Yahoo Insiders Believe Hackers Could Have Stolen Over 1 Billion Accounts

An anonymous reader quotes a report from Business Insider: The actual tally of stolen user accounts from the hack Yahoo experienced could be much larger than 500 million, according to a former Yahoo executive familiar with its security practices. The former Yahoo insider says the architecture of Yahoo's back-end systems is organized in such a way that the type of breach that was reported would have exposed a much larger group of user account information. To be sure, Yahoo has said that the breach affected at least 500 million users. But the former Yahoo exec estimated the number of accounts that could have potentially been stolen could be anywhere between 1 billion and 3 billion. According to this executive, all of Yahoo's products use one main user database, or UDB, to authenticate users. So people who log into products such as Yahoo Mail, Finance, or Sports all enter their usernames and passwords, which then goes to this one central place to ensure they are legitimate, allowing them access. That database is huge, the executive said. At the time of the hack in 2014, inside were credentials for roughly 700 million to 1 billion active users accessing Yahoo products every month, along with many other inactive accounts that hadn't been deleted. In late 2013, Yahoo CEO Marissa Mayer said the company had 800 million monthly active users globally. It currently has more than 1 billion.

Two years it took to count that high

[Trax3001BBS]

Must of used 1111/

British billion?

[goombah99]

Is that a british Billion or a USA billion?

Perhaps we can forever rid ourselves of the english language uncertainty over the definition of a billion by renaming the US billion to a "Yahoo".

Re:British billion?

[plover]

Or perhaps Obillion, or Clitillion?

A "clitillion"? Men would never be able to figure it out.

Re:

[Anonymous Coward]

Is that a british Billion or a USA billion?

The so-called "British Billion" you refer to (i.e. 10^12, or a "long" billion) is all but obsolete in the United Kingdom. Nowadays the "short" version used in the US (10^9) is the accepted standard definition of "billion" here too.

Re:

[kencurry]

Those British with their silly walks and special units ...

Re:

[infolation]

Try buying carpets in the UK. Measured width in yards, length in meters.

Re:

[Trax3001BBS]

Is that a british Billion or a USA billion?

Perhaps we can forever rid ourselves of the english language uncertainty over the definition of a billion by renaming the US billion to a "Yahoo".

My best attempt at the 1111 then a slash across the 4 for 5. then again for 10 and on till 500 million.

I'm attempting to access yahoo.com at the moment having a bit of a problem with my password :)

Re:

[Trax3001BBS]

>

I'm attempting to access yahoo.com at the moment having a bit of a problem with my password :)

Took some time and lots of sms traffic but got in, now I'm just going to delete the account.

All of it

[Anonymous Coward]

Just say they stole all the accounts. It's also simpler to say: "Everyone who's had a yahoo account (and still cares about it) change your passwords now."

Re:

[gweihir]

Naaa, that may drive customers away. Oh, wait....

Re:

[infolation]

I think the whole 'password hack' is a Yahoo ploy to make it sound like they have a billion users.

Re:

[rtb61]

So what is the value of the information appropriated, where they stolen, or was there an executive level, golden parachute scheme, what with M&M her M&Ms on the way out, how much could that data access have been sold for, how many millions.

Unbelievable

[MightyDrunken]

Unbelievable!

700 million to 1 billion active users accessing Yahoo products every month

Oh and the hacking thing.

Re:

[kencurry]

Unbelievable!

700 million to 1 billion active users accessing Yahoo products every month

Oh and the hacking thing.

okay that was funny - mods are asleep at the wheel today.

Re:

[plover]

I use it daily.

Ironically, I've only ever used it for their OAuth service so I could log into other smaller websites, without having to worry about their password storage security. I sure called that one well...

Re:

[Trax3001BBS]

Mine was pretty much used a decade ago as an account to sign up for other things that required an email address. Hadn't looked at it in at least 5 years, and deleted it only a few months ago because I thought it probably wasn't good to have this unused account hanging out there.

1 billion active Yahoo accounts? Don't think so.

