Randall Munroe’s comic about password strength this week is classic xkcd.
It immediately reminded me of 1Password, which I use and love, and AgileBits, the makers of 1Password, actually posted about the comic as well, breaking down some of the math and cryptography.
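To make the comic’s argument concrete, here is a small added example (not from the post, the comic, or AgileBits) that works the entropy arithmetic both ways: a passphrase built from N words chosen uniformly from a list of size W carries N·log2(W) bits, while a “clever” single word with substitutions carries only the bits of the choices an attacker has to guess, not the bits of its raw characters. The per-component figures for the substitution pattern and the 1000-guesses-per-second attacker are assumptions taken from the comic’s own estimate; the five-word list is constructed for the demo, so the real list size is passed in separately.

```python
import math
import secrets

# Constructed sample list for the demo only. Real lists are far larger:
# a Diceware list has 7776 entries, and the comic assumes ~2048 common words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "harbor"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed breakdown of the "uncommon word + tricks" scheme, in the style of the
# comic's estimate: each entry is how many bits the attacker must guess for that
# choice, not how many characters it adds.
SUBSTITUTION_PATTERN_BITS = {
    "base_word_from_dictionary": 16.0,   # one of ~65k uncommon words
    "capitalise_first_letter": 1.0,      # yes/no
    "common_substitutions": 3.0,         # 0->o, a->4, etc.
    "appended_numeral": 3.0,             # ~8 likely choices
    "appended_punctuation": 4.0,         # ~16 likely choices
    "numeral_punctuation_order": 1.0,    # which comes first
}


def passphrase_entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of num_words drawn uniformly (with replacement) from list_size."""
    if num_words < 1 or list_size < 2:
        raise ValueError("need at least one word and a list of at least two")
    return num_words * math.log2(list_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a truly random string; only valid if every char is uniform."""
    if length < 1 or charset_size < 2:
        raise ValueError("need at least one char and a charset of at least two")
    return length * math.log2(charset_size)


def pattern_entropy_bits(components: dict) -> float:
    """Entropy of a human-style password is the sum over the independent choices
    the attacker must guess; a dictionary word contributes its index, not its letters."""
    return float(sum(components.values()))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(wordlist, num_words: int, separator: str = " ") -> str:
    """Pick words with the OS CSPRNG; never use random.choice for this."""
    if len(wordlist) < 2 or num_words < 1:
        raise ValueError("wordlist too small or num_words < 1")
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    online_rate = 1000.0  # assumed: throttled web-login guessing, as in the comic
    four_words = passphrase_entropy_bits(4, 2048)
    tricks = pattern_entropy_bits(SUBSTITUTION_PATTERN_BITS)
    print(f"4 words from 2048:   {four_words:5.1f} bits, "
          f"{years_to_exhaust(four_words, online_rate):9.1f} years at {online_rate:.0f}/s")
    print(f"word + substitutions:{tricks:5.1f} bits, "
          f"{years_to_exhaust(tricks, online_rate) * 365.25:9.1f} days at {online_rate:.0f}/s")
    print(f"11 random printable: {charset_entropy_bits(11, 95):5.1f} bits (what 'Tr0ub4dor&3' "
          f"would be worth if it were actually random)")
    print("sample passphrase (demo list, do not use):",
          generate_passphrase(SAMPLE_WORDS, 4))
```

The point the numbers make: eleven characters drawn from a keyboard would be worth about 72 bits, but a password built by decorating a dictionary word is worth only the sum of the decisions behind it, so the attacker who models the pattern (and they do) faces 28 bits, which falls in days at a throttled online rate, while four plain words from a modest list hold up for centuries at the same rate. Offline cracking against a leaked hash database runs orders of magnitude faster, so the rate parameter is the thing to change before trusting either figure.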
About a month ago, all IMAP connections to my Yahoo Mail account, which I use mostly as a dummy account, stopped working. On iOS, I was prompted to log in via the web mail to fix the issue, and upon doing so, I got a scary message that my account had probably been compromised.
Seems odd, given that I use 1Password for strong credentials, but it was one of those uh-oh internet moments.
After changing my password immediately, I spent the better part of an hour trying to locate a way to reach Yahoo customer support to get a debrief of why they thought someone had hacked my account. I finally found a form to submit, and right away, I got a form reply, listing common ways accounts are compromised, e.g. getting phished, using the same password, letting third parties use your account, forgetting to sign out at a public location, having a keylogger on your system.
Great, except I’m not a n00b and don’t do any of those things, and if I had a keylogger snooping, it couldn’t have pulled my Yahoo password, since I never actually type it. 1Password handles the form filling. I suppose a keylogger could have used my master password to get a dump of all my accounts, but I think I would have noticed other accounts acting strangely.
I replied to Yahoo thanking them for the form letter and asking again that they share the evidence that suggested my account was compromised.
Finally, yesterday, I got a response, another form letter pointing to help links and apologizing for the delay in replying.
Thanks for nothing.
I’m guessing something happened with Yahoo’s IMAP servers that suggested my account was hacked, or maybe they had a leak somewhere and lost a bunch of account data.
Either way, the end result proves how very far Yahoo has fallen. I think they’re an interesting example of what happens to an internet company when the bell curve users arrive.
Anyway, no real thread here other than passwords. Account security and management is an area ripe for innovation. As much as I love 1Password, I wouldn’t put my wife on it; too much hassle, especially on mobile. They do a great job, but the mobile solution is a bit too complicated for the average user.
Thoughts on passwords?
Find the comments.