Yahoo Breach Highlights Password Reuse Threat - Security - News & Reviews - eWeek.com | eWeek

Yahoo Breach Highlights Password Reuse Threat

Verfasst von
eweekdev
eweekdev
Jul 13, 2012
3 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

By: Robert Lemos

The leak of nearly half a million passwords from Yahoo Voices underscores that many online providers have a ways to go before they can properly secure their users. The breach also highlighted the fact that many people continue to put their information in danger by using the same password on multiple accounts, according to an analysis of the leaked file published July 12.

By finding account holders with the same email address, security professional Troy Hunt matched users listed in the recently leaked Yahoo Voices password file and a similar file leaked last year in the attack on Sony’s online properties. The technique matched 302 users in the two files, of which 59 percent used the same password on both sites.

“Password reuse remains rampant even after the same password had already been breached elsewhere a year earlier,” said Hunt. The analysis “demonstrates a high prevalence of reuse across entirely autonomous systems.”

Hunt has made a habit of analyzing password files to shed light on the underlying choices users are making with their passwords. By comparing the password file leaked in the Sony breach to another file leaked in the 2010 breach of online media site Gawker, Hunt found 88 accounts in common, two-thirds of which used the same password.

In the past, security professionals have urged people to use strong passwords with at least eight characters, no common dictionary words and using the full character set including uppercase letters, numbers and special characters. Yet such passwords are difficult to remember, leading users-if they followed the rules at all-to recycle passwords across accounts.

With people increasingly using online accounts to store data, security experts have focused on getting users to assign unique passwords to every account.

For companies, it’s a difficult problem. They cannot police their employees’ password use outside the corporate firewall, so businesses need to make sure that their workers follow the rules necessary to allow secure access. To protect important corporate resources, businesses should require a second factor of authentication, such as a one-time password generated by a keyfob or a smart card.

Equally important is to ensure that the rules are followed across the company, says Bryan Sartin, director of the RISK Intelligence group at Verizon. Nearly half of all breaches involved guessing passwords or taking advantage of default credentials, and about a third involved stolen log-in credentials, according to the 2012 Verizon Data Breach Investigations Report. Many times, a weak account or set of accounts is targeted by the attacker, said Sartin.

“We see situations where you have a remote-access breach and 99.9 percent [of the workforce] are required to use two-factor authentication, but there is just one select group of accounts-some of which are in it by accident, others are special administrative accounts or special executives-and they have things like one-character passwords,” said Sartin. “Guess which accounts are the point of access in a data breach?”

Strong passwords are needed, as well, because breached online services tend to scramble users passwords, if not always correctly. LinkedIn, for example, used a hash function to secure its password file, which was stolen and published to the Internet in June. Yet the company did not use a technique, known as salting, to further randomize-and thus, secure-the resulting file.

“LinkedIn taught us that strength is important, while Yahoo teaches us that uniqueness is important,” said Hunt.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.