This is why Yahoo and others have been trying to force people to use OAuth instead of collecting passwords forever. But due to "UX", people often just grab the passwords and forward them to Yahoo to authenticate.
Of the three Yahoo accounts I have, one was compromised. The account that was compromised has only been used with Craigslist and Snapchat. I wonder if this is related to a Snapchat breach?
Not to mention how junky their webmail interface looks. With large image ads plastered all over, I just can't imagine looking at that every time I check my e-mail.
It's called adblock. I can't imagine living without Yahoo's tabbed email interface. Google is creepy enough as it is, the last thing I'm giving them is my email.
What's new? My old Yahoo address that I made when I was 12 has been hacked 3 times, all within the last 4 years. I use complex passwords. I don't have any issues with anything other than Yahoo.
A NOTICEABLE amount of the time I log into my Yahoo account I get an error or my email won't load. Sometimes I try to check my mail on my iPad and half the time my mail won't load.
This story is more than two days old already. What's it doing on the HN front page? (I changed all my more crucial passphrases more than a day ago, just out of an abundance of caution.)
I got a very strange text message purporting to be from Yahoo!. I ignored it, thinking that, at the very least, it was an attempt to grab logins during some DNS poisoning attack.
Yahoo are still huge. I don't know if Gmail's passed them in users yet, but as of a year or so back, on a large (and admittedly old) general corpus, Yahoo was at least 2x larger than the next largest service provider.
Given technical debt and other management issues, they're a somewhat appealing target (lots of payoff, possibly easier to hack than better-managed systems).
Not that other providers haven't been hacked as well.
Could be that the typical Yahoo mail user is less technically savvy than the users of other email providers and more prone to making mistakes which makes it easier for the account to be hacked.
Wow, I had the feeling it must have been in the '90s when I last checked my Yahoo mail account, but this thing has existed since 2004/2007. Time/designs change so fast.
The problem with two-factor is that if the user forgets the device, the options to bypass two-factor can be limited and inconvenient. If I happen to be using a public computer because I need to retrieve something urgently from my email, Google will make it so hard that I can't access it immediately. (https://support.google.com/accounts/answer/185834?hl=en&ref_...)
Passwords seem broken for two reasons:
1. Password requirements vary and are a pain in the ass. Some sites will ask for at least 8 characters, a mix of uppercase and lowercase, one occurrence of a non-alphanumeric character, and a minimum length. Some even go as far as no repeating characters or a maximum password length (8-15 characters).
While the intention is great, it makes passwords so hard to remember and people are less likely
2. Every website runs its own password management. How the heck can I tell whether website X is actually hashing my password, and doing it correctly? I can't.
Persona, a single identity, is probably the way to go. Adding multi-factor auth will be great. But again, I argue that the password by itself is not entirely broken. If the attacker can access the database directly by SSHing into the server, then there is also a possibility that the app server can be compromised, and therefore altering app code is just a fingertip away. This is the highest level of attack and the story is over at this stage.
I personally think the password is not entirely broken. It has value. By itself it may not be as strong as multi-step authentication. Authenticating yourself with key-only, or device-key-only, is the worst thing ever. It's like running an EC2 instance: if I delete the instance's key off my computer, I will cry.
So keeping infrastructure secure is important. Multi-factor authentication on the server side is critical. Keeping the database separate from the app server is critical too.
I probably should have been more explicit in my comment. I think that passwords in theory can be OK. In a perfect world where websites use strong password hashes, and users don't use easily guessed passwords, or share passwords across sites, or fall for phishing and other social engineering hoaxes, they work.
The problem is that never happens. I think at this point we need to admit that human nature being what it is, it will not happen. So we need to move away from passwords being the sole authenticator for online services.
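The two comments above both hinge on what "hashing my password correctly" and "strong password hashes" actually mean. The following is an added example, not code posted by any commenter or used by Yahoo; it contrasts the careless scheme (unsalted, fast hash) with a salted, deliberately slow one. PBKDF2-HMAC-SHA256 from the Python standard library is used here as a representative slow KDF; the iteration count and the `pbkdf2_sha256$iters$salt$hash` storage format are this example's own choices, and the sample passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- What a careless site does (the "before" form): unsalted, fast hash. ---
# Two users with the same password get the same digest, and a leaked table
# can be attacked with precomputed lookups for all users at once.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# --- What a careful site does: per-user random salt + slow KDF. ---
# Work factor is an assumption for this example; raise it as hardware improves.
PBKDF2_ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"  # hypothetical tag used only in this storage format


def strong_hash(password: str,
                salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$dk_hex."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def _parse(stored: str):
    """Split a stored record; return None for anything malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False  # e.g. a legacy unsalted MD5 record never verifies here
    iterations, salt, expected = parsed
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record's work factor is below the current policy.

    Call this after a successful verify() and re-store strong_hash(password)
    so old records are upgraded transparently as users log in.
    """
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    alice, bob = weak_hash("hunter2"), weak_hash("hunter2")
    print("weak hashes identical:", alice == bob)          # True: leaks reuse
    a2, b2 = strong_hash("hunter2"), strong_hash("hunter2")
    print("strong hashes identical:", a2 == b2)            # False: salted
    print("verify correct password:", verify("hunter2", a2))
    print("verify wrong password:", verify("hunter3", a2))
    old = strong_hash("hunter2", iterations=50_000)
    print("old record needs rehash:", needs_rehash(old))
```

The point a practitioner should take from this is that the salt makes the leaked table useless for cross-user or precomputed attacks, the iteration count makes each guess expensive, the constant-time compare avoids leaking digest prefixes via timing, and the self-describing record lets the work factor be raised later without a flag day. Where a real deployment has a choice, a memory-hard KDF (scrypt or Argon2) is preferable to PBKDF2; the structure of the code stays the same.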