OT Yahoo breach

It says you should change your password if you have not done so since 2014. How can I tell when my password was last changed? I don't keep a record of that.
On 9/25/2016 10:34 AM, Taxed and Spent wrote:

How difficult is it to change passwords? I routinely change mine every six months or so. Just change it and move on.
On Sun, 25 Sep 2016 11:14:00 -0500, Unquestionably Confused

The problem might be, if you do not know your password (it is stored on the PC) you can't change it.
On 9/25/2016 11:47 AM, snipped-for-privacy@aol.com wrote:

If that's his problem, perhaps he shouldn't be on the computer. Under your theory, he has his password stored and doesn't "remember" it.
That's fine. It will still allow him to log on and once logged in, Yahoo does NOT require the entry of one's password a second time in order to change passwords. You merely enter your new password, confirm it and you're done until the next time.
On Sun, 25 Sep 2016 12:51:44 -0400, burfordTjustice

In my case I don't even have my Yahoo password anywhere. I only use it for one Yahoo group and I just answer the Emailed post. I never actually log in. I have tried recovering the PW but none of my answers match what I wrote 17 years ago when I set up the account.
snipped-for-privacy@aol.com wrote:

Is it stored in an encrypted password manager program or the web browser for auto login purposes? If the latter, nirsoft utils are your friend. If the former, you'd have to login to your password manager to recover the current password so you can change it to something else...
Oh, one more thing, stop having your web browser store login/passwords for you, if that's something you do.
As you'll learn by using the utils I mentioned, it's obviously NOT secure. Anyone who has access to your computer with a brain (read: knows how to pull up the passwords using Nirsoft or a variety of other tools) can recover them with ease.
--
MID: <nb7u27$crn$ snipped-for-privacy@boaterdave.dont-email.me>
Hmmm. I most certainly don't understand how I can access a copy of a
On 9/25/2016 12:14 PM, Unquestionably Confused wrote:

Why? If it has been working, what makes it more vulnerable with time? What makes a new password more secure than an old one? Maybe the new one is easier to crack.
Given the number of web sites I use it would be an all day job to change them all.
"Ed Pawlowski" wrote
| > How difficult is it to change passwords? I routinely change mine every six
| > months or so. Just change it and move on.
|
| Why? If it has been working, what makes it more vulnerable with time?
Did you read about the news? It's a dramatically clear answer to your question. Yahoo was hacked a couple of years ago. Chinese hackers might be scanning your email now, waiting for something like a credit card number or bank account info, or enough personal info to spoof your identity. The passwords might have been sold.
The data was stolen by breaking into Yahoo and stealing their member/password list, not by hacking passwords. If you changed your password periodically you would have been protected for most of the last two years.
On Sun, 25 Sep 2016 13:10:52 -0400, "Mayayana"

If they look at my Yahoo account, they are just going to see the spam it accumulated over the last 17 years because I never used it. I would appreciate them sending me the password tho ;-)
On 9/25/2016 11:59 AM, Ed Pawlowski wrote:

Think about it, Ed. Time has nothing to do with it really. There was a breach and the password you may have thought to be secure has been leaked.
If your current password is "jTR653ew$*LvfddseZ+" that is a pretty secure password. However, if there is a data breach on Thursday and that password and your email account/Yahoo account user name is leaked, it's worthless. If you change it to "jghfgfd$#cds@--:<Y" the day after the breach (before some hacking AH changes your old one and locks you out) you are now secure again. (until the next breach)
"Unquestionably Confused" wrote
| If your current password is "jTR653ew$*LvfddseZ+" that is a pretty
| secure password.
I read an interesting article a while back saying that one of the best ways to make a password is to just join 4 words. Cracking algorithms necessarily look for patterns. Four words is very memorable to humans, but not a pattern mathematically. For instance: breadtarmacskatesblot
More memorable, yet still seemingly random, things could be invented that mean something only to the inventor. For instance: ruthdoilyxmasbarnard
For your aunt Ruth who likes doilies and invites the family every Christmas to her house in Barnard. It's memorable to you but for a computer it's just 20 random characters.
On 9/25/2016 12:25 PM, Mayayana wrote:

Run those through any password strength meter of your choice and you'll find that they are woefully inadequate.
"Unquestionably Confused" wrote
| Run those through any password strength meter of your choice and you'll
| find that they are woefully inadequate
|
No link. No explanation. Did you have a reason to say that other than impulse or personal instinct? Here's the source:
http://www.baekdal.com/insights/password-security-usability
http://www.baekdal.com/insights/the-usability-of-passwords-faq
You can *seem* to make more obscure passwords by adding *, !, etc. And you could add those to the 4 words. The author of the articles linked also uses spaces between words. You could also capitalize some characters. But as long as the password cracker assumes those characters are possibilities it will test for them, so they're no more unique than "a". Meanwhile, you have a 20-character password that you can remember.
On 9/25/2016 1:24 PM, Mayayana wrote:

I don't doubt that somebody wrote that about passwords, but I don't buy it and I don't take it as gospel just because somebody did.
I also didn't include a link to a password checker simply because my suggestion was that you run it through any one that you might choose - and there are plenty.
Here's a couple, so go ahead and give it a try. If you find that these don't support your position, go ahead and find some more and try them. Good luck.
http://www.passwordmeter.com/
https://howsecureismypassword.net/
Depending upon which one you use - actually, make that REGARDLESS of which checker you use - you'll find that simply adding a space between the words of your pass phrase will dramatically increase the difficulty of solving.
Then, so long as you're out there trying, try running something like FU2&es&dye! and see what happens. Or, one of my favorites, something like "Hgb^7*?/,<dPoo" (with or without the quotation marks, tho if you use the quotes the time frame runs into the trillions of years<g>)
I use a pass phrase similar to what you suggest (but including some clinkers to increase difficulty) as a Master Password for my password manager. Trust me when I say that no matter how I check it, my Master PW will withstand a couple of billion years of hammering with a computer and the individual passwords for financial accounts and the like will withstand trillions. I feel that's adequate as I doubt that I'll be around much more than 15 or 20 years if I'm really lucky<g>
"Unquestionably Confused" wrote
| I also didn't include a link to password checker simply because my
| suggestion was that you run it through any one that you might choose -
| and there are plenty.
|
| Here's a couple, so go ahead and give it a try. If you find that these
| don't support your position, go ahead and find some more and try them.
| Good luck.
|
I did. If you'd bothered to check yourself you would have found that a 20 character password is considered very strong, no matter what the characters. Such password checkers are of little value for anything other than learning basic rules. They're just simple scripts that assign points based on unusual characters, length of password, etc. An OSS example that can be downloaded is here:
http://rumkin.com/tools/password/passchk.php
If you try that you'll find that anything over about 12-13 characters is rated strong, even if it's just 13 lower case alphabetic characters. As I noted before, it's been a long time since unusual characters were worth much. Many places now require upper and lower case, at least one number, and at least one unusual character. So any worthwhile cracker has already increased its check from 62 alphanumeric characters to include a dozen or so more. Those other characters, like #>1, may look exotic, but all characters are just numeric byte values.
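Added example, not part of any post in this thread: a sketch of the two ways the posters are counting strength, per character (what the linked meters score) and per dictionary word (what applies if the guesser tries joined words). The word list is constructed from the thread's own passphrases, the 7776-word dictionary size is an assumption, and all function names are hypothetical.

```python
import math
import string

# Constructed word list: only the words of the thread's two example passphrases.
SAMPLE_WORDS = {"bread", "tarmac", "skates", "blot", "ruth", "doily", "xmas", "barnard"}
# Assumption: the guesser's dictionary holds 7776 words (the size of a Diceware list).
ASSUMED_DICT_SIZE = 7776


def charset_size(password):
    """Size of the character pool a per-character search has to cover."""
    pools = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
             (string.digits, 10), (string.punctuation + " ", 33)]
    return sum(size for chars, size in pools if any(c in chars for c in password))


def char_bits(password):
    """Bits of search space when every character is guessed independently."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def split_words(password, words):
    """Return the password as a list of dictionary words, or None if it is not one."""
    best = {0: []}  # position -> segmentation of password[:position]
    for end in range(1, len(password) + 1):
        for start in range(end):
            if start in best and password[start:end] in words:
                best[end] = best[start] + [password[start:end]]
                break
    return best.get(len(password))


def effective_bits(password, words=SAMPLE_WORDS, dict_size=ASSUMED_DICT_SIZE):
    """Smaller of the two search spaces: per character or per dictionary word."""
    bits = char_bits(password)
    # Assumption: a space between words is a known convention and adds nothing.
    parts = split_words(password.replace(" ", ""), words)
    if parts:
        bits = min(bits, len(parts) * math.log2(dict_size))
    return bits


if __name__ == "__main__":
    for pw in ("breadtarmacskatesblot", "ruthdoilyxmasbarnard",
               "jTR653ew$*LvfddseZ+", "FU2&es&dye!"):
        print(f"{pw!r}: per-character {char_bits(pw):.1f} bits, "
              f"effective {effective_bits(pw):.1f} bits")
```

Under these assumptions the four-word passphrases score roughly 94 to 99 bits per character but about 52 bits per word, and the gap depends entirely on the dictionary size assumed.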
On 9/25/2016 11:24 AM, Mayayana wrote:

I use Yahoo's Two-step verification. Even if the perp knows my simple password he won't be able to bring up my account on a strange machine.
"AL" wrote
| I use Yahoo's Two-step verification. Even if the perp knows my simple
| password he won't be able to bring up my account on a strange machine.
|
Isn't that for when you change your password? I assume you don't answer a security question every time you log on.
The issue here is that passwords were stolen and Yahoo didn't know or didn't tell people. So the thieves could have been logging into any Yahoo account over the past two years without being noticed.
On 9/25/2016 5:25 PM, Mayayana wrote:

No. It has nothing to do with changing the password.
When I log into Yahoo from a strange (unknown to Yahoo) computer, Yahoo verifies it's me by texting me a code on my cell phone. When I enter that code on the strange machine it becomes a known machine and from that point on there is no more Two-step verification necessary to access my account on *that particular computer*.
Anyone trying to log in to my account from a strange computer will be unsuccessful even if they know my password because they don't have my cell phone for the verification code.

Correct.

I agree that's bad. But the issue here is also how to protect yourself now. I suggest activating Two-step verification.

With Two-step verification I would notice an *attempt* to log on to my account because I would get an unasked for text code.
"AL" wrote
| When I log into Yahoo from a strange (unknown to Yahoo) computer, Yahoo
| verifies it's me by texting me a code on my cell phone. When I enter
| that code on the strange machine it becomes a known machine and from
| that point on there is no more Two-step verification necessary to access
| my account on *that particular computer*.
|
That's a clever idea. I had no idea that webmail companies were now tagging devices. I guess that makes sense, since many people are now checking their email mainly from a phone, rather than from constantly changing desktops in hotels and workplaces.
On 9/26/2016 8:14 AM, Mayayana wrote:

Actually, it's not the devices they are "tagging", it's the IP address which you are using. If I log in from either home or office where I have static IP addresses, I don't get the verification. If I log in from any other location, a pass code is sent to my smart phone and I have to enter it on the computer before my regular log in credentials are accepted.
Some systems look for a specific IP address while others will allow for a certain range (in the case of a dynamic IP address assignment by your provider).
HomeOwnersHub.com is a website for homeowners and building and maintenance pros. It is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.