Well, the title in this article says it all and if you’re like me you probably still can’t believe it.
The error that led to the breach of nearly half a million user passwords from Yahoo was so basic that the security expert who first spotted it didn't believe it. "When I first looked at it, I thought it was fake because there's no way Yahoo would store 450,000 passwords in the clear."
That being said, I'll remind everyone that Google had a similar faux-pas in 2008. For a quick refresher on that incident check out my blog entry from then: http://jacksonshaw.blogspot.com/2008/09/google-age-and-single-sign-on.html. And, as quoted then:
As an industry we shouldn’t be making the kinds of mistakes we made 15 or 20 years ago.
Well, it seems we're still making those kinds of mistakes. What Yahoo allowed to happen is not only unbelievable but unconscionable. There's a good article on creating strong passwords, but does having a strong password really matter if the password is stored in clear text on a back-end server somewhere? A leaked clear-text table hands the attacker every password at once, strong or weak; only when the server stores a salted, slow hash does password strength decide whether a leak is survivable. If some of this doesn't push us to better use and better integrate two-factor authentication into our lives, I am not sure what will.
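To make the point concrete, here is an added example in Python (my own illustration, not code from Yahoo or from the articles linked above). It stores the same password two ways, clear text and a salted PBKDF2-SHA256 hash, and then plays the attacker who has just obtained the dumped rows. The record layout, the iteration count and the four-entry wordlist are all constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a modest work factor so the demo runs quickly; in production tune
# the iteration count (or use scrypt/argon2) so one verification costs ~100 ms.
PBKDF2_ITERATIONS = 100_000

# Constructed wordlist standing in for the guesses an attacker tries first.
WORDLIST = ["123456", "password", "qwerty", "letmein"]


def store_plaintext(password: str) -> dict:
    """The failure mode in the post: the secret itself sits in the row."""
    return {"scheme": "plain", "secret": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted, deliberately slow hash. The row holds nothing that gives the
    password away, and a per-user salt means two users with the same password
    get different digests, so one cracked row does not unlock the others."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "scheme": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "digest": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Login-time check for either storage scheme (constant-time compare)."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["secret"], candidate)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def what_a_leak_reveals(record: dict) -> Optional[str]:
    """The attacker simply reads the dumped row. Clear text: game over.
    Hashed: nothing usable without further work."""
    return record["secret"] if record["scheme"] == "plain" else None


def crack_with_wordlist(record: dict, wordlist) -> Optional[str]:
    """The attacker's only option against a hashed row: guess and re-hash.
    Each guess costs the full work factor, and a password outside the
    wordlist is never found. This is where password strength finally matters."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


if __name__ == "__main__":
    strong = "Tr0ub4dor&3-correct-horse"
    for rec in (store_plaintext(strong), store_hashed(strong)):
        print(rec["scheme"], "leak reveals:", what_a_leak_reveals(rec),
              "| wordlist cracks:", crack_with_wordlist(rec, WORDLIST))
    weak = store_hashed("password")
    print("weak password, hashed, cracked as:", crack_with_wordlist(weak, WORDLIST))
```

The takeaway is the last two lines of output: with clear-text storage the strength of the password never even comes into play, while with hashed storage a weak password still falls to a short wordlist and a strong one does not.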
In the meantime, I’ll go and change my Yahoo password…