RE: Analysis of 400,000+ Stolen Yahoo! Passwords
July 14, 2012 at 4:40 am
(This post was last modified: July 14, 2012 at 4:41 am by Tempus.)
That was an interesting, if disturbing read.
Also, at the bottom of the article I accidentally clicked 'Stars' (I was trying to click a tag!). So I clicked it again, to reverse whatever the star meant and then it went from 0 stars to a -1 star. So then I panicked and tried to get it back to 0 stars with a frenzy of clicking and now it's on -5... I don't know what the hell I did, but I'm sorry. I'm never clicking anything ever again.
RE: Analysis of 400,000+ Stolen Yahoo! Passwords
July 16, 2012 at 11:17 pm
Sounds as if they couldn't afford even high school students to write the site, so they hired someone from a "rent a coder" site. This isn't stupidity, it's orders of magnitude worse. SQL injection? Even WordPress is better than that.
As far as the passwords themselves, that's a real shame, considering that using a different 20-character mixed alphanumeric password for each site is so trivial today - most password programs can generate at least that strong a password, and since they're all stored for future retrieval, only one password has to be remembered.
RE: Analysis of 400,000+ Stolen Yahoo! Passwords
July 16, 2012 at 11:56 pm
Bahahahahahahahahaha! That settles it. I'm changing all my passwords to "princess". Oh god, that is too funny. I'll be giggling about this for days.
I had a recent bit of fun with passwords. I have a Barnes & Noble account. I had acquired a new eReader, so I went to synchronize everything and when I went to sign in, it told me there was no account associated with that name and password. Mysteriously, the device seemed to work fine, but not the PC instance. After another attempt, I was informed that the account has been locked out, and I would need to call their 1-800 number. So, I did so, changed my password after getting their one-time-only password reset email, under prompting via phone. A couple weeks later, I go to log into my account, and it's the same thing. I wasn't locked out, so I went through the online password recovery / change process, but each time the result was the same. So I again called the 1-800 number and went through the same process of interactively changing my password again. Every time, the result was the same: no access. Just sort of offhand like, the CSR Rep asks me how many characters my password was. So I count up the characters and answer, "14." She tells me, oh, if your password is longer than 12 characters, stuff like this happens.
No warning on the password forms. No sanity checking of the input. And a support staff which is apparently largely unaware of the issue.
I was so mad I could just spit.