone. It's encrypted, and there'
Re: (Score:2)
But then one would be forced to be a complete idiot who implicitly stated that passwords were a good measure and that people have good enough memories and enough time on their hands to manage one unique strong password for every website they visit.
Luckily one wouldn't say that. (maybe you would though.)
Take one good password (say 12-15 characters)
Then prepend with a unique 4 or 5 character which you keep written down in a file on your computer
Each password then ends up being 16-20 characters long, however even if someone broke the hash (or some stupid site stored it in plain text -- like the one of the UK 2012 party conference accreditations), it would still be very hard to cross-contaminate the passwords.
Re: (Score:2)
Better, but still not very good. At best, a cracker needs to correlate your passwords from two leaks, to see which part is the variable part. Or perhaps he can figure it out looking at just a single instance, if the variable bit is obvious enough.
It's better to use a password manager, and two factor authentication where it is offered, such as gmail.
For that matter, I store many passwords in gmail. If someone has gained control of that account, they can use password resets to gain access to those sites anywa
Re: (Score:2)
Or you could do something silly, like NOT USING THE SAME USER ID IN MULTIPLE LOCATIONS.
For me, if it relates to money or control of a system, it has a unique user ID, password, and even email address. Break into Yahoo, and you might get my Yahoo account info, but you can't use it to figure out my eBay account information. Break into eBay, and you still don't have what you need to find my PayPal account.
But people trust the internet too much.
Re: (Score:2)
Re: (Score:2)
Better, but still not very good. At best, a cracker needs to correlate your passwords from two leaks, to see which part is the variable part. Or perhaps he can figure it out looking at just a single instance, if the variable bit is obvious enough.
It's better to use a password manager, and two factor authentication where it is offered, such as gmail.
For that matter, I store many passwords in gmail. If someone has gained control of that account, they can use password resets to gain access to those sites anyway, so there's no additional risk in storing them there.
If a cracker is really after me specifically, I'm probably screwed regardless. Devil take the hindmost.
Re: (Score:1)
I was just about to post the same thing. This guy should be suing himself. Now that's a trial I'd follow.
Re:Guilty of Negligence (Score:4, Informative)
It's his accounts that are at risk. His choice to take the risk. Not Yahoo's choice. See the difference?
Re: (Score:2)
In Florida Bank of America has sued itself multiple times.
Re: (Score:2)
Wells Fargo had to sue itself, actually.
http://yro.slashdot.org/story/09/07/13/1727218/wells-fargo-bank-sues-itself [slashdot.org]
It was quite enjoyable to follow. The backtracking and confusion was so hilarious.
Re: (Score:1)
It's beyond negligence. If you reuse the same password for service X and Y, then you're implicitly trusting the owners of service X not to compromise your account at service Y. Therefore, you either (a) give the same password to anyone who puts a form on the web and asks for your password; this means you do not care who gets your password -- in other words, you admit it's your own fault or (b) you admit to discriminating between websites and using different passwords based on level of trust; therefore you a
TRWTF (Score:5, Insightful)
On the other hand, neither service X nor service Y should be storing your passwords in such a way that it is possible to recover the actual password.
Re: (Score:2)
Yea, because taking 10 million years to recover the password totally works.
Re:TRWTF (Score:4, Interesting)
Re: (Score:3)
What's really fun are those services that let you enter a 30 character password, then silently truncate it to 8 characters.
Also thrilling when a service is able to tell you what your forgotten password is.
Then there was the login web page that would let you start typing in your credentials before it was finished loading, then move the cursor back to the username input box when it finished loading. I recall Yahoo's webmail did that for a while. Actually, it was a combination of bad design on both the w
Re: (Score:2)
Re: (Score:2)
This is my face when sites insist on using a hash instead of AES-256 or better for encrypting/securing passwords.
My face, look at it. [imgur.com]
Re: (Score:2)
Things like keepass make it very easy to use unique 30-character strong passwords for every site or service.
Of course, if someone gets your database you're in trouble. Better make sure you invested in a superbly strong passphrase on that thing (which you should be able to, no longer having to remember other passwords)
Re: (Score:2)
Rainbow tables won't help if the salt was properly implemented. Rainbow tables can only cover one salt per table, and normally each user has their own salt value. So you would need one table per user, making them pointless.
What does usually work against large salted hash leaks is a dictionary attack. On average you can crack maybe 50% of passwords in a few hours with a GPU and suitable dictionary. Password length is not that important beyond maybe five characters, avoiding words (or common variations of wor
Re: (Score:2)
Re: (Score:2)
Because nobody has ever thought about properly seeding hashes...
Banks (Score:1)
Sadly, banks are often the worst for this.
8 character limit, alphanumeric only. No special characters. No spaces.
Maybe this is to tie into some archaic infrastructure, but whatever the reason it seems those that should prefer the strongest passwords instead often require the weakest.
Re:TRWTF (Score:5, Informative)
Salted passwords don't matter - you can recover the password. Heck, you can reverse engineer hashing algorithms by just making a bunch of passwords then recovering them.
That would require you not only steal the password hash file but also the software used to create that file, including the salt, etc.
The point in the current case is that the passwords WERE NOT stored encrypted in any form. They were stored in clear text despite every recommendation never to do this on any system. It's inexcusable.
Every Linux distribution since the Pleistocene has defaulted to at least a minimally encrypted password file. Yahoo runs nothing but Linux [netcraft.com]. They would have had to intentionally bypass Linux security basics and roll their own to end up in such a mess.
They deserve to be sued. Still it will be a hard case to win because there is no law that says they have to be careful or competent.
Re: (Score:2)
Uh, no. I don't think it's common practice to give each person who signs up an actual system account at the server, so Yahoo do not get the benefit of the shadow password scheme in Linux (to the degree that it's a benefit at all, there's a reason we use SSH authentication these days).
Re: (Score:2)
The shadow password scheme is there, tested, maintained, and general purpose in nature. You can use it for any purpose. It's not just for system accounts.
Ssh identification is overkill for your average forum login. While it might be useful for mail systems, it's not common to use it for such, even in the Unix world.
Re: (Score:3)
Salted passwords don't matter - you can recover the password. Heck, you can reverse engineer hashing algorithms by just making a bunch of passwords then recovering them.
That would require you not only steal the password hash file but also the software used to create that file, including the salt, etc.
No. The context of this subthread was that using the same password on two separate systems would give the owners of one of the systems access to the other. Presumably, they won't need to "steal" anything, as they already control both the relevant data and software.
Yahoo runs nothing but Linux [netcraft.com]
If the only boxes they have are forward pointing webservers, then this link is relevant. That is obviously not the case.
They would have had to intentionally bypass Linux security basics and roll their own to end up in such a mess.
Intentionally bypass? Please. Of course you don't create operating system level users for users in your web app. They are way t
Re: (Score:2)
"Still it will be a hard case to win because there is no law that says they have to be careful or competent."
Negligence is easy enough to prove just by logic. In this day and age of technology, it's ABSOLUTELY inexcusable to bypass TYPICAL security measures, given what Yahoo runs and how it works by default (ie before Yahoo tinkering.)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
It would take 631 thousand years to crack just one of my passwords - and considering you may need to crack at least one other before you got to that one, I would say, go ahead and try - I'll wait...........
Or you could crack the password via social engineering, by doing something like setting up a website that asks people to enter their password and indicates how long it would take to crack that password .... Sometimes the weak link in the chain is technological, sometimes it is sociological.
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
"It is always possible to recover a password."
This is not true. If a password has more entropy than the hash being used, there will be collisions that make it impossible to tell what the original password is.
This is a basic consequence of the fact that hash functions are irreversible and have fixed size. If you consider the space of all passwords of any length, there are infinitely many passwords (even if you limit passwords to those made of long strings of english words) that hash to a particular value.
F
Re: (Score:2)
You do if you want to access other website in which the user may have used the same password, because the wrong password won't hash to the right value when the salt is different.
Re: (Score:2)
"If a password has more entropy than the hash being used, there will be collisions that make it impossible to tell what the original password is."
Entropy doesn't mean shit if by random chance you get it cracked on the first few tries.
Always account for a margin of uncertainty, and for a margin of certainty.
If you can find out how long the PW is, you've just won half the battle and Entropy in theory might not be an issue.
Re: (Score:2)
You didn't understand parent's post.
What parent said is that if the password has more entropy than the hash, you can't know if you "cracked" it or not, because there's more than one password that results in the same hash.
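To make the collision argument in the two comments above concrete, here is an added example (not from any commenter) that shrinks the hash to 16 bits so the pigeonhole effect is visible: every 4-letter lowercase password (about 18.8 bits of choice) is hashed, and several different passwords land on the same digest, so the digest alone cannot identify the original. The 16-bit truncation of SHA-256 is a constructed toy, not a real scheme.

```python
import hashlib
import itertools
import math
import string
from collections import defaultdict

# Toy hash width (constructed for illustration): keep only the top 16 bits of SHA-256.
TRUNC_BITS = 16


def toy_hash(password: str) -> int:
    """Model a hash whose output space is smaller than the password space."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - TRUNC_BITS)


def password_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of choice in an alphabet_size^length password space."""
    return length * math.log2(alphabet_size)


def preimages(alphabet: str = string.ascii_lowercase, length: int = 4) -> dict:
    """Map each toy-hash value to every password in the space that produces it."""
    table = defaultdict(list)
    for chars in itertools.product(alphabet, repeat=length):
        pw = "".join(chars)
        table[toy_hash(pw)].append(pw)
    return table


def most_ambiguous(table: dict) -> tuple:
    """Return (hash value, list of colliding passwords) for the most crowded digest.

    Because 26**4 = 456976 passwords share only 2**16 = 65536 digests, the most
    crowded digest must have at least ceil(456976 / 65536) = 7 preimages, so a
    leaked digest cannot tell which of them the user actually typed.
    """
    h = max(table, key=lambda k: len(table[k]))
    return h, table[h]


if __name__ == "__main__":
    print(f"password space: {password_space_bits(26, 4):.1f} bits, hash: {TRUNC_BITS} bits")
    h, pws = most_ambiguous(preimages())
    print(f"digest {h:#06x} is produced by {len(pws)} different passwords, e.g. {pws[:3]}")
```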
Re: (Score:3)
It is *always possible to recover* a password.
No, it is not. You need go back to Cryptography 101.
A properly seeded hash using a proper cryptographic one-way hash function is impossible to revert using today's and any technology within the foreseeable future. It's not a matter of raising CPU powers by a few orders of magnitude, but by a couple billion orders of magnitude.
Heck, you can reverse engineer hashing algorithms by just making a bunch of passwords then recovering them.
The proper term is rainbow tables, and they don't work for good salts because you need one table per possible salt value, meaning with 2 bytes you need 65k rainbow tables. If that frighte
Re: (Score:2)
"No, it is not. You need go back to Cryptography 101."
Man can make it, man can break it.
You assume humans are infallible. BIG mistake.
Re: (Score:3)
You really need to go back to some basics.
The strength of good cryptography lies exactly in that not one but many men, and not just any but the top experts in the field have been trying to break it - and have failed. A crypto algorithm is considered strong exactly if there are no known attacks against it that are significantly faster than brute-force, despite said experts looking for one. All the major ciphers in use today have withstood at least one, usually several decades of attempts to break them.
Is it
Re: (Score:2)
> No, it is not. You need go back to Cryptography 101.
> A properly seeded hash using a proper cryptographic one-way hash function is impossible to revert using today's and any technology within the foreseeable future. It's not a matter of raising CPU powers by a few orders of magnitude, but by a couple billion orders of magnitude.
You need to go back to Mathematics 101. These functions have a brute force work factor of between about 2^160 and 2^512, o
Re: (Score:2)
Yes, he screwed up, but so did Yahoo.
This is why we have the concept of contributory negligence. If he and Yahoo are found to have contributed equally he will only get half his damages.
Re: (Score:2)
Not happening. No excuse for Yahoo to store shit as plaintext.
This lies squarely on Yahoo in today's world of technology. The common man cannot be expected to understand how Yahoo stores and protects passwords, even with a full explanation.
Re: (Score:2)
Re: (Score:2)
Yes, it is, but once the password leaked from Yahoo, its account would have been pwned nevertheless:
Step 1 - go to Ebay
Step 2 - click on "recover password"
Step 3 - log into his @yahoo.com e-mail with the leaked password
Step 4 - reset password
Step 5 - ??? Profit (how appropriate)
The e-mail password serves as a sort of "master password" nowadays --- once it gets public, all your other passwords can be compromised.
Re: (Score:2)
Banks and other high risk sites have two factor. You have to call or have a text sent with a one-time pass code to your phone. Can't change the phone number without logging in.
Re: (Score:2)
What world do you live in? 1975?
The average computer user these days has how many different logins to how many different services, websites, etc. etc.? I'd guess that 20 is on the low end, and 100 not entirely uncommon.
So, Einstein, pick one: Re-using passwords or writing them down somewhere (or storing them somewhere, like a password manager). It's one or the other, because you can not seriously expect people to remember several dozen different passwords. All of which, of course, are not meaningful words b
You forget one big thing. (Score:2)
Liability (Score:2, Insightful)
Re: (Score:2)
What's regrettable about it if it works?
Re: (Score:1)
I hope Yahoo loses. (Score:1)
I'd LOVE to see companies start getting sued for this kind of stuff. It's really getting out of hand with how negligent companies are. If the government isn't going to do the job I say we can do the job ourselves via lawsuits. They start losing enough money they'll start thinking about not screwing up like this.
Granted, the logic of them being sued is kind of BS. Everyone knows better than to use the same password at multiple locations because of the possibility of this exact outcome, but I still hope Y
Re: (Score:2)
Majority of my family uses the same password for all their accounts
Here's a simple solution to keep people from reusing passwords: Establish a common database of strongly encrypted (SHA512 or better) passwords. Anyone who runs a legitimate website could register to use it. When someone creates an account on Yahoo using the password "correct horse battery staple", then Yahoo would hash that password, check it against the database, and let them know that someone somewhere has already used that password, so they have to pick another.
I don't think the database would be of m
Re: (Score:2)
No, this is a terrible idea.
Letting crackers know whether someone has used a password lets them try to guess passwords all at once, instead of one user at a time. Once they've harvested a few passwords, the problem of matching them up with usernames is trivial. Grab usernames from email archives and the like, then brute force it from there. It does not take long to go through a few million usernames. The service can't even stop this with the bad idea of locking an account after 3 failed attempts since
Re: (Score:2)
Such databases are plentiful already (google reverse hash lookup), and believe it or not: The knowledge that the password "hunter2" has been used on one of Yahoo's two million accounts, is neither news to a cracker nor particularly useful.
Re: (Score:2)
Salts, which are mandatory for good password storage, torpedo your idea. Sorry. Passwords stored without salts are vulnerable to rainbow table attacks.
Re: (Score:2)
The problem is that 'everyone' in that sentence is only referring to those who are tech savvy. Majority of my family uses the same password for all their accounts (I know this from being in-house tech for everyone).
It's not that big of a deal.
There are several sites I read and very rarely post on, where my password is the same nonsense characters simply to save brain cells.
Anyplace that matters gets a unique password. None of these reuse an email account password. But there are many trivial accounts where I use the same password
Since I log in with different names on many of these sites there is no real easy way to match names to any other account.
But the main point here is that it's the user's choice and the user's accou
Re: (Score:2)
"If the government isn't going to do the job I say we can do the job ourselves via lawsuits."
The irony of this statement......
Guess who handles the lawsuits?
Yup, the government.
Whats this in terms of weeks and quality gpu's? (Score:1)
Weeks with 10 top brand gpus ie small system?
Weeks with many many networked "10 top gpus" systems?
Or the classic inside out decryption ie one person with a laptop and hacking skills?
Image of Trust (Score:5, Insightful)
Not everyone has a degree in IT. Perhaps instead of guerrilla advertisement, Yahoo (and other similar services) could cough up at least a token effort for their cattle, I mean customers. Maybe they could reserve some extra ad-space to discourage unknowing subjects from having shared passwords. Maybe they could do a lot more in general, and a lot less too, in a good way.
I sympathize with neither side in this case, but can empathize with only one. Altruism, despite modern Goliaths, doesn't always need an ulterior motive. Yahoo preys on the sea of humanity, and a few minnows nip back. Pardon me whilst I desiccate myself with tears.
I'm just a simple caveman... (Score:2)
Re: (Score:1)
same password isn't the only problem... (Score:2)
https://xkcd.com/936/ [xkcd.com]
The company is most culpable (Score:1)
Yeah yeah yeah, you can all say the user is stupid for using the same password on multiple sites. /careface
Yahoo still lost 400000 passwords, and coming from a corp that's not on. End of story. The way many big companies handle user data is complete bs and there's no arguing that.
I wouldn't blame the man. (Score:1)
Software engineers should take some responsibility (Score:1)
If a company built a bridge and it collapsed, that company would be likely to face a lawsuit and a fine. Engineers take safety and security seriously; so should software engineers.
Negligence (Score:2)
Using the same password for multiple accounts is a negligent user behavior, though I'd say that storing hundreds of thousands of passwords in clear text wins as being vastly more irresponsible.
he'd win if I were deciding the case (Score:1)
But he'd only win for damages caused by misuse of HIS YAHOO account and of accounts accessed through HIS YAHOO login, such as newspaper-comment accounts that allow Yahoo-account-based logins.
But as for his eBay account, sorry, unless the bad guys used his Yahoo account to do a password-reset or password-retrieval of his eBay account, that's on him.
bike & briefcase lock analogy time (Score:2)
...after his eBay account, which used the same password as his Voices account, was compromised.
Analogy: Jeff Alan from New Hampshire decides to use the same numerical combination on both his briefcase and his bike lock. A thief watches Jeff pedal up to a cafe, lock his bike, and grab a table. The thief easily shoulder surfs the briefcase lock combination. On a hunch, the thief walks outside and tries the same combination on Jeff's bike lock. It works, and the thief makes off with Jeff's bike. Jeff Alan from New Hampshire then sues the briefcase company for negligence, and demands that they repla
I saw these accounts used to distribute malware (Score:1)
We all need to do better with passwords from storing them to using them more than once. I'd like a SSO-like two factor authentication where each person can pick both parties. That would get more players out of the password storing game, but we would be centralizing our risk. And not everyone can afford a randomized idea like SecurID on on