
Mail security tips

Posted September 17th, 2008 at 8:00 pm by John Kremer, Yahoo! Mail

14 Comments / Filed in: Our Users

There are nearly 275 million Yahoo! Mail account holders worldwide.

Since one Yahoo! Mail address is in the news today, I thought this might be a good time to remind everyone about some online safety tips that will help protect your account. (In order to protect the privacy of our users, we can’t get into specific details of any of our users’ accounts — we know you’d want us to do the same for you!).

  • Choose a strong password. It’s like a toothbrush – choose a good one and don’t share it. Your Yahoo! Mail password can be any length and can contain spaces, symbols, or numbers – letting you come up with something that’s easy for you to remember but impossible for someone else to figure out.
  • Avoid using a complete word from a dictionary (English or otherwise) or a name.
  • Use at least 7 characters. The more the better. A long but simple password can be safer than a shorter complex one.
  • Use a combination of capital and lowercase letters, numbers, and standard symbols (! @ # $ % ^ &, etc.).
  • Don’t use personal information that someone could easily figure out. Avoid a password based on information easily obtained about you (a birthday, your child’s name, your phone number, school name, etc.). Don’t use a password you already use for another account, like your bank account PIN. And don’t use your Yahoo! ID (or other username) in any form (reversed, capitalized, doubled, etc.).
  • Avoid the obvious. Attackers tend to first try repeating letters or number sequences (123456). Stay away from “test” or “password.” And when you change your password, which you should do relatively often, don’t just add a number to the end.
  • Create a sign-in seal. Yahoo! and many financial institutions let you personalize your sign-in page to help you make absolutely sure you’re not falling victim to a phishing scam. See a photo of your cat Rupert? You know it’s safe to proceed.
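The password rules in the list above, written out as an added policy check that is not part of the original post: the word list and account IDs are constructed samples, and the 12-character cutoff below which mixed character classes are required is this example’s assumption.

```python
import re
from typing import List, Optional, Set

# Constructed stand-in for a real dictionary/name list (assumption for this example).
WORDLIST = {"password", "test", "welcome", "sunshine", "rupert"}
SYMBOLS = set("!@#$%^&*()-_=+[]{};:,.<>/?")

def id_forms(user_id: str) -> Set[str]:
    """Forms of the ID the post says never to use: plain, reversed, doubled."""
    u = user_id.lower()
    return {u, u[::-1], u * 2}

def is_sequence(s: str) -> bool:
    """True for runs such as 123456 or abcdef (every step +1, or every step -1)."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})

def check_password(pw: str, user_id: str, previous: Optional[str] = None) -> List[str]:
    """Return the post's rules that `pw` violates; an empty list means it passes."""
    problems = []
    low = pw.lower()
    if len(pw) < 7:
        problems.append("shorter than 7 characters")
    if low in WORDLIST:
        problems.append("complete dictionary word")
    if len(set(low)) == 1:
        problems.append("one character repeated")
    if is_sequence(low):
        problems.append("simple sequence such as 123456")
    if any(form in low for form in id_forms(user_id)):
        problems.append("contains the account ID (plain, reversed or doubled)")
    # Mixed classes are demanded only below 12 characters, since the post says a
    # long but simple password can beat a short complex one (12 is an assumption).
    classes = (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
               + any(c.isdigit() for c in pw) + any(c in SYMBOLS for c in pw))
    if len(pw) < 12 and classes < 2:
        problems.append("only one character class in a short password")
    if previous is not None:
        # "don't just add a number to the end" when rotating the password
        if pw == previous or re.fullmatch(re.escape(previous) + r"\d+", pw):
            problems.append("old password reused or a number appended to it")
    return problems
```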

Cybercrime is an industry-wide issue and we’ve been working with the industry in combating it (with innovations like Domain Keys). Rest assured that we take security and privacy very seriously here.

You are the first line of defense. Head over to antispam.yahoo.com and security.yahoo.com for more tips to help you protect your account, your privacy, and your identity.

John Kremer
Vice President, Yahoo! Mail


14 Comments

Comment GC | September 17th, 2008 at 9:03 pm

I think that implementing SSL in Yahoo mail would help too. In fact, I think it is necessary nowadays and needs to be standard. This would be useful so that when one is using cafe or library public wifi and wants to sign into Yahoo, they would have less fear that someone could steal their password.

Comment JG | September 18th, 2008 at 7:25 am

How does any of this protect against the recent Yahoo – Palin email hack?

They used the recover the password feature.

How can our accounts be protected when no matter how strong the password is, you are handing it over?

Will one way encryption and password resets be added?

If not will recovery questions become less obvious?

Comment DA | September 18th, 2008 at 1:50 pm

The recovery password feature is weak. On my account, all I have to do is answer one “secret question” and my password can be reset.

And then Yahoo! makes it difficult to change the secret question. I could have the best password in the world, but all a hacker really needs to know is the answer to the “secret question”. Which for some people, could be found on myspace, facebook, or Yahoo! 360.

Yahoo! could do a better job of recovering passwords…

Comment TM | September 19th, 2008 at 6:48 pm

I agree with JG. This is a good opportunity for Yahoo to revise its password recovery option.

As far as I can tell, all you need is a user’s birthday, country, and postal code. It doesn’t matter whether you’ve created a wonderfully long, complex sequence of letters and symbols. It doesn’t matter whether you see the right picture on your log in page. Yahoo, of course, is not alone in needing to beef up its protection of user privacy.

The only solution at this point is for users to provide Yahoo with something other than their actual birthday, postal code, etc. This diminishes the usability of the MyYahoo page, and you might forget these answers, but at least you reduce the chance of a social engineering attack on your account.

Comment M | September 19th, 2008 at 8:22 pm

“And then Yahoo! makes it difficult to change the secret question.”

Difficult? I searched all over the help site and account info page trying to find this setting. Where is it? I don’t think you can change it. The only thing I’ve found to attempt to reduce your exposure to the recovery attack is to use an email address that’s different from your Yahoo! ID AND lie about your birthday, country of residence and ZIP CODE. Once you’ve established an account, the only thing you can change is your ZIP. When recovering a password for an email address that is different from your ID, it will ask for the DOB, country, and ZIP. Pretty weak protection.

Comment M | September 19th, 2008 at 8:27 pm

Ahhh… I found the place to request a reset. Wow. Still not as easy as it should be.

help.yahoo.com/l/us/yahoo/acct/info/sqachange.html

Comment Roger | September 20th, 2008 at 1:48 pm

Yes, DA hit the nail on the head. It’s about the flawed recovery procedure. If you are going to use question/answer, why not allow the user to choose their own question and answer?

Or, users should have the choice of recovering only by phone or text message. That way, they would have to lose their phone to have their password changed.

Comment dan stevens | September 20th, 2008 at 3:47 pm

Strengthening passwords has nothing to do with how Palin’s account was breached. The hacker used the reset password function. There’s a guy on the finance message board for YHOO that said that Yahoo needs to block proxies (which is what the hacker used to remain anonymous) and strengthen the authentication processes similarly to what banks do. He described a method where machine fingerprinting is done behind the scenes by the site’s owner and if there is no match, then there’s a challenge issued before allowing the password to be reset. Or, if an IP address from blacklisted sites is being used to access any account, it is rejected. This makes much sense. Who knew that these free email accounts could be breached so easily. My bank uses challenge questions that are so difficult that sometimes I can hardly remember them and have to call and speak with somebody live. I think Yahoo needs to plug this hole.

Comment Jeff Atkinson | September 21st, 2008 at 7:01 am

It’s clear from Yahoo’s response that the V.P. of mail doesn’t comprehend the problem or solution. Password strengthening would have made no difference, in the Palin situation.

What actually happened is a college student was able to do social engineering on a public persona by exploiting weaknesses in Yahoo’s ‘password reset’ feature.

First and foremost, no account maintenance should ever be allowed on anyone’s accounts from any proxy used to mask identity. Had the student used a foreign proxy, FBI/SS would have had a much more difficult time in obtaining logs that identified the perpetrator.

Secondly, Yahoo needs to strengthen the challenge questions. For a public persona, name, address, and zip code are all easily found in public records. All this individual had to do was guess on the question of where Palin met her spouse. Again, this is publicly obtained information.

I work in security and have implemented systems for financial firms which are mandated by FFIEC regulations to use strong multi-factor authentication systems. If Yahoo is to be entrusted with personal information by customers, they should do the same.

There are good third party software products that provide features that would have prevented the Palin incident. RSA provides a product that passively examines machine information, stores it as profile data about that user, and uses it to challenge if somebody tries to access the account from a different computer/network. Challenge questions are presented, and if the challenge is not answered correctly, the account can be frozen until the customer can be contacted to confirm identity.

In security terms, the “what you know” aspect of Yahoo’s security questions is too easy to social engineer from public data, and requires strengthening, at a bare minimum. Again, nobody should be allowed to do account maintenance like password reset, or changing any account data, from any proxy. Proxies are the main tools used by cyber criminals to mask identity.

Banning proxy traffic from its site would also help to resolve problems Yahoo has had with click fraud, spam rings, and “pay to post rings” operating on their sites.

Comment Slim | September 21st, 2008 at 8:19 am

It’s apparent that Yahoo’s V.P. that responded about the problem doesn’t have a clear understanding of what actually happened to Palin’s mail account.

Lengthening or encrypting the password would not have prevented the social engineering that occurred.

A kid without any computer hacking skills was able to access Palin’s account simply because Yahoo’s security questions are too easy to guess. Anyone can Google Palin and determine her zip code or where she met her husband.

These questions need to be made less obvious.

Comment Chris | September 21st, 2008 at 11:35 am

Mr. Kremer seems confused about the social engineering that allowed Ms. Palin’s Yahoo account to be breached after a password reset from an anonymous person using a proxy. How would lengthening her password have prevented the social engineering that transpired? Wouldn’t it make more sense to not allow proxies to be used?

I’m told by security pros that the process for resetting the password on Yahoo is weak at authenticating the party is the true owner of the account. They are recommending that Yahoo implement multi-factor authentication and allow the customer to choose their own security questions.

We had an interesting thread discussion of the topic over on Yahoo finance, but our thread was deleted by Yahoo for some reason. Why is Yahoo censoring discussion of this topic?

Comment becauseyouspam | September 21st, 2008 at 7:50 pm

dan stevens, machine fingerprinting should be completely out of the question, blocking proxies too. Reasons are simple:
First you can get e-mail everywhere, free or very cheap. I don’t think there is anyone who’d use an email service who’s fingerprinting their hardware and software (on top of the data mining they already do).
Secondly you’d eliminate mobile access with that kind of attitude. Now why do you think so many people use webmail in the first place? Right, it’s the remote access they are looking for.

And talking about security: NO ONE should use webmail providers like yahoo, google, microsoft etc. if it’s not for mobile access!

However, the password recovery feature implemented for yahoo accounts is indeed a security issue in itself. It needs fixing and it should not rely on any social factors like age, birthdates, schools etc. Those are mostly accessible today by (ab)using social network sites.

Lastly I can only recommend to always use fake information based on something that can be remembered easily. Never enter your real birthdate (who needs to know that anyways? If children want to access 18+ content they are smart enough to fake it), always enter fake answers to security questions etc.

Comment Jeff Atkinson | September 22nd, 2008 at 4:56 am

Becauseyouspam, it sounds like you don’t understand fully how strong multi-factor authentication systems work. They operate passively in the background without the user knowing about them, very similarly to how Yahoo collects web surfing data about their customers using web beacons, cookies, behavioral marketing software, cross-site scripting from third parties, and other tools that gather data about the customer.

The authentication software runs in background and gathers information about the user’s profile. Some users always login from a particular geo-location or computer/network and would only have one entry in their profile. Other users might travel or use public computers, login from varied geo-locations or computers/networks, and that user’s profile would reflect what’s called a “roaming” profile.

The same applies for mobile users. For a “roamer”, the profile for that user would show that they travel and often use varied computer/networks. Rules can be tailored to allow challenges at varied levels so as to not be inconvenient to the user. Obviously, banks and financial institutions would require tougher challenges than do free email services. However, with Yahoo entering the payment field, they should be taking the same precautions with user accounts as financial institutions must to comply with FFIEC rules for multi-factor authentication. If they want to enter that game, they have to increase their level of protections on customer accounts and data.

The strong multi-factor authentication should provide security for those concerned with data breaches, phishing, trojans and worms that collect login credentials to empty bank accounts, or in Sarah Palin’s instance, violated the privacy of her account due to weak security questions. Again, there’s nothing that prevents mobile access or access from roaming locations.
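The tiered, profile-based challenge this comment describes, sketched as added example code that is not part of the thread or of any Yahoo or RSA product; the /24 grouping of addresses, the three-network roaming threshold and the caller-supplied anonymizer flag are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Set

def net_prefix(ip: str) -> str:
    """Coarsen an IPv4 address to its /24 so one home or office network counts as one place."""
    return ".".join(ip.split(".")[:3])

@dataclass
class LoginProfile:
    """What a passive profiler might accumulate per account (constructed for this example)."""
    networks: Set[str] = field(default_factory=set)
    agents: Set[str] = field(default_factory=set)
    roaming: bool = False

    def observe(self, ip: str, agent: str) -> None:
        """Record a successful sign-in; three or more networks marks a roamer (assumed threshold)."""
        self.networks.add(net_prefix(ip))
        self.agents.add(agent)
        if len(self.networks) >= 3:
            self.roaming = True

def reset_challenge(profile: LoginProfile, ip: str, agent: str, via_anonymizer: bool) -> str:
    """Choose how much proof a password-reset request must supply.

    "deny":     request arrives through an identity-masking proxy (detection is the caller's job)
    "strong":   unknown device and network, require an out-of-band or multi-factor step-up
    "question": familiar network, or a roamer on a familiar device, knowledge challenge only
    "basic":    network and device both match the profile, normal reset flow applies
    """
    if via_anonymizer:
        return "deny"
    known_net = net_prefix(ip) in profile.networks
    known_agent = agent in profile.agents
    if known_net and known_agent:
        return "basic"
    if known_net or (profile.roaming and known_agent):
        return "question"
    return "strong"
```

A fixed-location user resetting from a new network is escalated to the strong step-up, while a user whose history already shows travel gets the lighter challenge on a known device, which is the tailoring the comment argues avoids inconveniencing mobile users.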

Comment Kate | July 22nd, 2009 at 7:15 pm

drop by, nice blog.
