Clear security failings in Yahoo! password breach

Powered by SC Magazine
 

Leaving passwords in readable text is negligent.

The dumping of nearly half a million Yahoo! Voice credentials in clear text paints a bleak picture of password security.

If the dump is legitimate -- and there's a chance the anti-security hackers posted old or cobbled-together records -- it's a bad look for Yahoo!

According to some of the security folk now poring over the records, the hackers from d33ds.co used run-of-the-mill SQL injection to pinch the credentials from a smaller server.

That's enough to make many shrug their shoulders, given injection has been a mainstay of OWASP's Top 10 for years.
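To show what "run-of-the-mill SQL injection" means against a table of this shape, here is an added example (not d33ds' technique, not Yahoo!'s code) run against an in-memory SQLite table. The table layout, the sample rows and the lookup functions are assumptions constructed for the illustration; the payload is the textbook always-true condition.

```python
import sqlite3

# Constructed sample rows; the clear-text password column mirrors the form of
# the dump the article describes, but every value here is made up.
SAMPLE_USERS = [
    ("alice@example.edu", "summer2012"),
    ("bob@example.gov", "hunter2"),
    ("carol@example.mil", "letmein"),
]

# Payload: closes the quoted literal and appends an always-true condition, so
# the WHERE clause matches every row instead of one.
INJECTION = "' OR '1'='1"


def build_db():
    """In-memory SQLite stand-in for a breached user table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """Attacker-controlled text is spliced into the SQL and parsed as SQL."""
    query = "SELECT email, password FROM users WHERE email = '%s'" % email
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """The value is bound as a parameter; the SQL text itself never changes."""
    return conn.execute(
        "SELECT email, password FROM users WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()
    print(lookup_vulnerable(conn, INJECTION))  # every row, passwords included
    print(lookup_safe(conn, INJECTION))        # [] - no such email address
```

With the vulnerable lookup, one crafted input returns the whole table, and because the password column is clear text the attacker walks away with usable credentials rather than hashes to crack. The parameterised version treats the same input as a (non-existent) email address and returns nothing.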

But no company could be forgiven for storing so many records in a format as exposed as clear text.

Password hashing is standard security fare, and by now every password entrusted to an organisation worth its salt should be, well, salted: run through a slow, purpose-built hash with a random per-user salt, not stored in the clear, and not merely encrypted with a key that sits on the same server.
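What "salted" looks like in practice, as an added example rather than anything from the article or from Yahoo!: a small Python module that converts a constructed clear-text credential table into salted PBKDF2-HMAC-SHA256 records and verifies logins against them. The iteration count, salt size and record format are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the article): a work factor in
# the hundreds of thousands of PBKDF2-HMAC-SHA256 rounds and a 16-byte salt.
ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed stand-in for a clear-text credential table of the kind the
# article describes; addresses and passwords are made up.
CLEAR_TEXT_TABLE = {
    "alice@example.edu": "summer2012",
    "bob@example.gov": "summer2012",
    "carol@example.mil": "hunter2",
}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate(clear_text_table, iterations=ITERATIONS):
    """Replace every clear-text password with a salted hash record."""
    return {user: hash_password(pw, iterations=iterations)
            for user, pw in clear_text_table.items()}


if __name__ == "__main__":
    hashed = migrate(CLEAR_TEXT_TABLE)
    for user, record in hashed.items():
        print(user, record)
    # alice and bob share a password, but their records differ because the
    # salts differ: cracking one reveals nothing about the other, and no
    # precomputed table covers both.
    assert hashed["alice@example.edu"] != hashed["bob@example.gov"]
    assert verify_password("summer2012", hashed["alice@example.edu"])
    assert not verify_password("Summer2012", hashed["alice@example.edu"])
```

Storing the iteration count inside each record lets the cost be raised later for new or re-hashed passwords without breaking verification of older ones, and `hmac.compare_digest` avoids leaking how many bytes of the hash matched through timing.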

An organisation accepts a lot of responsibility when it asks users to sign up, not least because password reuse is common and will remain so for a long time.

Users will also sign up using corporate email domains that may be sensitive, placing their organisations at a heightened risk.

Just look at those in the Yahoo! dump: there were 1870 *.edu domains, 93 *.gov and 81 pertaining to *.mil.

Local victims include a police prosecutor, a state treasury bureaucrat, an ambulance officer and a decent representation of members of Australia's education system.

All are potential candy for social engineers.

Hacktivists have long demonstrated that it's time for security benchmarks to be lifted. Anyone can be breached, but with passwords properly hashed and salted, everyone can minimise the impact.

Copyright © SC Magazine, Australia