No, mine is gone now -well will be in 91 days.

Another feather in Ms. Mayer's cap

[OneHundredAndTen]

Probably one of the worst CEOs ever, down there with Stephen Elop.

Re:

[gweihir]

Well, Charley Fiorina did pretty badly as well, but I guess these alpha-women must outdo each other. Maybe Meg Whitman can get back into the race again if she manages to kill IBM...

While I know a few quite competent female engineers and scientists, these female CEOs seem to be intent to be much worse than the average male CEO.

Re:

[BarbaraHudson]

They didn't make any bones about it - their first step was to fire a ton of engineers. The "New Yahoo" was supposed to coat along on existing software, acquisitions, and inertia so that it would be more profitable in the short term, making it look more profitable. To bad all software has bug, the acquisitions sucked, and inertia only takes you so far against resistance.

Re:

[gweihir]

So you think she planned to kill the company in the long run to make herself look good in the short run? Makes sense to me.

Re:

[BarbaraHudson]

No, she planned to make the company look good in the short run to foist it off on someone else and collect an even bigger golden parachute. That is the trend nowadays. Just look at how a company's stock goes up when someone announces a mass lay-off. They know that in the short term, there will be more profits, and if they're lucky, they can unload the stock before it all turns to crap.

Re:

[radarskiy]

She was hired by the board of directors to get the shareholders a big payday. She was willing to do it by making the company a going concern in the long term, but the shareholders decided they wanted to cash out quickly.

She added value to the company at a rate of 10 to 20 million USD per day that she's been employed, at a 100:1 return on her compensation. Form the perspective of the people that hired her, that's a big damned success.

Re:

[gweihir]

Well, yes. Of course, if many people do that, everything goes to crap in the end, but that seems to be the current trend.

Re:

[TroII]

So you think she planned to kill the company in the long run to make herself look good in the short run?

That's precisely what CEOs of public companies are hired to do now. Pump the share price as high as possible as quickly as possible, damn the consequences, and then bail with a golden parachute.

Thank God I don't share passwords between sites

[Anonymous Coward]

After having my gmail account hijacked a few years ago, I began using a password generator/storage program on my desktop and changed passwords to unique passords for everything. It's damn hard to remember passwords such as '67zu2tLqWdfaXe6hV6m5,' but nobody is going to stumble upon it.

Amazing Incompetence

[Shane_Optima]

So, here is the way to fix this sort of thing using very old, very simple, freely-available tech:

First, all passwords are hashed with salt on the client. If you want to protect a bad (brute force-able) password, you could use secret salt (i.e. a keyfile) hashing layer separately but for maximum portability known salt (like the base domain, "yahoo.com") should be used. This will protect good passwords from being brute-forced without something on the client being compromised, and offers strong protection for password reuse (regardless of whether or not reuse with different services is ill-advised, it will always happen.)

Ideally, this needs to happen via a special API call to the browser itself and not by scripting on the website. The browser is already aware of password fields (this is how it offers to remember logins for you) and thus can in principle alert you whenever an insecure passfield field (or whenever 'no legitimate password field') is present. This would prevent all but the most careless users from having a spoofed website discover their plaintext passwords. I would much prefer that the browser itself handle this hashing but even a javascript implementation of client-side hashing would be a huge improvement over the status quo, primarily because the presence of client-side hashing can be easily detected and audited whilst we have to take them at their word if they claim to be doing this all securely on the backend. (And also because a client-side hash reduces the attack surface such that a database breach or HTTPS attack alone is insufficent--with JS client-side hashing, only a successful website spoof that is undetected by the browser would reveal the plaintext password.)

Next, on the server side, the already client-hashed password is hashed a second time prior to being stored in the database. What does this accomplish? I'm glad you asked! What this means is that a simple read-only database breach does not allow an attacker to log into anyone's account. This is because if they try to use the value stored in the database (post server-hash), it will be hashed a second time prior to being compared to the value in the database, and this second hashing will result in a mismatch. Thus, a successful attack would need to either intercept the pre-server hash value in memory (a much more difficult feat, and one that will only reveal users that log in while the attack is in progress), or they need write permission to the database to overwrite the password, which should sound the alarm in two ways: one by (hopefully) causing database integrity checks to fail, and another by locking users out of their accounts.

