infosec
- Turn the password manager’s strength settings all the way up and generate a password.
- The website replies “passwords can’t be more than 20 characters long”.
- Adjust the length down to twenty. Generate a new one and send it to the website.
- The website replies “passwords may only contain the special characters ‘$_!#’.
- Adjust the number of symbols down to zero. Generate. Try again.
- The website replies “passwords must contain at least two special characters”.
- Turn the number of symbols back up to two. Click “generate” until you a password that contains punctuation from “$”, “_”, “!”, and “#”, but nothing else. Generate. Try again.
- …and repeat until you’ve appeased the website’s rules.
- Tell 1Password to generate a password for the site you’re currently looking at.
- It fetches the rules file, interprets it, creates a password that satisfies all the requirements, and pastes it in the password field on the site.
- You register for Facebook with your me@yahoo.com email address.
- You forget about that, read about the newest Yahoo user database hack, and delete your Yahoo account.
- A month later, someone else signs up to get your me@yahoo.com email address. They use Facebook’s password reset mechanism to take control of your account, download your private photos, and say nasty things to your friends.
- Oh, and anyone you forgot to share your new address with is still sending personal communications to your old Yahoo address, and its new owner is reading them.
- Read messages from your spouse or partner.
- See your calendar events to know when you’ll be away from the house.
- Take over your account and start resetting every password associated with it, like Facebook, Amazon, and your bank.
- Log into your Yahoo mail.
- Click the little checkbox above your emails to select all of them.
- Click the Delete button to delete all email on that page. If you have lots of messages, you may have to repeat this several times.
- Hover over the Trash mailbox to make the trashcan icon appear. Click the trashcan.
- Confirm that you want to empty your trash.
- Click the settings gear in the top right corner.
- Choose Settings, then Vacation Response.
- Check the box to “Enable automatic response”, and set the Until: year to as far in the future as it will let you.
- Enter a message like:
- Click Save.
- URL (the attacker will have this)
- character set (dropdown gives you 6 choices)
- which of nine hash algorithms was used (actually 13 — the FAQ is outdated)
- modifier (algorithmically, part of your password)
- username (attacker will have this or can likely guess it easily)
- password length (let’s say, likely to be between 8 and 20 chars, so 13 options)
- password prefix (stupid idea that reduces your password’s complexity)
- password suffix (stupid idea that reduces your password’s complexity)
- which of nine l33t-speak levels was used
- when l33t-speak was applied (total of 28 options: 9 levels each at three different “Use l33t” times, plus “not at all”)
A standard for describing a site's password rules
There’s not a universal standard for what a valid password on a website must look like. Some sites allow you to use any four letters. Others require at least twenty characters, including at least one numeric digit and one “special character” (aka punctuation). Even when using a password manager, the process of creating a good one looks a lot like:
I propose instead that websites should document their password rules in a standardized, machine-readable manner. For instance, suppose that each site hosted a file in a pre-defined location, like /.well-known/password-rules.yaml
, in a format such as:
max_length: 64
min_length: 8
allowed_symbols: "$#@!"
min_symbols: 1
min_upper: 1
min_lower: 1
min_digits: 1
matches: "^[a-z]+(.*)+$"
Then tools like 1Password could look for that file and tune their settings to suit. The new process for creating a password would look like:
Further suppose that the standard defined the calling conventions of a REST endpoint for changing passwords, and the rules file included that URL like:
change_url: /ajax/change_my_password
Wouldn’t it be just lovely if 1Password could automatically update every such website on a monthly basis, or whenever a site announces a security breach?
Purge your Yahoo account (but don't delete it!)
There are about 1.5 billion reasons to want to cancel your Yahoo account. Don’t do that!
According to Yahoo’s account deletion page, they “may allow other users to sign up for and use your current Yahoo! ID and profile names after your account has been deleted”:
This is a terrible policy not shared by other service providers, and there are many scenarios where it’s a huge security problem for Yahoo’s users. For example:
Here’s what you should do instead:
Purge your Yahoo account
It’s time to move on. Yahoo has a terrible security track record and shows no signs of improving.
First, understand what you’ll be doing here. You’ll be removing everything from your Yahoo account: your email, contacts, events, and so on. Permanently. There’s no changing your mind. It’s extreme, sure, but until you do it’s likely that hackers can:
Don’t delete your account. Clean it out!
Secure it
Before doing anything else, change your Yahoo password! Hackers probably have your current one. I’m not exaggerating.
Once that’s done, turn on two-factor authentication (2FA). This can prevent hackers from accessing your account even if they get your password.
Once that’s done, make a note to yourself to turn on 2FA for every other account you have that supports it.
Make your new home
Before you start, you’ll want to create an email account with a new provider. Lots of people like Gmail but pick one that looks good to you. This will be your new home account on the Internet: the email address that you give out to friends and coworkers and that you use to log into websites.
