Question: Should I change my Yahoo password?
Answer: You probably don't need to on account of last week's password breach. But this incident - following earlier security failures at LinkedIn and eHarmony- should be all the motivation you need to give your passwords a check-up.
The breach did not involve Yahoo's core consumer operations, such as its eponymous Web-mail service or its Flickr photo-sharing site. Instead, it affected Yahoo Voices, a library of articles, photos and videos cranked out by outside contributors that went by the name Associated Content until Yahoo bought that site for a reported $90 million in May of 2010.
In an apologetic post on its corporate blog, Yahoo explained that hackers got access to "an older file containing approximately 450,000 email addresses and passwords" predating that acquisition.
Back then, Associated Content let users sign up with logins from other sites, including Yahoo and also Google's Gmail and Microsoft's Hotmail. That company failed to take the basic step of encrypting this account database.
CNet's Declan McCullaugh obtained a copy of that database and found that it included 137,559 Yahoo accounts and 106,873 Gmail credentials. McCullaugh also noted some horribly weak passwords - 780 were just the word "password."
You can see if your account was among those compromised by checking your e-mail address at a page set by Sucuri Malware Labs, a Menifee, Calif., security vendor: http://labs.sucuri.net/?yahooleak.
Even if it's safe, you should then revisit your current passwords to make sure they follow these guidelines:
- Don't reuse passwords across multiple sites. I know, having to memorize all of these separate passwords is a pain. So does losing access to multiple sites at once. (You could argue that it's okay to reuse passwords at sites that don't secure anything important, but why get in the habit?)
-You don't need to change your password every 30 or 90 days or whatever; either it's safe or it's not. Companies that enforce these rules waste people's time and encourage them to pick shorter, more memorable passwords that are also easier to crack.
- A long password made up of real words is more secure than a short one composed of alphanumeric babble. As I've written here before (and as xkcd Web-comic author Randall Munroe noted last summer), the length of passwords is more important than their inscrutability.
- If you have to save or write down passwords, make sure whatever stores them is secure. You have three basic choices: Save them in your browser, then have a strong password locking your computer; save them in a third-party app like LastPass or 1Password; write them on a piece of paper and carry that in your wallet, which you presumably already know to keep safe.
- If you use Gmail for important business, think seriously about enabling Google's "two-step verification" to stop somebody from taking over your account just by stealing your password.
Finally, make sure you've got password-recovery options set up for all of your important accounts. At Yahoo, Gmail and Hotmail, for example, you can add your mobile phone number to allow a password reset through an exchange of text messages.
Tip: On the Web, leave on the last "s" for security
Once you're done with passwords, you can greatly increase your security at some popular sites by changing one other setting. Called such abbreviation-heavy names as "always-on HTTPS" and "site-wide SSL," this extra step encrypts your entire session - not just your log-in, but everything you do at a site until you log out - to ensure that nobody can eavesdrop or capture your credentials using tools like Firesheep.
Some sites have already taken this step for you: At Gmail, this has been the default setting since early 2010, and Twitter made it standard in February.
But most of the time, you need to wander into your settings. Facebook is working on making sitewide encryption its default, but for now you have to visit the security section of your Account Settings page and enable "Secure Browsing." To enable this at Microsoft's Hotmail, visit https://account.live.com/ManageSSL and choose "Enable HTTPS automatically."
Yahoo Mail, however, does not offer this option.
By Rob Pegoraro