The upside of all of this: Good passwords remain safe to reuse on other websites (so long as everyone uses these standards. Websites and apps refusing to use these standards should be aggressively warned against.) Even with bad passwords, it's much harder for attackers to gain access to accounts, and the number of accounts compromised should be reduced. And the CPU load of doing this hashing should be minimal compared with the overhead that HTTPS already imposes.

Now tell me, can anyone explain why this isn't happening yet? This sort of thing would allow us to stop insisting that the most important thing users need to do is memorize a different quality password for every single account they have (impossible for most people.) The elbow grease to do this is minimal and with enough of an outcry, we could easily shame these big name companies into adopting these standards.

(And please, for all you anonymous cowards who want to tell me that hashing with known salt values are useless... go educate yourself on the properties of cryptographically-secure hash algorithms. I don't care about pre-computed rainbow tables. This isn't about protecting weak passwords from brute force attacks. Once offline attacks become possible--which happens whenever a hashed value becomes known, provided the hashing algorithm and salt are both k

Re:

[Shane_Optima]

To clarify: this offers only weak (time-delay) protection for bad passwords. Bad passwords (ones that can be brute forced with offline analysis) would still need to be updated as soon as possible if a database breach happens whilst using this system, but it should still buy some time for people to do this. The only strong protections that can be offered for bad passwords are online delays (which immediately becomes useless once the database is compromised by an attacker) or secondary verification steps (sec

Re:

[Shane_Optima]

Second clarification: A collision attack on the hashing algorithm does present a problem under this scheme, but it is not a problem that results in the plaintext password from being known. The moment a feasible collision attack with known salt becomes known, the server can safeguard themselves by simply change their hashing algorithm and urges all users to log in as soon as possible, but note two things here:

1. The users do not need to change their password (particularly if it's a strong password, or i

Re:

[Shane_Optima]

The client also needs updating if the client's hashing algorithm is vulnerable to collision attacks, but assuming we're talking about a widely-adopted standard that uses a single service (preferably built into the browser itself), this would be a one time update that (assuming automatic security updates are enabled) wouldn't require special action on the part of the user.

Re:Amazing Incompetence

[gweihir]

Please do not listen to this person. He is really, really clueless.

Re:

[Shane_Optima]

You are ignorant of simple cryptographic truths and it is very. very sad (because you are definitely not the only one.)

Go read up on cryptographically secure hashing and explain to me how my system would fail to prevent the attacks I describe.

Re:

[gweihir]

You wish. There are no "cryptographic truths" when you implement anything in practice and, implemented in practice, your "solution" makes things worse. That is one of the reasons why basically nobody competent uses your broken scheme.

But I am not surprised. Amateurs like you think that if you just encrypt right and authenticate right, you are secure. Nothing could be farther from the truth. Crypto is one small building stone in the whole. And no, I am not going to fix your broken idea, I have about 30 year

Re:

[Shane_Optima]

I don't care about terminology quibbles. I've already repeatedly stated elsewhere that I'm not a professional. If you do know anything at all about cryptography, I am assuming that you understood what I mean. Hashing functions can more either more or less secure when it comes to collisions or leaking information about the information being hashed. In my post, I was referring only to the most secure hash functions available.

The fact is that passwords are being routinely being stored in plaintext and thi

Re:

[gweihir]

Get at the very least 10 year professional practical experience with crypto, then come again and complete your theoretical knowledge, because that is as well lacking. You are so clueless it is painful. Application of cryptography is one of the hardest fields in Computer Science, and amateurs cannot contribute because they lack the basic understanding required. Sure, this sounds arrogant, but there is no helping that because it happens to be true. Would you suggest new ways of doing brain-surgery without bei

Re:

[Shane_Optima]

You've yet to give a single concrete criticism of my ideas except that I said "cryptographically secure hash" instead of "iterated hash." You know why I said that? Because I don't KNOW what the most secure hashing method is, the precise details of its operation, or what it is officially named! It's your job to know that shit. You. The alleged professional.

