I can't remember the last time I've needed to answer security questions for that unless I was trying to recover an account without an email, except maybe with online banking.

Someone might be 'recovering' your account right now... :) And, if you answered the questions honestly, it might be your bank account. Nice, huh? (The point is that 'security questions' pretty much undo any security they might have put in place. They are essentially a low-tech back-door.)

Also, you're proposing everyone use a separate password for every site, so now they have to keep track of all those passwords somehow. If they put them in some password manager, they're back to the issue of trusting all their credentials in one place. And now that's increasing the chance of non-tech-savvy users doing something like keeping them in an unencrypted text file.

It's just not an issue with a password manager; in fact, it keeps things more secure and is so much easier. That said, yes, you have to pick a good one like PasswordWallet by Selznick or maybe 1Password (non-cloud version).

I get what you're saying about non-tech-savvy... but if they don't get tech-savvy enough to use a password manager and some basic common sense, they probably shouldn't be using tech in the first place. If you think they are in trouble now... wait a few years.
 
Someone might be 'recovering' your account right now... :) And, if you answered the questions honestly, it might be your bank account. Nice, huh? (The point is that 'security questions' pretty much undo any security they might have put in place. They are essentially a low-tech back-door.)
Yes, it's annoying and totally counterintuitive that I have to put "to48ry9iofjdsf" as my dog's name.

It's just not an issue with a password manager; in fact, it keeps things more secure and is so much easier. That said, yes, you have to pick a good one like PasswordWallet by Selznick or maybe 1Password (non-cloud version).

I get what you're saying about non-tech-savvy... but if they don't get tech-savvy enough to use a password manager and some basic common sense, they probably shouldn't be using tech in the first place. If you think they are in trouble now... wait a few years.
The thing is, this is most people in the world, so it's the other way around: If they can't make security usable by the average user, they shouldn't be making tech in the first place. Also, even for experts, it's a waste of time to have to research how to use front-end services.
 
Database administrators take note: Take extraordinary precautions to protect all the personal info entrusted to you, or you shall be held accountable in a court of law for any breaches of confidential customer data.
Sickens me when I consult other companies' data management and see that their databases are plain text, except for the password. Truly feel sick to my stomach.

At a minimum, encrypt everything except the UUID or suffer the consequences.
You will have a data breach.
Someone might be 'recovering' your account right now... :) And, if you answered the questions honestly, it might be your bank account. Nice, huh? (The point is that 'security questions' pretty much undo any security they might have put in place. They are essentially a low-tech back-door.)
Completely agree. Argued wholeheartedly against it for a company and yet they went ahead with security questions.
1) What is your home town?
Let me guess, how about here in metropolis.
2) What high school did you graduate from?
Ummm, only two or three nearby; pretty much anyone can guess these and bypass your 'security'.
 
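The two questions above have only a handful of plausible answers, and that is the whole problem: the answer space is tiny, so it does not matter how carefully the answer is stored. The following Go program is an added illustration (not code from anyone in this thread); the candidate list of high schools is constructed and the names are made up. It stores the answer the way a typical site would (normalized, salted, hashed) and then shows that an attacker who knows the victim's town finds the honest answer in a few guesses, while a random-string answer, as suggested earlier in the thread, is not in any list the attacker can build.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// normalize folds an answer the way a typical recovery form does, so
// "Lincoln High School", "lincoln high school" and "Lincoln  High School"
// all compare equal. Normalization is friendly to users and shrinks the
// answer space even further for the attacker.
func normalize(answer string) string {
	return strings.ToLower(strings.Join(strings.Fields(answer), " "))
}

// storeAnswer returns a salted SHA-256 digest of the normalized answer.
// (A real system should use a slow hash such as Argon2 or scrypt; SHA-256
// is used here only because it is in the standard library and the point
// of the example is the size of the answer space, not the hash speed.)
func storeAnswer(answer string, salt []byte) string {
	h := sha256.Sum256(append(append([]byte{}, salt...), normalize(answer)...))
	return hex.EncodeToString(h[:])
}

// guessAnswer simulates an attacker who has the stored hash and salt
// (for example from a leaked database) and tries each plausible answer.
// It returns the number of guesses needed, or -1 if the answer is not in
// the candidate list.
func guessAnswer(stored string, salt []byte, candidates []string) int {
	for i, c := range candidates {
		if storeAnswer(c, salt) == stored {
			return i + 1
		}
	}
	return -1
}

// Constructed candidate list: the handful of high schools an attacker would
// find for a mid-sized town with one web search. The names are made up.
var localHighSchools = []string{
	"Metropolis High School",
	"Lincoln High School",
	"Riverside High School",
	"Washington High School",
}

func randomSalt() []byte {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return salt
}

func main() {
	salt := randomSalt()

	// Honest answer: found within four guesses even though it is salted and hashed.
	honest := storeAnswer("lincoln high school", salt)
	fmt.Println("honest answer found after guesses:", guessAnswer(honest, salt, localHighSchools))

	// Random answer (the "to48ry9iofjdsf as my dog's name" approach): not in any list.
	random := storeAnswer("to48ry9iofjdsf", salt)
	fmt.Println("random answer found after guesses:", guessAnswer(random, salt, localHighSchools))
}
```

The salt and hash only stop an attacker from cracking many accounts with one table; they do nothing against a per-account search over four candidates. Online rate limiting helps only until the hashes leak, which is the scenario the database posts below are about.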
The thing is, this is most people in the world, so it's the other way around: If they can't make security usable by the average user, they shouldn't be making tech in the first place. Also, even for experts, it's a waste of time to have to research how to use front-end services.

I sort of agree from a UX standpoint, though I'm not sure what the alternative is, and it can only be made so simple, at some point. (Maybe an education campaign on password managers, and strong recommendation of a few good ones... that's what I've been trying to do. Plus, there are other benefits, as I keep other useful info in that that it's handy to have with me.)

But, a lot of these insecure systems are designed that way as lazy ways to 'optimize' the workload for the companies. Getting your account unlocked, if you've lost your password, etc. should take a bit of work to resolve, not a simple 'security question.'

Sickens me when I consult other companies' data management and see that their databases are plain text, except for the password. Truly feel sick to my stomach.

And, then there's Equifax who was even using 'admin' and 'admin' defaults on some of their systems. :eek:
 
Sickens me when I consult other companies' data management and see that their databases are plain text, except for the password. Truly feel sick to my stomach.

At a minimum, encrypt everything except the UUID or suffer the consequences.
You will have a data breach.
There's a lot of recent work on fully encrypted databases, even a PostgreSQL modification called CryptDB*. Hopefully those people will start at least using that. Better yet, hand them a SaaS database that's encrypted on Amazon/whoever's end.

* still not 100% safe if you care about attackers knowing the ordering of your data
Completely agree. Argued wholeheartedly against it for a company and yet they went ahead with security questions.
1) What is your home town?
Let me guess, how about here in metropolis.
2) What high school did you graduate from?
Ummm, only two or three nearby; pretty much anyone can guess these and bypass your 'security'.
Sarah Palin's Yahoo! account was compromised this way in 2008 by a regular guy, no hacking necessary. It sucks, worst form of security ever.

Even iCloud used to allow recovery purely with security questions! And they claimed our data was end-to-end encrypted, so I wonder how I didn't lose my data when I did that. Like, what, did my security questions also form a private key for a backup of my data?
 
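The footnote above about attackers learning the ordering of the data is the known weakness of order-preserving encryption, which is what lets a CryptDB-style proxy keep sorting and range queries working on encrypted columns. The program below is an added illustration, not CryptDB's code or anything from this thread: a toy stateful order-preserving scheme (each distinct plaintext gets a random but monotonically increasing ciphertext), followed by the attacker's side, the "sorting attack" described by Naveed, Kamara and Wright at CCS 2015. The sample column (ages of twelve rows) is constructed; the attacker is assumed to know only the ciphertexts and the range the column can take.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"sort"
)

// opeTable is a toy stateful order-preserving encryption: every distinct
// plaintext gets a random ciphertext, chosen so that p1 < p2 implies
// ct(p1) < ct(p2). Real OPE schemes are more elaborate, but any scheme that
// lets the database sort encrypted values leaks exactly this: the order.
type opeTable struct {
	enc map[int]uint64
	dec map[uint64]int
}

// newOPE builds the table for the set of plaintexts that will be stored.
func newOPE(plaintexts []int) *opeTable {
	distinct := map[int]bool{}
	for _, p := range plaintexts {
		distinct[p] = true
	}
	sorted := make([]int, 0, len(distinct))
	for p := range distinct {
		sorted = append(sorted, p)
	}
	sort.Ints(sorted)

	t := &opeTable{enc: map[int]uint64{}, dec: map[uint64]int{}}
	var last uint64
	for _, p := range sorted {
		gap, err := rand.Int(rand.Reader, big.NewInt(1<<20))
		if err != nil {
			panic(err)
		}
		last += gap.Uint64() + 1 // strictly increasing, random spacing
		t.enc[p] = last
		t.dec[last] = p
	}
	return t
}

func (t *opeTable) Encrypt(p int) uint64 { return t.enc[p] }
func (t *opeTable) Decrypt(c uint64) int { return t.dec[c] }

// sortingAttack is the attacker's side. It sees only the ciphertext column
// and knows (from public knowledge of the application) the range of values
// the column can take. If every value in that range occurs in the column,
// the i-th smallest ciphertext must be the i-th smallest domain value, and
// the whole column is recovered without any key.
func sortingAttack(ciphertexts []uint64, domainMin, domainMax int) map[uint64]int {
	distinct := map[uint64]bool{}
	for _, c := range ciphertexts {
		distinct[c] = true
	}
	sorted := make([]uint64, 0, len(distinct))
	for c := range distinct {
		sorted = append(sorted, c)
	}
	sort.Slice(sorted, func(i, j int) bool { return sorted[i] < sorted[j] })

	guess := map[uint64]int{}
	if len(sorted) != domainMax-domainMin+1 {
		return guess // column is not dense; the plain sorting attack does not apply
	}
	for i, c := range sorted {
		guess[c] = domainMin + i
	}
	return guess
}

// recoveredFraction encrypts a column, runs the attack on the ciphertexts
// alone, and reports the fraction of rows the attacker decrypts correctly.
func recoveredFraction(column []int, domainMin, domainMax int) float64 {
	t := newOPE(column)
	cts := make([]uint64, len(column))
	for i, p := range column {
		cts[i] = t.Encrypt(p)
	}
	guess := sortingAttack(cts, domainMin, domainMax)
	correct := 0
	for i, c := range cts {
		if guess[c] == column[i] {
			correct++
		}
	}
	return float64(correct) / float64(len(column))
}

// Constructed sample column: an "age" field for 12 rows where every age
// from 18 to 23 occurs at least once (a "dense" column).
var sampleAges = []int{21, 18, 23, 19, 22, 20, 21, 18, 23, 20, 19, 22}

func main() {
	fmt.Printf("rows recovered by the attacker: %.0f%%\n", 100*recoveredFraction(sampleAges, 18, 23))
}
```

The attack needs no key and no weakness in the cipher; it uses only the property the database was given on purpose. Columns that are not dense resist this simplest form, but the same paper shows that frequency and auxiliary data close most of that gap, which is why "encrypted on Amazon's end" with a real random-key cipher (see the field-encryption example later in the thread) is a different security claim from an order-preserving scheme.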
* still not 100% safe if you care about attackers knowing the ordering of your data
I keep the UUID so I can decrypt databases I create if needed; total loss recovery, for example. The UUIDs are non-sequential; order cannot be gleaned.

Still a huge time killer, just to decrypt a single row, if the source key was lost. Sure, bad guys could do the same to generate the source key, with enough time. Nothing is 100% defensible; the goal is to make the door stronger to allow us the time to hear the knocking and mitigate an incursion with nonsensical data, etc.
 
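Both the "encrypt everything except the UUID" advice and the post above about keeping the UUID describe per-row field encryption with the row identifier left in the clear. The program below is an added example of how to do that with standard primitives, not code from either poster. It assumes a master key held outside the database (constructed here), derives a distinct AES-256-GCM key per row with an HKDF-SHA256 written by hand on top of crypto/hmac, and binds each ciphertext to its UUID and column name as authenticated additional data, so a ciphertext copied into another row or column fails to decrypt rather than silently succeeding. In this design the UUID alone recovers nothing; it selects the per-row key only together with the master key. The row UUID and e-mail value are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// hkdfSHA256 derives a 32-byte key from a master key and a context string
// (RFC 5869 extract-then-expand, one expand block). Implemented with
// crypto/hmac so the example needs only the standard library.
func hkdfSHA256(master, salt []byte, info string) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(master)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte(info))
	expand.Write([]byte{1}) // block counter for T(1)
	return expand.Sum(nil)  // 32 bytes: one SHA-256 block of output
}

// rowKey derives a distinct AES-256 key for each row from the plaintext
// UUID, so one row's key is useless against any other row and the master
// key itself never touches the database.
func rowKey(master []byte, uuid string) []byte {
	return hkdfSHA256(master, []byte("field-encryption-v1"), "row:"+uuid)
}

// encryptField seals one column value as nonce || ciphertext || tag.
// UUID and column name go in as AEAD additional data.
func encryptField(master []byte, uuid, column string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(rowKey(master, uuid))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := []byte(uuid + "|" + column)
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// decryptField reverses encryptField; it returns an error on any tampering
// with the bytes or any mismatch of UUID or column.
func decryptField(master []byte, uuid, column string, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(rowKey(master, uuid))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(uuid+"|"+column))
}

func main() {
	master := make([]byte, 32) // in practice: from a KMS or HSM, never stored with the data
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	// Constructed row: the UUID stays in the clear, every other column is sealed.
	uuid := "3f1c2a9e-7b4d-4e88-9a1b-5c6d7e8f9a0b"
	ct, err := encryptField(master, uuid, "email", []byte("alice@example.com"))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", hex.EncodeToString(ct))

	pt, err := decryptField(master, uuid, "email", ct)
	fmt.Println("decrypted:", string(pt), err)

	// Same ciphertext moved under another row's UUID: authentication fails.
	_, err = decryptField(master, "00000000-0000-4000-8000-000000000000", "email", ct)
	fmt.Println("moved to another row:", err)
}
```

Because the per-row key is derived rather than stored, there is no key table to leak alongside the data, and rotating the master key means re-encrypting rows, not re-keying a key store. Equality and range queries on sealed columns are not possible with this scheme; that is the price of not using the order-preserving approach discussed earlier.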