Euro Security Watch with Mathew J. Schwartz

Access Management , Identity & Access Management , Next-Generation Technologies & Secure Development

Why Are We So Stupid About Passwords? Yahoo Edition

6 Essential Password and Security Question/Answer Lessons
Why Are We So Stupid About Passwords? Yahoo Edition
Photo: Yahoo (Flickr/CC)

Yahoo users: Change your passwords, as well as your security questions and answers.

See Also: Identity Security Clinic

That's one takeaway from Yahoo's Sept. 22 warning that in late 2014, it experienced a breach that led to the compromise of more than 500 million users' accounts. "The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers," according Yahoo's breach notification.

Yahoo blamed the breach on state-sponsored attackers, but security firm InfoArmor dismisses that claim, saying a cybercrime gang was responsible.

Regardless of who hacked Yahoo, here are six password - and security question and answer - takeaways from the breach:

1. Treat Security Questions Like Passwords

The fact that Yahoo hashed its passwords - especially with bcrypt - is good news. But the breach also revealed that Yahoo was storing some users' security questions and answers in plaintext, thus putting them at risk, because an attacker could have reused them.

"Many sites use similar [security] questions and it would be simple to reset a user's password on a different site," says Johannes Ullrich, dean of research for the SANS Technology Institute, in a recent SANS newsletter.

That's why all sites that store password questions and answers must appropriately secure them. "Password-reset questions should be treated like passwords, even if your site does not use them to directly reset the password but instead uses them just to rate-limit password reset requests," he says.

2. Let Users Pose Questions

Sites that use security questions and answers should also allow users to set their own questions to make it tougher for attackers to guess the answers, says Sean Sullivan, a security adviser at Finnish security firm F-Secure.

Sullivan lauds Yahoo for allowing users to pick their own security questions, even if it didn't previously encrypt all of the questions or answers. And he criticizes some other big sites, such as, that only allow users to select from a short list of preset questions to answer.

3. Embrace Two-Factor Authentication

Two-step authentication can help to safeguard accounts even if passwords or security-reset questions and answers go missing. Yahoo account key, for example, allows users to enter their username when logging in, receive a one-time code from Yahoo on their phone, then use it to log on.

Unfortunately, Yahoo hasn't been promoting the feature, according to information security expert and management consultant William Hugh Murray, who says users should avail themselves of these types of strong authentication options.

4. Never Reuse Passwords

For users, the Yahoo breach is a reminder to never reuse passwords across sites, because attackers can use data dumped in one breach to then access any other site where the same username - or email - and password combination has been registered (see Why Are We So Stupid About Passwords?).

For example, the supposedly hacked account of a White House staffer that led to the release of scans of Michele Obama's passport could have been enabled by the 2013 breach of Adobe.

The scan of the First Lady's passport was uploaded the "hacktivist" website, after having been stolen from the Gmail account of White House contractor Ian Mellul, who does advance work for her as well as Vice President Joe Biden, NBC News reports.

Images from First Lady Michelle Obama's passport may have been obtained from a White House staffer reusing his password across multiple sites.

A search of beach-notification site Have I Been Pwned? reveals that Mellul's email address was also affected by the 2013 breach of Adobe, Ars Technica reports, as was an account used by Navy Captain Carl Pistole, whose emails were also uploaded to In other words, it's possible attackers obtained Mellul's Adobe password and reused it to log into his Gmail account.

5. Make Password Management a Priority

Uniqueness is key, and that makes using dedicated password management software, a.k.a. a password safe, essential, says F-Secure's Sullivan. "I'd rather people use medium-strength passwords and be completely unique, than focusing on long and strong, and repeated use," he tells me. "Now if you can do long and strong and unique, that's a win-win, and that's better, but you'll need a password safe to keep it complex and unique."

While this might sound like heresy, Sullivan says it's OK to write passwords down, in some cases. "If you do most of your computing from a desktop at home, write it down," he says. Secure that document that you write stuff down on in a secure physical place. Your goal is to keep internet hackers from getting to your passwords, so if you've got a secure home, secure your passwords that way. But make them unique."

When it comes to passwords safes, there's no other technology - or mental trick - that can reliably generate and store long, unique passwords. My cross-platform password vault software, for example, currently has 549 entries, ranging from e-commerce and hotel website credentials to credit card details and bank account information. One of my colleague's password safes, meanwhile, sports 577 logins.

In 2014, researchers warned that vulnerabilities in some password safes left them susceptible to attackers. But many security experts say the benefits far outweigh the risks. "I still recommend using a password manager, simply because it allows you to choose longer and stronger passwords," security expert Bruce Schneier, CTO of IBM's Resilient Systems, said in a blog post.

6. Know When It's OK to 'Lie'

The need to be unique also applies to security questions; don't answer them consistently across sites. As former presidential candidate Mitt Romney learned to his peril, it's easy for an attacker to find your "favorite pet's" name.

A much better security approach is to lie, so to speak, by giving Fido's "name" as a unique, 16-character sequence of letters, numbers and special characters - just like a password.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.