Random Thoughts about Passwords

Randall Munroe’s comic about password strength this week is classic xkcd.

It immediately reminded me of 1Password, which I use and love, and Agile Bits, the makers of 1Password, actually posted about the comic as well, breaking down some of the math and cryptography.

About a month ago, all IMAP connections to my Yahoo Mail account, which I use mostly as a dummy account, stopped working. On iOS, I was prompted to log in via the webmail to fix the issue, and upon doing so, I got a scary message that my account had probably been compromised.

Seems odd, given that I use 1Password for strong credentials, but it was one of those uh-oh internet moments.

After changing my password immediately, I spent the better part of an hour trying to locate a way to reach Yahoo customer support to get a debrief of why they thought someone had hacked my account. I finally found a form to submit, and right away, I got a form reply, listing common ways accounts are compromised, e.g. getting phished, using the same password, letting third parties use your account, forgetting to sign out at a public location, having a keylogger on your system.

Great, except I’m not a n00b and don’t do any of those things, and if I had a keylogger snooping, it couldn’t have pulled my Yahoo password, since I never actually type it. 1Password handles the form filling. I suppose a keylogger could have used my master password to get a dump of all my accounts, but I think I would have noticed other accounts acting strangely.

I replied to Yahoo thanking them for the form letter and asking again that they share the evidence that suggested my account was compromised.

Finally, yesterday, I got a response: another form letter pointing to help links and apologizing for the delay in replying.

Thanks for nothing.

I’m guessing something happened with Yahoo’s IMAP servers that suggested my account was hacked, or maybe they had a leak somewhere and lost a bunch of account data.

Either way, the end result proves how very far Yahoo has fallen. I think they’re an interesting example of what happens to an internet company when the bell curve users arrive.

Anyway, no real thread here other than passwords. Account security and management is an area ripe for innovation. As much as I love 1Password, I wouldn’t put my wife on it; it’s too much hassle, especially on mobile. They do a great job, but the mobile solution is a bit too complicated for the average user.

Thoughts on passwords?

Find the comments.

About Jake

a.k.a.: jkuramot

6 comments

  1. One item that can cause these false positives is rapid connections from apparently different geographic locations. If you login from a hotel in Mexico and an hour later from an IP in Redmond it can flag a warning. VPN is a valid reason for those things to crop up.
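The “rapid connections from different geographic locations” check the comment describes is usually called an impossible-travel heuristic. Here is an added illustration of it (not code from the post, Yahoo, or 1Password): it geolocates consecutive logins, computes the implied travel speed, and flags anything faster than an airliner, while skipping known VPN egress addresses so they do not produce the false positives the commenter mentions. The coordinates, timestamps, IP addresses and the 900 km/h threshold are all constructed for the example.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed cutoff: roughly airliner cruising speed


@dataclass(frozen=True)
class Login:
    ts_hours: float  # login time in hours on a constructed timeline
    lat: float       # geolocated latitude of the source IP
    lon: float       # geolocated longitude of the source IP
    ip: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def flag_impossible_travel(logins, vpn_ips=frozenset()):
    """Return (previous, current, km/h) for each consecutive pair whose
    implied speed exceeds MAX_PLAUSIBLE_KMH. Pairs touching a known VPN
    egress IP are skipped: their geolocation says nothing about the user."""
    flagged = []
    ordered = sorted(logins, key=lambda l: l.ts_hours)
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.ip in vpn_ips or cur.ip in vpn_ips:
            continue
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        dt = cur.ts_hours - prev.ts_hours
        # Same timestamp but different place is still impossible travel.
        kmh = dist / dt if dt > 0 else (float("inf") if dist > 0 else 0.0)
        if kmh > MAX_PLAUSIBLE_KMH:
            flagged.append((prev, cur, kmh))
    return flagged


# Constructed sample: a hotel in Cancún, then Redmond an hour later,
# then Seattle an hour after that. IPs are documentation ranges.
SAMPLE_LOGINS = [
    Login(0.0, 21.16, -86.85, "198.51.100.10"),
    Login(1.0, 47.67, -122.12, "203.0.113.5"),
    Login(2.0, 47.61, -122.33, "203.0.113.5"),
]
KNOWN_VPN_EGRESS = frozenset({"203.0.113.5"})
```

Run `flag_impossible_travel(SAMPLE_LOGINS)` to see the Cancún→Redmond hop flagged; passing `vpn_ips=KNOWN_VPN_EGRESS` suppresses it, which is exactly the VPN caveat from the comment.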

  2. I’ve had issues like this with Yahoo since the early or mid ’90s (I can no longer remember, but I might just have some emails…). Originally, I assumed it was just some VMS password expiration thing, but since it’s happened to me every few years since then I decided they are simply incompetent admins. Since it usually wasn’t something I particularly cared about, I would try the password recovery, which never, ever worked, complain to whatever support I could find, which never, ever worked, and find that a few days or weeks (or years, in the case of my sdoug newsletter login) later it would mysteriously start working again, unchanged.

    When flickr merged in and I had to go through it all again, that was different, I paid for that. But the end result was the same. I still get asked to merge accounts, as recently as two days ago. As Rocky always said, That Trick Never Works.

    Thanks for the math breakdown link, I think my kid is ready for it. He was top score in his honors Math Analysis last year, the only freshman in a class of juniors and seniors, and is about to start statistics (I forget if it is honors or AP, school system has dumb rules about who can take AP exams). And that xkcd is just excellent.

  3. Sure, but I still don’t know anything other than that Yahoo thinks my account was hacked. They haven’t bothered to provide any information, false positive or otherwise. Fail.

  4. Yahoo lost its way early and has never recovered. I don’t particularly care about my Yahoo account, but it’s mildly distressing and very annoying that their security support is made up of form letters.
