OT Yahoo breach

It says you should change your password if you have not done so since 2014. How can I tell when my password was last changed? I don't keep a record of that.
Reply to
Taxed and Spent

How difficult is it to change passwords? I routinely change mine every six months or so. Just change it and move on.

Reply to
Unquestionably Confused

The problem might be, if you do not know your password (it is stored on the PC) you can't change it.

Reply to
gfretwell

Why? If it has been working, what makes it more vulnerable with time? What makes a new password more secure than an old one? Maybe the new one is easier to crack.

Given the number of web sites I use it would be an all day job to change them all.

Reply to
Ed Pawlowski

If that's his problem, perhaps he shouldn't be on the computer. Under your theory, he has his password stored and doesn't "remember" it.

That's fine. It will still allow him to log on and once logged in, Yahoo does NOT require the entry of one's password a second time in order to change passwords. You merely enter your new password, confirm it and you're done until the next time.

Reply to
Unquestionably Confused

In my case I don't even have my Yahoo password anywhere. I only use it for one Yahoo group and I just answer the Emailed post. I never actually log in. I have tried recovering the PW but none of my answers match what I wrote 17 years ago when I set up the account.

Reply to
gfretwell

"Ed Pawlowski" wrote

| > How difficult is it to change passwords? I routinely change mine every six
| > months or so. Just change it and move on.
|
| Why? If it has been working, what makes it more vulnerable with time?

Did you read about the news? It's a dramatically clear answer to your question. Yahoo was hacked a couple of years ago. Chinese hackers might be scanning your email now, waiting for something like a credit card number or bank account info, or enough personal info to spoof your identity. The passwords might have been sold.

The data was stolen by breaking into Yahoo and stealing their member/password list, not by hacking passwords. If you changed your password periodically you would have been protected for most of the last two years.

Reply to
Mayayana

Think about it, Ed. Time has nothing to do with it really. There was a breach and the password you may have thought to be secure has been leaked.

If your current password is "jTR653ew$*LvfddseZ+" that is a pretty secure password. However, if there is a data breach on Thursday and that password and your email account/Yahoo account user name is leaked, it's worthless. If you change it to "jghfgfd$#cds@--:

Reply to
Unquestionably Confused

"Unquestionably Confused" wrote

| If your current password is "jTR653ew$*LvfddseZ+" that is a pretty
| secure password.

I read an interesting article awhile back saying that one of the best ways to make a password is to just join 4 words. Cracking algorithms necessarily look for patterns. Four words is very memorable to humans, but not a pattern mathematically. For instance: breadtarmacskatesblot

More memorable, yet still seemingly random, things could be invented that mean something only to the inventor. For instance: ruthdoilyxmasbarnard

For your aunt Ruth who likes doilies and invites the family every Christmas to her house in Barnard. It's memorable to you but for a computer it's just 20 random characters.

Reply to
Mayayana

If they look at my Yahoo account, they are just going to see the spam it accumulated over the last 17 years because I never used it. I would appreciate them sending me the password tho ;-)

Reply to
gfretwell

Given the exhaustive search or dictionary attack scenario, changing the password would make the already tried and failed passwords viable again, so the attacker would have to start over again.

Reply to
FromTheRafters

Run those through any password strength meter of your choice and you'll find that they are woefully inadequate.

Reply to
Unquestionably Confused

"Unquestionably Confused" wrote

| Run those through any password strength meter of your choice and you'll
| find that they are woefully inadequate
|

No link. No explanation. Did you have a reason to say that other than impulse or personal instinct? Here's the source:

formatting link
formatting link

You can *seem* to make more obscure passwords by adding *, !, etc. And you could add those to the 4 words. The author of the articles linked also uses spaces between words. You could also capitalize some characters. But as long as the password cracker assumes those characters are possibilities it will test for them, so they're no more unique than "a". Meanwhile, you have a 20-character password that you can remember.

Reply to
Mayayana

And your "new" password may be the next one tried and thus cracked. Not so sure it improves the odds.

Reply to
Ed Pawlowski

Sure, but the idea behind exhaustive search is not the same as behind random tries, it reduces the effective keyspace after each try. If the entire keyspace can be searched in a year, the average time to break is six months. If you change the password every three months they may never hit the mark. This definitely does improve your odds.

Reply to
FromTheRafters
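
A toy model of the exhaustive-search scenario in the post above, added here as an example and not written by any poster: an attacker sweeps a keyspace in a fixed order at a constant rate, once against a password that never changes and once against one replaced with a fresh random value every 90 days. The keyspace size, guess rate and 90-day interval are constructed values, chosen so that one full sweep takes a year.

```python
import itertools
import random

KEYSPACE = 365_000       # constructed toy keyspace
GUESSES_PER_DAY = 1_000  # constructed rate: one full sweep takes 365 days

def days_to_crack(rotate_days, rng):
    """Day on which a sequential sweep reaches the password in use.

    rotate_days=None keeps one password; otherwise a fresh random
    password is set every rotate_days days while the sweep carries on.
    """
    password = rng.randrange(KEYSPACE)
    position = 0  # first key of today's slice
    for day in itertools.count(1):
        if rotate_days and day > 1 and (day - 1) % rotate_days == 0:
            password = rng.randrange(KEYSPACE)
        # Today's slice is [position, position + GUESSES_PER_DAY), wrapping.
        if (password - position) % KEYSPACE < GUESSES_PER_DAY:
            return day
        position = (position + GUESSES_PER_DAY) % KEYSPACE

def summarize(rotate_days, trials=2000, seed=1):
    """Mean days to crack and share of trials cracked within one year."""
    rng = random.Random(seed)
    days = [days_to_crack(rotate_days, rng) for _ in range(trials)]
    return sum(days) / trials, sum(d <= 365 for d in days) / trials

if __name__ == "__main__":
    for label, rotate in (("never changed", None), ("changed every 90 days", 90)):
        mean, within_year = summarize(rotate)
        print(f"{label}: mean {mean:.0f} days, {within_year:.0%} cracked within a year")
```

The model covers only a sweep against the password currently in use; it says nothing about a password that has already been copied in a breach.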

I don't doubt that somebody wrote that about passwords, but I don't buy it and I don't take it as gospel just because somebody did.

I also didn't include a link to password checker simply because my suggestion was that you run it through any one that you might choose - and there are plenty.

Here's a couple, so go ahead and give it a try. If you find that these don't support your position, go ahead and find some more and try them. Good luck.

formatting link

formatting link

Depending upon which one you use - actually, make that REGARDLESS of which checker you use - you'll find that simply adding a space between the words of your pass phrase will dramatically increase the difficulty of solving.

Then, so long as you're out there trying, try running something like FU2&es&dye! and see what happens. Or, one of my favorites, something like "Hgb^7*?/,

Reply to
Unquestionably Confused

I use Yahoo's Two-step verification. It makes a dictionary attack useless on a strange machine.

Reply to
AL

I use Yahoo's Two-step verification. Even if the perp knows my simple password he won't be able to bring up my account on a strange machine.

Reply to
AL

If they hacked the server, all they would likely have to do is exhaust the hash's keyspace no matter how many parts were involved in the hash's creation. They've had two years in this case, but it could have been worse.

Reply to
FromTheRafters

"Unquestionably Confused" wrote

| I also didn't include a link to password checker simply because my
| suggestion was that you run it through any one that you might choose -
| and there are plenty.
|
| Here's a couple, so go ahead and give it a try. If you find that these
| don't support your position, go ahead and find some more and try them.
| Good luck.
|

I did. If you'd bothered to check yourself you would have found that a 20 character password is considered very strong, no matter what the characters. Such password checkers are of little value for anything other than learning basic rules. They're just simple scripts that assign points based on unusual characters, length of password, etc. An OSS example that can be downloaded is here:

formatting link

If you try that you'll find that anything over about 12-13 characters is rated strong, even if it's just 13 lower case alphabetic characters. As I noted before, it's been a long time since unusual characters were worth much. Many places now require upper and lower case, at least one number, and at least one unusual character. So any worthwhile cracker has already increased its check from 62 alphanumeric characters to include a dozen or so more. Those other characters, like #>1, may look exotic, but all characters are just numeric byte values.
Reply to
Mayayana
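
The two ways of counting that this thread argues over, side by side, as an added example that is not from any poster: a per-character estimate of the kind the simple point-scoring checkers use, and an estimate for a guesser that tries whole words. The word list is a small constructed sample, and the 7776-word list size is an assumption (a Diceware-sized list).

```python
import math

# Constructed sample list; a real guesser's word list is far larger.
SAMPLE_WORDS = {"bread", "tarmac", "skates", "blot",
                "ruth", "doily", "xmas", "barnard"}
ASSUMED_LIST_SIZE = 7776  # assumption: a Diceware-sized word list

def charset_size(pw):
    """Size of the character pool a per-character checker assumes."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # ASCII punctuation plus space
    return size

def per_char_bits(pw):
    """Bits if every character is an independent draw from the pool."""
    return len(pw) * math.log2(charset_size(pw))

def split_words(pw, words):
    """Fewest words from `words` that exactly cover pw, else None."""
    best = [None] * (len(pw) + 1)
    best[0] = []
    for end in range(1, len(pw) + 1):
        for start in range(end):
            if best[start] is not None and pw[start:end] in words:
                cand = best[start] + [pw[start:end]]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(pw)]

def word_bits(pw, words=SAMPLE_WORDS, list_size=ASSUMED_LIST_SIZE):
    """Bits if each word is one draw from a list of list_size words."""
    parts = split_words(pw.lower(), words)
    return None if parts is None else len(parts) * math.log2(list_size)

def estimate_bits(pw):
    """Lower of the two estimates: the cheaper search sets the strength."""
    wb = word_bits(pw)
    return per_char_bits(pw) if wb is None else min(per_char_bits(pw), wb)

if __name__ == "__main__":
    for pw in ("breadtarmacskatesblot", "ruthdoilyxmasbarnard", "jTR653ew$*LvfddseZ+"):
        print(f"{pw!r}: per-char {per_char_bits(pw):.1f} bits, estimate {estimate_bits(pw):.1f} bits")
```

The word estimate assumes each word was picked at random from the list; words chosen for personal meaning are not random draws.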