This is just pitiful. A 5 digit ID and an alleged professional and the best you can do is a hand-waving appeal to your alleged professionalism. You c

Re:

[gweihir]

Fascinating. The only thing you are demonstrating here is a very much over-sized ego. And incidentally, you are not the least bit unique. I have seen a lot of broken crypto designs over the years, yours is just one more.

Re:

[Shane_Optima]

You've no idea. This isn't about ego at all; I simply enjoy watching people make asses of themselves. Feel free to call me a sadist, if that makes you feel any better.

And it turns out, I can do your arguing for you! I found another crypto "expert" that I'm IMing at the moment and just like you he threw a hissy fit at first, but after 45 minutes he was forced to concede every single one of my core claims, while still claiming that it would never work in practice because they would never do it, which isn't

Re:

[Shane_Optima]

The fact that you think this about ego really says it all. You think that I think that this is some brilliant, complex, end-all and be-all solution. I explicitly said it wasn't. It isn't a credit to my intellect, not in the slightest. It's a 'credit' to yahoo's stupidity that they didn't do this. And it's a credit to yours that you've posted like what, perhaps ten pointlessly hand-waving posts of zero content, arguing that my ideas are broken because you have more than ten years of experience, that's why!

Re:

[Shane_Optima]

I never claimed it was novel. It just isn't being used and it should be.

If people want to pay me to search for prior art for every single post I make, I'd be happy to. The point isn't that I'm the first one to think of what is, at root, an extremely obvious idea once one-way hash functions were developed for cryptographic use. The point is that the vast majority of industry leaders are not properly using these functions, even though they would require very little overhead, no changes that the user would

Re:

[Shane_Optima]

People who've modded this up: Please post AC to explain to me why my system would not work. I look forward to clarifying and/or educating you about how hashing works.

Re:

[Shane_Optima]

I don't come to slashdot to suck up to people by pretending bad ideas aren't bad. Storing passphrasses as plaintext, as many sites are clearly doing, is an objectively horrible idea that my easy-to-implement solution fixes.

It may not be the optimum solution, but it is easy, cheap and effective for the purposes I've described. People who think that extreme politeness should come before correctness are a major scourge in this world.

Re:

[Shane_Optima]

And in fact, I'd argue that with any JS-based solution an average user couldn't either

But security bulletins could be posted. Companies could prevent people from visiting sites that refuse to use client-side hashing. Browsers could warn you with dire-sounding popups. Pressure could be brought to bear. As I've already described, it doesn't replace server-side hashing but if they are dumbasses about it then it at least mitigates some of the damage done by a lack of server-side hashing.

It's only "not easy" in the sense that any change requires work. It's not something that requires much m

Re:

[Shane_Optima]

Alternatively, here is a message to other mods: an absence of such explanation should be indicative of the fact that these naysayers have, in fact, no idea what they are talking about. And so you really should mod me up as informative, not because I need the karma (I don't), but because we really need to raise awareness that these sorts of security breaches could be mitigated and minimized with a trivial amount of effort.

These extra protections are primarily for those users who have strong passphrases t

Re:

[gweihir]

No. They are just fed up with any moron that thinks they can do better than the actual experts. And while there are not many actual experts, there is an endless supply of morons. Hence this argument cannot hold water at all.

Re:

[Shane_Optima]

A thousand dollars if you can back up your bullshit with sound rebuttals. I'm serious.

Typos and misparsing of sentences from my original very quickly written post do not count--I've already given you multiple clarifications of what I'm intending here and what the benefits would and would not include.

Re:

[gweihir]

$1000 buys you about 4 hours of my time. I do not take jobs below 5 days. And I do not take "convince a moron or do not get paid" jobs either.

