Yahoo Introduces On-Demand Passwords

One of the big annoyances about using the Internet is remembering all those darn passwords. Many people avoid this headache by using the same password on each site. And as we've preached in the past, that's nothing but bad news, because a hacker who obtains that one password can gain access to all of your accounts. Creating different passwords is a pain, we know, but necessary.

Yahoo seems to agree that multiple passwords can be a burden. To remedy this annoyance, the company revealed a new service that provides passwords on-demand. That's right: for Yahoo, at least, users will not need to remember a password to gain access to their account.

To set this up, Yahoo account holders must sign in to their Yahoo.com account, click their name at the top-right corner of the main page, select "Account Security" in the left bar, and click the "Get Started" link. After that, users will need to verify their mobile number by entering a verification code sent to their smartphone (it takes a few minutes).

So how is this different from two-step authentication, which is also offered by Yahoo? With the two-step process, users must provide a password and then another password that's sent to the user's phone. In the case of Yahoo's new service, the only password that needs to be entered is the one sent via text. Once you've set up the on-demand service, the password you initially used to log into Yahoo is no longer needed.

Once the Yahoo user switches on the "on-demand" password feature, they will see a button on the Yahoo login page that will read "Send my password." Click this button, and users will receive a five-character password via text.
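Because the texted code is the only credential in this scheme, the service side has to keep it short-lived, single-use and limited to a small number of guesses. The sketch below is an added example, not Yahoo's code: the alphabet, lifetime, attempt limit and the `OnDemandCodes` class are assumptions, and only the five-character length comes from the article.

```python
import hmac
import secrets
import time

ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # assumption: article gives no alphabet
CODE_LEN = 5                             # from the article
TTL_SECONDS = 300                        # assumption
MAX_ATTEMPTS = 5                         # assumption


def keyspace() -> int:
    """Number of possible codes for the assumed alphabet."""
    return len(ALPHABET) ** CODE_LEN


def guess_probability(attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that `attempts` distinct guesses hit one live code."""
    return min(attempts, keyspace()) / keyspace()


class OnDemandCodes:
    """In-memory issuer/verifier; a real service would persist this state."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> [code, expires_at, attempts_left]

    def issue(self, account: str) -> str:
        """Create a fresh code, invalidating any earlier one for the account."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self._pending[account] = [code, self._clock() + TTL_SECONDS, MAX_ATTEMPTS]
        return code  # handed to the SMS gateway, never shown on the web page

    def verify(self, account: str, submitted: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[account]  # expired
            return False
        entry[2] -= 1  # count the attempt before comparing
        ok = hmac.compare_digest(code.encode(), submitted.encode())
        if ok or entry[2] == 0:
            del self._pending[account]  # single use, or guess budget spent
        return ok
```

With these assumed values there are 11,881,376 possible codes, so the attempt limit and expiry, not the code length, carry most of the protection against guessing.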

Obviously, this system is not as secure as two-step authentication because you're getting rid of one out of two passwords. Even more, this method relies on sending an SMS message to a smartphone. What happens if the user loses their phone? Hackers could quickly generate a password, gain access to the user's Yahoo account, and then mine any data in those emails, such as financial information or login credentials to other linked accounts. Then again, many two-step processes also depend on a smartphone and could face a similar hacking scenario.

"Anything which simplifies the login process is always potentially a good thing, though I'd personally choose two factor over so-called 'one factor' any day," said Chris Boyd, Malware Intelligence Analyst at Malwarebytes, in an email to Tom's Hardware. "It remains to be seen how vulnerable to attack the service is, but it can only be a good thing that names known to millions in the technology field are thinking about different ways to revamp the password. Yahoo email is already good at detecting unusual login activity from new locations, alongside offering two factor auth[entication] and backup email accounts for identity verification. With these services enabled, Yahoo users will be about as secure as anybody else using free email services."

Should Yahoo customers use this new authentication system? For those who don't want to deal with a two-step authentication process, this new "on-demand" service is a better alternative to using just a single static password.

Follow Kevin Parrish @exfileme.