Friday, 23 September 2016

Yahoo got hacked

And 500 million account details were stolen. It's the biggest heist ever.

Yahoo are blaming it on state-sponsored hacking from an unnamed foreign country. I don't really see how they can know that. They can maybe see where the hack originated, but to leap from that to "state-sponsored" is a reach. But it sounds so much better than "Some kid in his bedroom in Bulgaria", so they went with state-sponsored.


Yes, I have an email account on Yahoo. So I went there to change the password. What I'd really like to do is delete the account, but there's no way to do that, because Yahoo (and similar companies) like to boast about how many users they have.

So I deleted the phone number I'd given (although my phone number isn't a secret anyway) and I deleted the "security questions".

Actually, I don't care even if that account did get hacked. There's nothing that says it's me, I don't think I've *ever* used it, and the password was not something I've used elsewhere.

Which brings me to a couple of points.

1) I hope you see now, why it's a very bad idea to use the same password in more than one place. If you had a yahoo account, and used the same password there as elsewhere, your password elsewhere is compromised also.

2) Yahoo have a couple of "security questions". That's so they can verify your identity in case you forget your password, which must happen a lot. But if you think about it, those security questions amount to an alternative password.

So if a bad person knows either your Yahoo passord, *or* your mother's maiden name, they can access your account. So it follows that your mother's maiden name (or whatever other alternative they use) should not be the same on different places. On your bank site, for example, your mother's maiden name might be "Kennelworthy", on Paypal it might be "Horseposture" and on Yahoo it might be "Youvebeenhacked".  You can have a lot of fun making up mother's maiden names!

But how do you remember all these different passwords and all these different mother's maiden names? The answer is obvous, and I've been telling people this for 30 years. Write them down.

Yes, I know that this isn't 100% secure, but it's a lot more secure than using the same password, or mother's maiden name, at multiple places.

And you can make it more secure. What I do, is as well as letters, I have a few numbers. And I also have a "magic number", which I don't write down. I subtract the magic number from the numbers in the password, and write that down. So if someone steals my list of passwords, they'll be disappointed when they try them.

You can do something similar; some straightforward modification to what you write down, which you can mentally reverse when you use it.

Because Yahoo is the biggest so far, but won't be the last.

No comments:

Post a Comment