Sure, I can tell that you are pretty smart, but what makes you a moron is that you think you are much smarter than you actually are. And that makes you fail at recognizing the actual difficulty-levels of things. To use crypto right you have to be pretty smart _and_ you need a lot of experience. One decade is on the low side and that is after at least a full CS master

Re:

[Shane_Optima]

I don't have to be a car expert to know that you don't want to put your antifreeze-water mixture into the gas tank.

Provided the summary here is accurate (this was a database leak only and yet accounts that were offline had their login credentials compromised, with no comment about the strength of the passphrase mattering), this is a fuckup of the highest order here and yet you apparently haven't offered a word of technical criticism of it.

Thus, I think it's reasonable to conclude that you are a trol

Re:

[Shane_Optima]

Pretty sure you've given up at this stage, as you obviously don't have the knowledge or the chops to actually engage me in a debate. I was trained in an extremely technical field and I could and still can debate any point with which I was familiar with anyone, layman or not.

I don't have the time to give you a good picture of humanity's true nature but I will tell you this: appeals to authority usually mean almost nothing, and I've never underestmated the ability for people to engage in and promote incomp

Re:

[gweihir]

Keep telling that to yourself, eventually you may believe it. Fact of the matter is that it is a complete waste of my time engaging with you. The defects in your design are obvious to anybody with in-depth experience. They are not obvious to you. I cannot fill in your lack of experience.

Re:

[Shane_Optima]

Hey, it looks like all of your friends around here think I'm wrong because they seem to think that "hash" means a single default invocation of whatever CLI version of sha they have lying around, without any regard whatsoever to the size of input and output.

Is that what you thought? Is your brain so ossified that you cannot conceive of the fact that, in the presence of input maximums (which all websites have with the password fields), it is in fact entirely possible to construct a hash algorithm that doe

Re:

[Shane_Optima]

Or is this a jargon issue? Am I wrong because I didn't say "key derivation function" instead of "hash"? I really don't care. I'm not even going to look it up on wikipedia; I've no desire to learn about the intricacies of your silly little DSL; I don't need to in order to understand that the incompetence of your industry is screwing over millions of people. You know my solution is entirely effective, because it does not decrease security (properly implemented) and unlike server-side stuff is it actually

Re:

[Stan92057]

well if he is clueless then prove it. saying hes clueless and not saying why is trollish IMO.

Re:

[Shane_Optima]

Yup. I just offered $1000 to the first person to prove me wrong on my main points here (with some caveats.) I mean it, too.

I'm not a security professional or even an IT professional; I just understand things. That unfortunately puts me at a disadvantage in these sorts of conversations. The world doesn't need more false modesty. I may not have used the precisely correct or most common terminology, or laid it out in exacting detail with every single sentence double-checked (because this was a 10 minute sla

Re:

[Shane_Optima]

Update: Half a dozen posts later and the best he can come up with is continually criticizing me for not having a CS degree and ten years of experience. A undisguised appeal to his alleged authority and insults... that is literally all he has.

Oh yes, there's that and he objected to me saying "cryptographically secure hashing" and in his very next post he disparaged me for not mentioning, by name, "iterated hashing" because according to him, non-iterated hashing is insecure. I'll let you connect the dots

Re:

[Stan92057]

Well i only seen this if hes following you just ignore or say put up or shut up not much else ya can do. I would have modded him flame bait or troll if i had mod points at the time i didn't so i commented. Too many trolls abuse this site anymore its a damn shame.

Re:

[Shane_Optima]

Nothing? No response at all? How's this then: $1000 to the first one to show how my primary claims here are wrong.

Before attempting this, please be sure to read all of my clarifications (particularly on the benefits this provides to weak vs. strong passphrases). No reward will be given for typos or any incorrect parsing of individual sentences.

Re:

[gweihir]

Hahahaha, funny. Offering a pittance (this will not even buy one of my days as an expert) and no assurance you will pay because, surprise!, you are the judge of what qualifies as proof and you already have demonstrated pretty bad judgment.

