“123456, password, welcome” – Yahoo Password Posted Online July 12, 2012Posted by Chris Mark in News, PCI DSS, Risk & Risk Management.
Tags: data breach, encryption, hash, InfoSec, markconsultinggroup.com, password, risk, security, yahoo
A story today on MSNBC says that Yahoo Voices was compromised and 450,000 usernames/password posted online. Not surprisingly, the passwords were not hashed or otherwise protected using encryption. While the posting of passwords is nothing new what is interesting is what the researchers found when looking at user generated passwords. The most common passwords were ‘123456’ followed by ‘password’ and ‘welcome’. Fully 1/3 of the passwords used lower case letters only. Here is where I get on my soapbox. According to the story:
“Yahoo! Voices’ administrators made a big mistake storing the passwords in plaintext, but all users need to bolster their own security as well. Make passwords harder to guess by making them more than eight characters long, and pepper them with upper-case letters, numbers and punctuation marks.”
First, strong passwords would not have helped because YAHOO WAS STORING THEM IN CLEARTEXT!..and they were stolen! Second, the company should enforce strong passwords. While all users should use strong passwords, when dealing with 450K users it is prudent to understand that either some users aht a will not understand what a strong password is or will simply ignore the directions. Yahoo should have forced strong passwords…