Yahoo Wants To Kill Passwords With Revamped Mail App

HardOCP News

[H] News
Yahoo wants to kill passwords? That should be easy, Yahoo kills almost everything it touches. :D All joking aside, how is this approach to "killing passwords" safe if someone steals your phone?

One of the features enables people to log in to their email accounts without a password. You go to mail.yahoo.com, enter your user name and press "continue." That's where everything changes. Instead of entering an annoyingly complex or easy-to-crack password, the company sends an alert to your smartphone and asks if you'd like to sign in. Hit "yes," and presto.
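To make the quoted flow concrete, here is an added model of the server side (written for this thread, not Yahoo's implementation; the request TTL, the single-use request id and the binding to the enrolled phone are all assumptions about how such a scheme would sensibly be built). It also plays out the case the thread keeps coming back to: a prompt the user never asked for, approved anyway.

```python
import secrets
import time

# Assumed policy value for this example; the article gives no numbers.
REQUEST_TTL_SECONDS = 60


class PushApprovalLogin:
    """Server side of a 'type username, approve on phone' login.

    Hypothetical model of the flow in the article, not Yahoo's code. Each login
    attempt gets a random one-time request id bound to the browser session that
    started it; the enrolled phone may approve that id once, before it expires.
    """

    def __init__(self, enrolled_phones):
        self.enrolled = dict(enrolled_phones)   # username -> phone id
        self.pending = {}                       # request id -> (username, browser session, created at)
        self.pushes = []                        # (phone id, request id, username): what the phone would show
        self.sessions = {}                      # browser session -> username once approved

    def start_login(self, username, browser_session, now=None):
        """Step 1: browser submits a username; server pushes a request to the phone."""
        now = time.time() if now is None else now
        phone = self.enrolled.get(username)
        if phone is None:
            return None
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = (username, browser_session, now)
        self.pushes.append((phone, request_id, username))
        return request_id

    def approve(self, phone_id, request_id, now=None):
        """Step 2: phone taps 'yes'. True only for a fresh, unused request from the enrolled phone."""
        now = time.time() if now is None else now
        entry = self.pending.pop(request_id, None)   # single use: removed whether or not it validates
        if entry is None:
            return False
        username, browser_session, created = entry
        if now - created > REQUEST_TTL_SECONDS:
            return False
        if self.enrolled.get(username) != phone_id:
            return False
        self.sessions[browser_session] = username
        return True


def demo():
    """Exercise the flow, including a request the user did not initiate."""
    server = PushApprovalLogin({"alice": "phone-alice"})

    # Legitimate: Alice's own browser starts it, her phone approves it.
    rid = server.start_login("alice", "browser-alice", now=1000.0)
    legit = server.approve("phone-alice", rid, now=1005.0)

    # Replay: the same request id cannot be approved a second time.
    replay = server.approve("phone-alice", rid, now=1006.0)

    # Stale: an approval after the TTL is rejected.
    rid_old = server.start_login("alice", "browser-alice-2", now=2000.0)
    stale = server.approve("phone-alice", rid_old, now=2000.0 + REQUEST_TTL_SECONDS + 1)

    # Wrong device: knowing a request id is not enough without the enrolled phone.
    rid_x = server.start_login("alice", "browser-alice-3", now=2500.0)
    wrong_phone = server.approve("phone-mallory", rid_x, now=2501.0)

    # Blind approval: an attacker types Alice's username from their own browser.
    # Alice's phone gets a prompt she never asked for; if she taps 'yes' anyway,
    # it is the attacker's browser session that becomes logged in.
    rid_evil = server.start_login("alice", "browser-attacker", now=3000.0)
    server.approve("phone-alice", rid_evil, now=3001.0)

    return {
        "legit": legit,
        "replay": replay,
        "stale": stale,
        "wrong_phone": wrong_phone,
        "attacker_session_user": server.sessions.get("browser-attacker"),
    }


if __name__ == "__main__":
    print(demo())
```

The server can enforce freshness, single use and device binding, but nothing on the server side can tell whether the person holding the phone actually started the login. That last case is why the prompt has to show where the request came from (browser, rough location) and why users have to treat an unexpected prompt as an attack and decline it.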
 

Babbster

[H]ard|Gawd
All joking aside, how is this approach to "killing passwords" safe if someone steals your phone?
Maybe, maybe not. Me, I don't think it makes much of a difference. Someone who steals the phone should have to crack the lockscreen code, have reason to get into the owner's e-mail, and get the username - all before the owner disables the phone (I'd be on Google to disable my Nexus in minutes if someone swiped my phone) and/or contacts their cell phone provider.

Now, I'd rather lose at mumblety-peg than use Yahoo, but identity verification via phone is probably as secure as anything. More than one of my online accounts uses my phone number as a backup to reset my password, and my e-mail is already accessible if the lockscreen can be [by]passed, so this feature certainly wouldn't make me any less secure.
 

cyclone3d

[H]F Junkie
"Annoyingly complex" password?

Use an easy-to-remember "phrase". It has been proven time and time again that stupidly complex passwords are no more secure than a regular password.

Google and other companies already support dual authentication.

Why not just set it up so you have to approve every different computer you want to use for your account like Google does?

And what if the person doesn't have a smart phone? What then?
 

mynamehere

[H]ard|Gawd
Yahoo wants to kill passwords? That should be easy, Yahoo kills almost everything it touches. :D All joking aside, how is this approach to "killing passwords" safe if someone steals your phone?

One of the features enables people to log in to their email accounts without a password. You go to mail.yahoo.com, enter your user name and press "continue." That's where everything changes. Instead of entering an annoyingly complex or easy-to-crack password, the company sends an alert to your smartphone and asks if you'd like to sign in. Hit "yes," and presto.
And if you don't have a smartphone? Guess they never thought about that.
I'm really tired of all these companies assuming that everyone has a smartphone and broadband.
 

pavementeater

Limp Gawd
They are layering Yahoo accounts with the lazy-boy login setup... click here to send a request to your phone so you can then click yes on your MMS text to let you log into your Yahoo mail/account.
So now your family and friends who are gullible and/or too lazy to really double-check where and what is sending them MMS texts will be open to having their phone hacked... I can see this winding up as a big huge social engineering pie...
Next up on tonight's news ****
Yahoo was hacked and had all their users' phone data taken.
Trish: Our viewers should feel safe and not worry over it; it was only users' phone numbers.
Chuck: Gee Trish, thank goodness it wasn't their personal stuff like SNs.
Bob: Yeah Chuck, you're right. Oh wait, I just got a text from my Yahoo account, let me click OK on its request...
An hour later
Bob: Hello, this is Bob. / Hi Bob, this is Sal from Chase Bank. We just had 200 transactions on your CC; it seems you've maxed out all your cards. There are still 3 other transactions that we will not be able to process. Would you like us to increase your CC limit?

Too lazy to proofread :p
 

Babbster

[H]ard|Gawd
And if you don't have a smartphone? Guess they never thought about that.
I'm really tired of all these companies assuming that everyone has a smartphone and broadband.
Who said they're making that assumption? Should those with smartphones not have options because others don't have them?

Reading the article helps, too.
If people lose their phones or their battery dies, they can still log in using traditional passwords or through email.
 

Merc1138

2[H]4U
Use a easy to remember "phrase" It has been proven time and time again that stupidly complex passwords are no more secure than a regular password.

Yeah, I'll just use passphrases (I agree, they're a great idea) for things that have password character limits of 12 or less (one place I do business with has a password maximum character limit of 8, wtf).
 

cyclone3d

[H]F Junkie
Yeah, I'll just use passphrases (I agree, they're a great idea) for things that have password character limits of 12 or less (one place I do business with has a password maximum character limit of 8, wtf).

So you can still use something that is easy to remember.

You can even abbreviate words.
 

scojer

[H]F Junkie
So now not only will you get spam mail, but you'll get 10x more telemarketer calls.
 

pavementeater

Limp Gawd
Yeah, I'll just use passphrases (I agree, they're a great idea) for things that have password character limits of 12 or less (one place I do business with has a password maximum character limit of 8, wtf).
Length or complexity of a password is pretty much moot... if it's a password or any type of login system it can be circumvented and unlocked... There are too many sites and systems that allow several failed login attempts... to me, sites/systems should lock out an account after the 2nd or 3rd failed attempt.
I do give credit to the websites that use layered access or other login checks like a local cookie check, IP check, etc.
 

Merc1138

2[H]4U
So you can still use something that is easy to remember.

You can even abbreviate words.

Abbreviating words isn't the point, you're still just making a short password. If you still don't understand why a long password with simple character selection is better than some idiotic max length of 16, 12, or even 8 characters, read this: http://xkcd.com/936/

The issue of brute forcing passwords that pavementeater brought up is also something that needs to be corrected (why are there so many services that don't lock out after failed attempts? At least do it temporarily or require a password reset), but with much longer passphrases it would be slightly less of a concern (assuming people didn't all just pick the same stupid passphrase, but that's a separate matter).
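Since pavementeater asked for lockout after the second or third failure and Merc1138 asked for at least a temporary one, here is an added example of the temporary variant: a per-account lockout that doubles each time and is capped, plus a count of how many guesses a one-per-second online attacker actually gets through a day of it. This is example code written for the thread, not any site's implementation; the three policy numbers are assumptions, and the plaintext password store exists only to keep the demo short.

```python
import math
from dataclasses import dataclass

# Assumed policy numbers for this example; neither poster gives any.
FREE_ATTEMPTS = 3          # failures tolerated before the first temporary lockout
BASE_LOCK_SECONDS = 30     # first lockout; doubles on each further failure
MAX_LOCK_SECONDS = 3600    # cap so the lockout never grows past an hour


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account temporary lockout with exponential backoff.

    Added example, not a real service's code. Passwords are held in plaintext
    here purely to keep the demo short; a real service compares against a
    slow password hash.
    """

    def __init__(self, credentials):
        self.credentials = dict(credentials)   # username -> password
        self.state = {}                        # username -> AccountState

    def attempt(self, username, password, now):
        st = self.state.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"                    # not evaluated at all, right or wrong
        if self.credentials.get(username) == password:
            st.failures = 0                    # success clears the counter
            return "ok"
        st.failures += 1
        if st.failures >= FREE_ATTEMPTS:
            lockouts_so_far = st.failures - FREE_ATTEMPTS + 1
            lock = BASE_LOCK_SECONDS * 2 ** (lockouts_so_far - 1)
            st.locked_until = now + min(lock, MAX_LOCK_SECONDS)
        return "bad_password"


def evaluated_guesses(throttle, username, duration_seconds):
    """Online attacker trying one guess per second: how many guesses actually
    get checked against the password inside the window."""
    count = 0
    for t in range(duration_seconds):
        if throttle.attempt(username, f"guess-{t}", now=float(t)) == "bad_password":
            count += 1
    return count


def guesses_to_search_half(bits):
    """Expected guesses to cover half of a space of the given size in bits."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    throttle = LoginThrottle({"alice": "correct horse battery staple"})
    per_day = evaluated_guesses(throttle, "alice", 86400)
    print(f"throttled: {per_day} evaluated guesses/day instead of 86400")
    # Online, even 8 lowercase letters (~37.6 bits) is out of reach at that rate.
    days = guesses_to_search_half(8 * math.log2(26)) / per_day
    print(f"~{days:.3g} days to search half of 26^8 at {per_day} guesses/day")
```

With these numbers the attacker gets 32 evaluated guesses in 24 hours instead of 86,400, which is why online guessing and offline hash cracking are different problems. The cost is in the test below: while the account is locked, the real owner's correct password is refused too, so anyone who knows your username can lock you out on demand. That is the argument for pairing per-account lockout with per-source throttling or the cookie/IP checks pavementeater mentions, rather than relying on lockout alone.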
 

sfsuphysics

[H]F Junkie
I was going to say Yahoo fucking wants my cell number every god damn time I sign into Yahoo mail (once every month or two) and I'm like, um fuck that...
 

nilepez

[H]F Junkie
And if you don't have a smartphone? Guess they never thought about that.
I'm really tired of all these companies assuming that everyone has a smartphone and broadband.

It sounds like it's a text message that you reply to. If so, then you can do that on your dumb phone too, but you'd better lock it.
 

ZeqOBpf6

Gawd
Abbreviating words isn't the point, you're still just making a short password. If you still don't understand why a long password with simple character selection is better than some idiotic max length of 16, 12, or even 8 characters, read this: http://xkcd.com/936/

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

Last year, Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break as many as possible. The winner got 90% of them, the loser 62% -- in a few hours. It's the same sort of thing we saw in 2012, 2007, and earlier. If there's any new news, it's that this kind of thing is getting easier faster than people think.
 

Merc1138

2[H]4U
Well yeah, when you have the hashes it's a different story. You're not going to brute force a 40 character password anywhere near that fast even if the system doesn't lock you out.
 

pavementeater

Limp Gawd
Well yeah, when you have the hashes it's a different story. You're not going to brute force a 40 character password anywhere near that fast even if the system doesn't lock you out.
The 40-character password tends to fall on lazy, deaf ears. I've gotten to the point with my users of just telling them to become simpleminded and backwards with their passwords... if you have to use names and dates of someone close, or familiar PINs with a password, just do them written backwards and nonconsecutive: billy bubba joe = yllibeojabbub. If they have to do a 123, at least use a number in order with prime numbers or some of the more common prime number mixes, 2937 5927, bla bla bla.
 

Spidey329

[H]F Junkie
Yeah, I'll just use passphrases (I agree, they're a great idea) for things that have password character limits of 12 or less (one place I do business with has a password maximum character limit of 8, wtf).

It's OK, I think the DMV for Nevada (or another government system, I can't recall) not only prevented characters, they had strict requirements for length. It had to be 8 long, no shorter or longer.

There's some really stupid password policies out in the wild.
 

GaryJohnson

[H]ard|Gawd
Well yeah, when you have the hashes it's a different story. You're not going to brute force a 40 character password anywhere near that fast even if the system doesn't lock you out.

It depends on how you came up with the 40 characters. XKCD's passphrase thing is dependent on the number of words and how uncommon they are.

Here's a common word list:
https://github.com/first20hours/google-10000-english/blob/master/20k.txt

You get a number of bits of entropy for each word equal to the log base 2 of how high it is in that word list (rounded up). correcthorsebatterystaple, for example, is 11+11+11+14 = 47 bits.

Which, by the way, is not nearly enough bits. XKCD uses 1000 guesses per second as a metric and there are high-end multi-gpu desktops out there now that can do 250 billion guesses per second. 47 bits would take ~10 mins to bruteforce on one. If you picked something around 80+ bits to be safe, then you'd need 12+ truly random characters from your keyboard or a passphrase with ~8 random ~11-bit entropy words.

correcthorsebatterystaple isn't all that random either. As the picture in the comic shows, "correct" kind of modifies "horse" (the horse is correct) and "battery" kind of modifies "staple" (it's a battery staple). It's easier to remember because of those relationships. Those relationships could make it easier for an algorithm to guess.
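GaryJohnson's arithmetic, carried through as an added example (written for this thread, not code from the post or from the xkcd comic). The word ranks in `WORD_RANK` are constructed so that the four words fall into the 11/11/11/14-bit buckets the post quotes; they are not the real line positions from the linked 20k.txt. The two guess rates are the ones the post cites. The block also shows what a per-character strength meter would report for the same string, which is the number people wrongly trust.

```python
import math

# Guess rates from the post: xkcd's 1000/s, and ~250 billion/s on a multi-GPU rig
# that has the password hashes in hand.
GUESS_RATES = {"xkcd_online": 1_000, "multi_gpu_offline": 250_000_000_000}

# Constructed, illustrative positions in a frequency-sorted word list. NOT the
# real line numbers from 20k.txt; chosen so the four words land in the
# 11/11/11/14-bit buckets quoted in the post.
WORD_RANK = {
    "the": 1, "of": 2, "and": 3,
    "correct": 1500, "horse": 1200, "battery": 1800, "staple": 9000,
}


def word_bits(word, ranks=WORD_RANK):
    """Bits for one word = ceil(log2(rank)): an attacker walking the list in
    order needs at most 'rank' guesses to hit it."""
    return math.ceil(math.log2(ranks[word]))


def passphrase_bits(words, ranks=WORD_RANK):
    """Words chosen independently: the bits add up."""
    return sum(word_bits(w, ranks) for w in words)


def random_chars_bits(length, alphabet_size):
    """Bits for 'length' characters drawn uniformly from 'alphabet_size' symbols."""
    return length * math.log2(alphabet_size)


def naive_char_bits(password, alphabet_size=26):
    """What a per-character meter reports for the same string; it ignores that
    the string is built from dictionary words and overstates the strength."""
    return len(password) * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst case: try the entire space at the given rate."""
    return 2 ** bits / guesses_per_second


def words_needed(target_bits, bits_per_word=11):
    """How many random ~11-bit words reach the target."""
    return math.ceil(target_bits / bits_per_word)


def chars_needed(target_bits, alphabet_size=95):
    """How many uniformly random printable-ASCII characters reach the target."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    phrase = ["correct", "horse", "battery", "staple"]
    joined = "".join(phrase)
    bits = passphrase_bits(phrase)
    print(f"{joined}: {bits} bits by word rank, "
          f"{naive_char_bits(joined):.1f} bits if you just count letters")
    for name, rate in GUESS_RATES.items():
        print(f"  {name}: {seconds_to_exhaust(bits, rate) / 60:.1f} minutes to exhaust")
    print(f"80 bits needs {words_needed(80)} random ~11-bit words "
          f"or {chars_needed(80)} random printable-ASCII characters")
```

The rank-based estimate is the one that matters, because a cracker with the hashes tries word lists and combinations of them before it ever tries 25 random lowercase letters; the ~117-bit per-character figure for the same string is what a naive meter shows and is the wrong number to plan around. The post's caveat still applies on top of this: the estimate assumes the words were picked independently, and a phrase whose words relate to each other gives up some of those bits.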
 