Better advice on what to do about the huge Yahoo data leak
Yahoo says 500 million user accounts have been compromised, and they are telling users to change their passwords. That's good advice, and below you'll find better advice from security firm Sophos.
But first: For the next several days, or even weeks, beware emails that appear to come from Yahoo. Now will be a great time for phishers to trick users into following alleged "change your password" links that actually lead to hacker-controlled sites.
Now, onto the better advice:
Change your Yahoo password immediately.
Reset this password, if you’re reusing it on other online sites. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
Make all new passwords different and difficult to guess – yes, you need to create different passwords for every site you visit.
Include upper and lower case letters, numbers and symbols to make passwords harder to crack – refer to the Sophos Password Quick Tips guide for creating stronger passwords.
Don’t trust password strength meters – these are unreliable and inaccurate.
In general, it’s always good practice to update your passwords, password manager and security questions if you hear of a potential data breach that might affect you. Even data breaches from several years ago could still impact you today.
I disagree about using a new password for every site. I mean, it's a lovely idea, but it's just not realistic. Instead, I'm an advocate of having password families. One simple password for throwaway accounts you don't care about, like newsletters; one medium-hard password for sites that require a registration, but don't involve money; and then one really strong password for financial accounts that you change on a regular basis.
For that tough password, use something clever, like the first letter of every word in a sentence. Like this: I Was Born on November 1 in North Dakota -- IWBoN1iND (I wasn't, by the way). Change a number to a symbol and you are in good shape, like IWBoN!iND.
Now, as for how often you should change your password -- I asked a bunch of experts that question not long ago and got some interesting answers.
Graham Cluley – Independent computer security analyst, formerly of Sophos and McAfee
I only change my password if I'm worried a service has been hacked/compromised. I have different passwords for each site. In fact, I reckon I have over 750 unique passwords. I use password management software. :) I think requiring people to regularly change their password is a bad idea. It encourages poor password choices, (such as) passwordjan, passwordfeb, etc.
Mikko Hypponen – Chief Research Officer, F-Secure
Depends.
For your corporate network account? Several times a year. For an online newspaper that requires registration in order to read it? Never. As always, it's about threat modelling: Figure out which services are the important services FOR YOU. Then use a strong, unique password on those, and change it regularly. For non-important sites: who cares.
James Lyne – Global Head of Security Research at Sophos, speaking specifically about corporate passwords
The requirement to change your passwords is a preventive measure that is designed to minimize the risk of your already stolen password being cracked and used. Over 2014 there have been a huge number of attacks which have led to the loss of password hashes (or other representations). These password ‘representations’ require time and effort for attackers to crack and reverse to their plain text form. Depending on the hashing scheme in use and the resources of the attacker, this can take little time, or a very long time. Changing your password regularly helps manage the risk of an attacker stealing your password hash from the provider (without you knowing) by increasing the probability you have changed it before they use it.
There is a real balance to be struck with password rotations. Some enterprises set painful rotation rules that require staff to regularly learn a new password and commit it to memory – ironically this can lead to staff producing poor passwords to meet the requirement, which again ironically makes it much easier for the attacker to break. Providing the service provider does their part and secures your password with an appropriate storage mechanism, often using a significantly longer, complex and hard-to-guess password is a much better defence. Good luck to the cybercriminal going after a 128 character password stored as a (moderately poor) SHA1 hash.
Password managers help you generate long and complex passwords that will be hard to crack even if lost. That said, if you go this far and implement a manager, you may as well rotate your passwords once in a while, as you don’t need to remember them and it helps minimize the risk of attackers using stolen credentials (particularly on sites that store your password poorly). Most enterprises would do well to consider how to improve their password storage security and the strength of the original password over a 30 day rotation period.
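As an added illustration of the point above about hashing schemes (example code written for this post, not from Sophos or the article), the following Python contrasts the "moderately poor" unsalted SHA-1 storage with salted PBKDF2-HMAC-SHA256 from the defender's side: how a site stores and verifies a password, and how the per-guess cost changes what an attacker holding the leaked hashes is up against. Function names, the 200,000 iteration count and the 72-symbol alphabet are assumptions of this example; the measured rate is a single-core Python figure meant only to show the ratio between schemes, not real cracking throughput.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Unsalted SHA-1: the "moderately poor" scheme named in the quote. One fast hash per guess,
# and identical passwords produce identical hashes across all users.
def store_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Salted PBKDF2-HMAC-SHA256: every guess costs the attacker `iterations` HMAC computations,
# and the per-user salt defeats precomputed tables. Iteration count is an assumed value.
def store_pbkdf2(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison of the stored digest

def guesses_per_second(hash_fn: Callable[[str], str], samples: int) -> float:
    """Rough single-core guess rate for hash_fn on this machine (ratio between schemes is the point)."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}")
    return samples / (time.perf_counter() - start)

def years_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Years needed to try every password of `length` symbols from `alphabet_size` at `rate` guesses/s."""
    return (alphabet_size ** length) / rate / (365 * 24 * 3600)

if __name__ == "__main__":
    fixed_salt = bytes(16)  # constructed constant salt so the demo timing loop is repeatable; never reuse in production
    sha1_rate = guesses_per_second(store_sha1, 20_000)
    pbkdf2_rate = guesses_per_second(lambda p: store_pbkdf2(p, fixed_salt), 5)
    print(f"SHA-1:  ~{sha1_rate:,.0f} guesses/s")
    print(f"PBKDF2: ~{pbkdf2_rate:,.1f} guesses/s")
    for length in (8, 12):
        print(f"{length}-char password over 72 symbols: "
              f"SHA-1 {years_to_exhaust(72, length, sha1_rate):.1e} years, "
              f"PBKDF2 {years_to_exhaust(72, length, pbkdf2_rate):.1e} years")
```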
Harri Hursti – independent security researcher, famous for “The Hursti Hack” of voting machines
This is not (an easy question) … because changing the password too often can also become a security risk.
It greatly depends. Passwords I use more often, over the internet and on sensitive sites, are changed 2-3 times a year. Then there are very important passwords which are either used very seldom or are used in a more secure environment, and those I change once a year, or not even then.
Chester Wisniewski and Paul Ducklin – senior security advisors at Sophos
The answer, loosely, is this.
Change a password if any one of these is true:
1. You suspect (or know) it has been compromised.
2. You feel like changing it.
3. You have been re-using passwords and have decided to mend your ways.
We explain better in the podcast “busting password myths,” I think.
The podcast is 15 minutes long; however, the first two minutes address this very question and may be worth your time.