[18659] in bugtraq


Re: Yahoo! Instant Messenger

daemon@ATHENA.MIT.EDU (Josh Higham)
Wed Jan 17 12:05:40 2001

MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID:  <01ed01c0801c$09cad020$3ceefcce@adhara.bigsky.net>
Date:         Tue, 16 Jan 2001 17:25:47 -0700
Reply-To: Josh Higham <bugtraq@BIGSKY.NET>
From: Josh Higham <bugtraq@BIGSKY.NET>
X-To:         Matthew Keller <kellermg@POTSDAM.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM

From: Matthew Keller <kellermg@POTSDAM.EDU>

>"Michael S. Fischer" wrote:
>> The third statement of this paragraph is untrue -- Almost every transaction
>> at Yahoo! involving money uses the Yahoo! wallet system, which uses a
>> separate password from the one used by YIM and the other "standard"
>> (non-financial) services.
>
> You're assuming that the person who holds both a YIM account and a
> Wallet account uses a different password. I'd be willing to wager that
> near five-9's of the YIM/wallet users use the same account name and
> password, thus making any disclosure of their password a problem.

That's the first thing I looked at.  Yahoo doesn't allow the passwords to be
the same (plus some other restrictions) -- I didn't actually _check_ this,
just went to the form at wallet.yahoo.com where it asks for your personal
info, and that was listed as a restriction.  However, I will agree that most
users will simply tack on an extra character, or something similar, so this
does still present a weakness.

It's pretty cool that Yahoo takes this stance on passwords, I think that
possibly searching for substrings also might be a good idea (put a big red
warning up if a 3+ character sequence matches their 'insecure' password),
but the fact remains that users will be annoyed, and they will always find a
way to choose the least secure password possible.

Josh

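The check Josh sketches (reject a wallet password that merely extends the messaging password, and warn when the two share a 3+ character sequence) is easy to implement, and the following is an added example of it, not code from Yahoo or from anyone in this thread. The rule set is assumed: the shared-substring threshold of 3 characters comes from the message above, while folding case before comparing and treating prefix/suffix extensions as a hard reject are choices made here. All sample password pairs are constructed for illustration.

```python
"""
Illustrative "similar password" policy check for a second (financial)
password, written as an added example for the thread above; not Yahoo's
actual policy code. Thresholds and case folding are assumptions.
"""
from typing import List


def longest_common_substring(a: str, b: str) -> str:
    """Return the longest substring present in both strings (classic DP)."""
    best_end, best_len = 0, 0
    # prev[j] = length of the common suffix of a[:i-1] and b[:j]
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def check_wallet_password(wallet_pw: str, messaging_pw: str,
                          min_shared: int = 3) -> List[str]:
    """Return policy findings for the pair; an empty list means it is acceptable.

    Comparison is case-insensitive (assumption) so 'Secret1' vs 'secret1'
    is still caught. Findings are prefixed "reject:" or "warn:" so a caller
    can decide which ones block the form and which only show the big red
    warning the thread proposes.
    """
    w, m = wallet_pw.lower(), messaging_pw.lower()
    findings = []
    if w == m:
        findings.append("reject: wallet password identical to messaging password")
        return findings
    # The "tack on an extra character" case: one password is the other plus padding.
    if w.startswith(m) or w.endswith(m) or m.startswith(w) or m.endswith(w):
        findings.append("reject: one password is the other with characters added or removed")
    shared = longest_common_substring(w, m)
    if len(shared) >= min_shared:
        findings.append(f"warn: passwords share the {len(shared)}-character sequence {shared!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    pairs = [("hunter2", "hunter2"), ("hunter2!", "hunter2"),
             ("myhunter", "hunter2"), ("correcthorse", "batterystaple")]
    for wallet, yim in pairs:
        print(f"{wallet!r} vs {yim!r}: {check_wallet_password(wallet, yim) or 'ok'}")
```

The longest-common-substring pass is what catches the case Josh worries about: "hunter2!" is rejected outright as an extension of "hunter2", and "myhunter" is not an extension but still shares the six-character run "hunter", so it gets the warning. Note that this only compares against the one password the site already holds; it says nothing about whether the user reused either password on some third site, which is the reuse problem Matthew Keller raises.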