Yahoo Voice Hack nets 450k passwords

A hacking crew D33D posted the results file of a Yahoo hack containing 450 thousand email addresses and passwords.   The hack is believed to be a SQL injection attack performed on a Yahoo Voices server.   The hackers claim this is but one of many security flaws in Yahoo’s services.

Yahoo reports that this is an old file and less than 5% of the passwords are still valid.   Why would old authentication files be sitting on the Internet.   Yahoo must have an issue removing servers from the network when no longer needed.   I do find it hard to believe 95% of people changed their password.   I bet they just don’t use Yahoo Voices anymore might find that username and password valid elsewhere.

A number of articles and blog posts say “the most alarming part is the passwords were stored unencrypted.”   Not to be pedantic, but that is a bit of a misnomer.   Passwords should be protected by cryptographic hashes.   A hash is a one way function.  The password is rendered into a string of a set length.   Authentication occurs by comparing the hash of the supplied password to the stored hash.   If the hash is stolen, identifying the original password can only occur through guessing.

Encryption on the other hand is designed to be reversed.   With symmetric encryption a key is used to encrypt and decrypt the data.   The application needs to know the encryption key to run.   The real original password is known.   It’s a bad idea to encrypt passwords instead of hashing them.

I could be wrong, but isn’t it possible the hacker used SQL injection and asked the database for the password, and the database dutifully then served it up.   So the password could have been encrypted but still accessible.   So the charge of storing passwords in plain text could be wrong.    Many websites do store your passwords in plain text.   If you’ve ever signed up for an account and they mail you the password you just set on the account, it is stored in plain text.   If you’ve ever submitted a lost password request and they mail you the password, it is stored in clear text.

The website should not know your password.   But when writing, particularly for technical audiences, it is not correct to say the password should be encrypted.   It should be hashed.   And it shouldn’t be hashed with SHA1 or MD5.   A hash designed for securely storing passwords, like bcrypt, should be used.  SHA1 is designed for file encryption.   For performance it needs to return an answer quickly.   You want to slow down people bruteforce guessing your stolen password hashes.   So either use a tool for that purpose or make them SHA1 many (1000) times.