Re:

[Shane_Optima]

I'll put it to a slashdot vote. If they vote that you've rebutted the core of my argument (not quibbled over about individual sentences from a hastily written post that was never intended as a doctoral dissertation), you get the money.

Come on, you old-timer fraud. Put up or shut up. You're either too lazy to read what I've said in detail or you know I'm right and you're continuing on out of stubbornness.

Re:

[gweihir]

I just had a second look and realized you do not even seem to have heard about _iterated_ hashing, which is the standard for now > 40 years (UNIX-passwords started it, I think, and at that time they did not even have proper crypto-hashes). And that is already an outdated thing as it is considered not secure enough in an age where graphics-cards get ever more powerful. I am sure you have not heard of things like Argon2 (that fix iterated hashing) either.

So, seriously, how incompetent can you get? Talk abo

Re:

[Shane_Optima]

I proposed a fix for an existing problem. You said my fix was broken.

If you, the alleged professional, want to improve on my fix then I'm sure you could. That does not change the fact that my fix is in fact a fix that is objectively superior to the way these assholes are currently conducting things. And it doesn't change the fact that my fix is not actually broken, merely that it requires fleshing out.

And I never said it didn't. This was obviously a 5000 foot proof of concept thing that I literally bas

Re:

[Shane_Optima]

Also, as I stated in one of my early clarification posts, by "cryptographically secure hash" I was referring to the most secure hashing functions available regarding leakage or collisions. If the most secure hashing function is a form of iterated hashing than that's the one I was referring to.

This is like me criticizing someone for using a longhaired Chihuahua as an attack dog, and your response is that I'm a moron and my suggestion is "broken" because that's really a Pomeranian, not a Chihuahua. Congr

Re:

[Shane_Optima]

1. I explicitly said in multiple posts, including the original, that I did not care about protecting weak passwords. Protecting weak passwords is something that should be attempted, but requires something a lot more complicated than what I have outlined, which was implicitly and explicitly stated to NOT be a comprehensive. Any reduction in the number of accounts compromised is a win, because the effort to do this is so little.

2. I'm not sure if you're implying that your salted hash reduced entropy, but

Re:

[Shane_Optima]

No payment for fools who don't understand how to use hashes properly. In addition to the below objections, upon further consideration of your description of your experiment I've realized you've almost certainly hopelessly bungled your hash. You shouldn't have tons of collisions like that. A proper hashing algorithm will correctly utilize all of your input and you should produce (and save) output that significantly exceeds the size of the input.

This first occurred to me last night when I was debating ano

Re:

[Shane_Optima]

ecisively demonstrates your flawed understanding of the subject matter at hand

Blah blah blah. It merely proves I don't use your jargon, which is something I repeatedly admitted up front. I am fairly positive could design something utilizing SHA with zero collisions, given an aggregate storage space for output from the hashes that was significantly bigger than the maximum password size. This probably wouldn't be the most efficient way of doing things, and you probably have some other special word to refer to what I'm talking about ("key derivation function" ?), but I never claimed my

Re:

[Shane_Optima]

actually I suppose the kicker is avoiding information leakage and collisions at the same time, right? That may be slightly tricker. But the fact is I never said SHA, and even if the word "hash" is entirely inappropriate you and I both know that the properties I am describing are achievable. You probably even have a word for it; you're just having too much fun to come out and say it.

Re:

[Shane_Optima]

I need more peace and quiet than is available at the moment to be able to properly navigate through the literature for the bits I need. Conversing is usually easier than absorbing unless the literature is of exceptional quality. Is there any you care to recommend?

For the key, I'll get back to you on that tomorrow. I haven't used GPG in quite a while. These days, it's hard enough convincing people to even use OTR. I'm doing something decidedly less pleasant than network security at the moment and it wo

Re:

[Shane_Optima]

I disagree with the current state of discourse virtually everywhere, and on virtually every topic. Insularity of experts and alleged experts, in both technical and non-technical fields, is one of the most daunting challenges that modern civilization faces and (when I can find the time) it's something I intend to explore at length. Part of the issue is what I call "The Inverse Bike Shed Effect", although there are a lot of other factors involved here, many quite sordid.

