Bugtraq mailing list archives
Re: Yahoo! Instant Messenger
From: Josh Higham <bugtraq () BIGSKY NET>
Date: Tue, 16 Jan 2001 17:25:47 -0700
> From: Matthew Keller <kellermg () POTSDAM EDU>
>
> "Michael S. Fischer" wrote:
> > The third statement of this paragraph is untrue -- Almost every transaction
> > at Yahoo! involving money uses the Yahoo! wallet system, which uses a
> > separate password from the one used by YIM and the other "standard"
> > (non-financial) services.
>
> You're assuming that the person who holds both a YIM account and a Wallet
> account uses a different password. I'd be willing to wager that near
> five-9's of the YIM/wallet users use the same account name and password,
> thus making any disclosure of their password a problem.
That's the first thing I looked at. Yahoo doesn't allow the passwords to be the same (plus some other restrictions) -- I didn't actually _check_ this, just went to the form at wallet.yahoo.com where it asks for your personal info, and that was listed as a restriction. However, I will agree that most users will simply tack on an extra character, or something similar, so this does still present a weakness. It's pretty cool that Yahoo takes this stance on passwords, I think that possibly searching for substrings also might be a good idea (put a big red warning up if a 3+ character sequence matches their 'insecure' password), but the fact remains that users will be annoyed, and they will always find a way to choose the least secure password possible.

Josh
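The policy Josh sketches above (reject an identical financial password, and flag one that merely tacks characters onto the standard one or shares a 3+ character run with it) can be checked at the password-change form like this. This is an added illustration, not Yahoo's code or rules; the thresholds and the reject/warn split are assumptions modelled on the thread.

```python
from __future__ import annotations

# Assumption taken from the post: a shared run of 3 or more characters is
# enough to raise the "big red warning".
MIN_SHARED_RUN = 3


def shared_runs(a: str, b: str, min_len: int = MIN_SHARED_RUN) -> set:
    """Every substring of length >= min_len that occurs in both strings.

    Comparison is case-insensitive so 'Secret1' vs 'secret12' still overlaps.
    """
    a, b = a.lower(), b.lower()
    found = set()
    for i in range(len(a) - min_len + 1):
        for j in range(i + min_len, len(a) + 1):
            if a[i:j] in b:
                found.add(a[i:j])
    return found


def longest_shared_run(a: str, b: str) -> str:
    """Longest common run of MIN_SHARED_RUN+ characters, or '' if none."""
    runs = shared_runs(a, b)
    return max(runs, key=len) if runs else ""


def check_wallet_password(standard_pw: str, wallet_pw: str) -> tuple:
    """Compare a candidate financial password against the user's standard one.

    Returns (verdict, reason) with verdict in {"reject", "warn", "ok"}.
    Only an exact match is rejected; the rest is the advisory warning
    suggested in the thread (hypothetical policy, not Yahoo's).
    """
    s, w = standard_pw.lower(), wallet_pw.lower()
    if s == w:
        return "reject", "financial password must differ from the standard one"
    # "tack on an extra character" case: one password is the other plus
    # a prefix or suffix
    if w.startswith(s) or w.endswith(s) or s.startswith(w) or s.endswith(w):
        return "warn", "wallet password is the standard password with characters added or removed"
    run = longest_shared_run(standard_pw, wallet_pw)
    if run:
        return "warn", f"passwords share the {len(run)}-character sequence {run!r}"
    return "ok", "passwords are unrelated"


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for pair in [("hunter2", "hunter2"), ("hunter2", "hunter2!"),
                 ("hunter2", "myhunter"), ("hunter2", "correcthorse")]:
        print(pair, "->", check_wallet_password(*pair))
```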