Clear your email
Clear everything else
If you’re like most people, that’s probably 99% of your Yahoo data. You’re not quite done yet, though! Now click through each of the services in the little icons in the top left corner:
They all may have more information stored in them. Each works a little differently but you should be able to figure out how to clean out each one.
Set a vacation reminder
Other email providers make it easy to forward all of your incoming mail to a new account. Yahoo removed that feature recently so you can’t use that convenient approach. Instead, you’ll make a Vacation Response to tell people about your new address.
I may now be reached at me@example.com. Please update your address book. Thanks!
Now anyone writing to you will get a message with your new address, but their email will still land in your Yahoo inbox.
Change your logins
Now go through your web accounts and change all of them where you log in with me@yahoo.com to use your new email address instead. If you use a password manager to keep track of your accounts, this will be easy. Time consuming — thanks, Yahoo! — but easy.
Check back
You’re going to miss a few accounts, and some friends or family will stubbornly insist on sending email to your old address. Set a reminder or mark your calendar to check your Yahoo mail a month from now to see who’s written to you. Update each of those people or accounts, then delete all of your new messages. Check again in another month and then another after that. Eventually this will slow to a trickle and you can forget about your old Yahoo account for many months at a time (or until the next news article about a giant Yahoo hack comes along, and then you can smile to yourself because it doesn’t affect you anymore).
Conclusion
Migrating off Yahoo is a pain in the neck. Google, in contrast, makes it easy to extract all your information and then securely close your account. Yahoo does not. It won’t be quick or painless, but I recommend that you start now.
On Generated Versus Random Passwords
I was reading a story about a hacked password database and saw this comment where the poster wanted to make a little program to generate non-random passwords for every site he visits:
I was thinking of something simpler such as “echo MyPassword69! slashdot.org|md5sum” and then “aaa53a64cbb02f01d79e6aa05f0027ba” using that as my password since many sites will take 32-character long passwords or they will truncate for you. More generalized than PasswordMaker and easier to access but no alpha-num+symbol translation and only (32) 0-9af characters but that should be random enough, or you can do sha1sum instead for a little longer hash string.
I posted a reply but I wanted to repeat it here for the sake of my friends who don’t read Slashdot. If you’ve ever cooked up your own scheme for coming up with passwords or if you’ve used the PasswordMaker system (or ones like it), you need to read this:
DO NOT DO THIS. I don’t mean this disrespectfully, but you don’t know what you’re doing. That’s OK! People not named Bruce generally suck at secure algorithms. Crypto is hard and has unexpected implications until you’re much more knowledgeable on the subject than you (or I) currently are. For example, suppose that hypothetical site helpfully truncates your password to 8 chars. By storing only 8 hex digits, you’ve reduced your password’s keyspace to just 32 bits. If you used an algorithm with base64 encoding instead, you’d get the same complexity in only 5.3 chars.
Despite what you claim, you’re really much better off using a secure storage app that creates truly random passwords for you and stores them in a securely encrypted file. In another post here I mention that I use 1Password, but really any reputable app will get you the same protections. Your algorithm is a “security by obscurity” system; if someone knows your algorithm, gaining your master password gives them full access to every account you have. Contrast with a password locker where you can change your master password before the attacker gets access to the secret store (which they may never be able to do if you’ve kept it secure!), and in the worst case scenario provides you with a list of accounts you need to change.
I haven’t used PasswordMaker but I’d apply the same criticisms to them. If an attacker knows that you use PasswordMaker, they can narrow down the search space based on the very few things you can vary:
My comments about the modifier being part of your password? Basically you’re concatenating those strings together to create a longer password in some manner. There’s not really a difference, and that’s assuming you actually use the modifier.
So, back to our attack scenario where a hacker has your master password, username, and a URL they want to visit: disregarding the prefix and suffix options, they have 6 * 13 * 13 * 28 = 28,392 possible output passwords to test. That should keep them busy for at least a minute or two. And once they’ve guessed your combination, they can probably use the same settings on every other website you visit. Oh, and when you’ve found out that your password is compromised? Hope you remember every website you’ve ever used PasswordMaker on!
Finally, if you’ve ever used the online version of PasswordMaker, even once, then you have to assume that your password is compromised. If their site has ever been compromised — and it’s hosted on a content delivery network with a lot of other websites — the attacker could easily have placed a script on the page to submit everything you type into the password generation form to a server in a distant country. Security demands that you have to assume this has happened.
Seriously, please don’t do this stuff. I’d much rather see you using pwgen to create truly random passwords and then using something like GnuPG to store them all in a strongly-encrypted file.
The summary version is this: use a password manager like 1Password to use a different hard-to-guess password on every website you visit. Don’t use some invented system to come up with passwords on your own because there’s a very poor chance that we mere mortals will get it right.