One tragic consequence of all this

Re:

[Shane_Optima]

An ad hominem is not an 'attack'; it is an informal fallacy, and it is one I did not commit. You being a dick is a (tentative) conclusion, not a piece of supporting evidence used to reach some other conclusion.

And I'm probably unbearably arrogant. Not going to let that stop me. I find there is nothing LESS constructive in this world than slavish adherence to positive tones. Positive tones should follow positive content.

I'll get back to you with the key later tonight.

Re:

[Shane_Optima]

How about this: you tell me the word you know I'm referring to, and I'll go and replace "hash" with that word in every communication from now on.

A hash-like transform but without compression aspects. A "one way" transform that is very hard to reverse--toss a little RSA in here somewhere, I don't give a shit. The nuts and bolts of it wasn't the point; I implicitly and then later explicitly deferred that you people, the alleged experts too busy apologizing for gross incompetence to actually push for solut

Re:

[Shane_Optima]

Yes, because incompetent jackasses who refuse to provide any explanation whatsoever deserve +5 informative.

I've shot down every objection people have given, and I've convinced someone who has a CS Masters degree and experience with cryptography that my design (which was never asserted to be a comprehensive solution, just an easy and important improvement) is fundamentally sound and desirable.

Re:

[Shane_Optima]

Nice try, but you didn't invent serverside hashing. I was merely clarifying that this wasn't intended to replace server-side hashing. The role that server hashes have only partially overlaps with the role of client-side hashes.

You didn't point out a flaw in anything. I never said my scheme was comprehensive or meant to take the place of anything.

Even if it wasn't, its just a bad implementation of a problem solved in a much more elegant and secure manner elsewhere e.g. federated authentication.

Don't give a shit. Implement that, then. Some other guy said that Kerberos fixed the problems I was talking about--use that, then. I never claimed this to be mor

Re:

[Shane_Optima]

"Every thread" == two different threads, apparently.

The whole argument is just fundamentally flawed anyway. All it boils down to "I'm lazy and want to reuse the same password. I don't trust you to protect me from my own lazyness server-side so do it... client-side!" like its going to be some magic bullet of accountability/auditability or something...

Everybody is lazy. Password reuse will happen regardless of training. Our computers are powerful enough to make what I'm saying trivial to do in principle, particularly in places where HTTPS is already used. I do not think the laziness of devs and admins should trump the laziness of users. As a general principle, I think that computers should remove as much of the burden from users as possible. I think that people who believe that users everywhere should

Re:

[Shane_Optima]

I haven't had time yet to digest it in detail but it is indeed interesting.

The one valid criticism of my ideas are that they don't go far enough; the instant I read 'challenge-response' in the article title I said to myself "oh, well, that's going to be even better." I don't claim to be the final word in these matters; I don't do this shit for a living. That doesn't change the fact that my recommendations are dirt-simple, low overhead, powerful and require nothing extra from the user (although they shoul

Re:

[Shane_Optima]

P.S. As I noted elsewhere, you've probably hopelessly bungled your hash. You shouldn't have tons of collisions like that. A proper hashing algorithm will correctly utilize all of your input and you should produce (and save) output that significantly exceeds the size of the input.

This first occurred to me last night when I was debating another alleged expert cryptographer, who was eventually forced to concede all of my claims--you guys have a very limited understanding of how hashing can be used, their

Re:

[Shane_Optima]

oops, please ignore the below reply. I meant it for another AC post.

Re:

[Shane_Optima]

A comprehensive clarification of where I stand and what I claim can be found here: https://slashdot.org/comments.... [slashdot.org]

I don't doubt that this is well-tread ground. I never claimed to be an expert. So, whatever existing product there may be accomplishes the same basic goals as my scheme--use that instead. My overarching point is that he status quo is not acceptable and that some form of client-side hashing (or pseudo-hashing) must be present to mitigate the potential incompetence of people running the ser [slashdot.org]

Re:

[Shane_Optima]

C&P:

1. I explicitly said in multiple posts, including the original, that I did not care about protecting weak passwords. Protecting weak passwords is something that should be attempted, but requires something a lot more complicated than what I have outlined, which was implicitly and explicitly stated to NOT be a comprehensive. Any reduction in the number of accounts compromised is a win, because the effort to do this is so little.

2. I'm not sure if you're implying that your salted hash reduced e

Re:

[Shane_Optima]

C&P: No payment for fools who don't understand how to use hashes properly.

In addition to the below objections, upon further consideration of your description of your experiment I've realized you've almost certainly hopelessly bungled your hash. You shouldn't have tons of collisions like that. A proper hashing algorithm will correctly utilize all of your input and you should produce (and save) output that significantly exceeds the size of the input.

This first occurred to me last night when I was d

Re:

[Shane_Optima]

You're misusing terminology

Repeatedly conceded. I'm not a professional cryptographer.

your proposal is not backwards compatible (Javascriptless clients)

That's fine--all sites that work properly without javascript are exempt. OK? That still leaves us with 90%+ of the web, which does require JS. Also, I further specified that I'd prefer to see this as a browser function akin to HTTPS.

less effort would be needed from the coder by just doing security properly in the first place.

Unfortunately, we've seen repeated proof that you people cannot be trusted to do it properly on your end. With client-side hashing, strong pressure can be brought to bear on people who aren't using it, companies can p

Re:

[Shane_Optima]

https://slashdot.org/comments.... [slashdot.org] *Cannot* be trusted.

Re:

[Shane_Optima]

When you hash the password on the client, especially (and quite dangerously) if you're using a known and/or easily guessable salt, the hash you transmit to the server simply becomes a markedly weaker authentication token

Demonstrably untrue and indicative of someone who doesn't understand the first thing about hashing algorithms. I'm not saying you can dump it into a single iteration of your command line version of SHA and automagically get something that works. It has to be intelligently constructed, properly utilize all input, and produce output that significantly exceeds the size of the input. If the password field has a maximum, let the hash output be twice that size. Are you still going to argue that "markedly weaken

Re:

[Shane_Optima]

Upon further consideration: A single random server-provided salt is more desirable for the client-side hash since it does prevent the use of rainbow tables; however, I'm not particularly impressed since it's redundant with the random-salt server hash and the salt can be easily obtained by any attacker. The only significant advantage here is it prevents rainbow tables from be used in the case that client side hashing is present but server doesn't do any hashing... so, if you entirely agree with my philosophy

Excuses: Incompetence or Greed?

[Bob_Who]

I don't believe a word of it. If it were true, they would lie and say something else. Their only reason for announcing this is to manipulate the public opinion and to cover their corporate asses and branding. The fact is, if they announce a billion stolen passwords then I guess we no longer can accuse Yahoo of selling them, or the rest of the data mine that goes with it. And Verizon can't be blamed either, they never had control of the treasure. The timing of this announcement, to a degree of truthine

Easy

[Ol Olsoc]

How many mail accounts does Yahoo have?

That's how many were compromised.

Small Claims?

[charlie merritt]

IANAL, so, any around? How about a million small claims? Think Crypto Wars here: FBI's Comey said that they were waiting till next year for an "adult conversation about encryption" after collecting data this year. Collecting data? How 'bout a data point like: Poor Security = Enormous Financial Consequences. Fast. Did Yahoo encrypt everything, every connection? Could encrypting everything have been part of a comprehensive security plan? *I* didn't have a Yahoo account ;-) but if I did I think I just m

Re:Fuvking mayer again.

[JustAnotherOldGuy]

Anyone else pissed off that she can make 100's of millions of dollars just by sucking the right billionaires dick ?

I'm not so much pissed as jealous. I'm a straight guy, but I swear, find me someone who'll pay me 100's of millions of dollars for sucking a cock and you can consider it a done deal.