Skip to main content

Yahoo Introduces On-Demand Passwords

One of the big annoyances about using the Internet is remembering all those darn passwords. Many people avoid this headache by using the same password on each site. And as we've preached in the past, that's nothing but bad news, as hackers can gain access to all of your accounts if only one password is used throughout them all. Creating different passwords is a pain, we know, but necessary.

Yahoo seems to agree that multiple passwords can be a burden. To remedy this annoyance, the company revealed a new service that provides passwords on-demand. That's right: for Yahoo, at least, users will not need to remember a password to gain access to their account.

To set this up, Yahoo account holders must sign into their Yahoo.com account, click their name at the top-right corner of the main page, select "Account Security" in the left bar, and click the "Get Started" link. After that, users will need to verify their mobile number by entering a verification code sent to their smartphone (it takes a few minutes).

So how is this different than two-step authentication, which is also offered by Yahoo? With the two-step process, users must provide a password and then another password that's sent to the user's phone. In the case of Yahoo's new service, the only password that needs to be entered is the one sent via text. Once you've set up the on-demand service, that password you initially used to log into Yahoo is no longer needed.

Once the Yahoo user switches on the "on-demand" password feature, they will see a button on the Yahoo login page that will read "Send my password." Click this button, and users will receive a five-character password via text.

Obviously, this system is not as secure as two-step authentication because you're getting rid of one out of two passwords. Even more, this method relies on sending an SMS message to a smartphone. What happens if the user loses his/her phone? Hackers could quickly generate a password, gain access to the user's Yahoo account, and then mine any data in those emails, such as financial information or login credentials to other linked accounts. Then again, many two-step processes also depend on a smartphone and could face a similar hacking scenario.

"Anything which simplifies the login process is always potentially a good thing, though I'd personally choose two factor over so-called 'one factor' any day," said Chris Boyd, Malware Intelligence Analyst at Malwarebytes in an email to Tom's Hardware. "It remains to be seen how vulnerable to attack the service is, but it can only be a good thing that names known to millions in the technology field are thinking about different ways to revamp the password. Yahoo email is already good at detecting unusual login activity from new locations, alongside offering two factor auth[entication] and backup email accounts for identity verification. With these services enabled, Yahoo users will be about as secure as anybody else using free email services."

Should Yahoo customers use this new authentication system? For those who don't want to deal with a two-step authentication process, this new "on-demand" service is a better alternative to using just a single static password.

Follow Kevin Parrish @exfileme. Follow us @tomshardware, on Facebook and on Google+.

  • TechyInAZ
    Thumbs down on this one.

    When somebody get's their mail hacked from him/her exploiting a back door into this thing is when they would of probably wished they made their own PWs. Just sayin.
    Reply
  • drapacioli
    I don't see how this is any less secure anyway since most services these days will email or text you a temporary password if you claim to forget it anyway, so in theory this is no less secure than existing methods, but is far more convenient than remembering a few hundred passwords at once.
    Reply
  • Arabian Knight
    Why not just use the MacAddress as a secondary Password ? we all know Mac Addresses are unique ...

    Or maybe Yahoo sells usb dongles with unique pass on it ?
    Reply
  • triley
    Why not just use the MacAddress as a secondary Password ? we all know Mac Addresses are unique ...

    That's a horrible idea, MAC addresses don't route so the web server has no idea what your MAC address is. It is also trivially easy to get your MAC if you're using Wi-Fi, your phone is probably broadcasting to every access point it sees. You would need some mechanism to query your machine for its MAC which a malicious person just needs software to respond to that query with whatever MAC they wany.
    Reply
  • noxxy02
    I am sorry Yahoo, you cannot have my cell phone number
    Reply
  • f-14
    A) my phone is password protected, still 2 step authentication
    B) so prove you know my yahoo email address by telling me what it is, i don't check my yahoo email by my phone, IT'S A PHONE I'LL JUST CALL OR TEXT.
    C) i think it's really pathetic for any on to check their email on their phone unless they travel and are constantly on the go and can't charge their laptops. a 5 inch screen with 480 pixels is extremely bad for your eyes to be reading email, not even to mention trying to type on something where one finger covers 8 keys on touch.

    i whole heartedly agree with john connor tho, seems like a trick to sign up for robo calls and ads texted to you much like business fax lines get spammed.

    and drapacioli is dead on right. even battle net with the authenticator b.s. does this and the authenticators were 2 step that didn't do much to make it any more secure. there's always a hack for everything.
    Reply
  • Arabian Knight
    15498920 said:
    Why not just use the MacAddress as a secondary Password ? we all know Mac Addresses are unique ...

    That's a horrible idea, MAC addresses don't route so the web server has no idea what your MAC address is. It is also trivially easy to get your MAC if you're using Wi-Fi, your phone is probably broadcasting to every access point it sees. You would need some mechanism to query your machine for its MAC which a malicious person just needs software to respond to that query with whatever MAC they wany.

    This is not what I meant.,

    I meant that Yahoo would not accept any connection from any hardware that does not have that MAC ADDRESS . not to use it as a write in Password.,
    Reply
  • triley
    15498920 said:
    Why not just use the MacAddress as a secondary Password ? we all know Mac Addresses are unique ...

    That's a horrible idea, MAC addresses don't route so the web server has no idea what your MAC address is. It is also trivially easy to get your MAC if you're using Wi-Fi, your phone is probably broadcasting to every access point it sees. You would need some mechanism to query your machine for its MAC which a malicious person just needs software to respond to that query with whatever MAC they wany.

    This is not what I meant.,

    I meant that Yahoo would not accept any connection from any hardware that does not have that MAC ADDRESS . not to use it as a write in Password.,
    I know exactly what you meant, still a bad idea. MAC Addresses are not encapsulated within TCP/IP, meaning they are only used within your local subnet. A web server has no idea what your MAC Address is and there is no current mechanism for them to know. There are also currently techniques to easily spoof MAC Addresses making any network adapter appear as any other network adapter, they are currently used to bypass MAC filtering on routers or switches. Most home routers have the ability to clone MAC addresses in order to fool the ISP into thinking that your entire network is only the single machine that they approved.
    Reply
  • Arabian Knight
    15506053 said:
    15498920 said:
    Why not just use the MacAddress as a secondary Password ? we all know Mac Addresses are unique ...

    That's a horrible idea, MAC addresses don't route so the web server has no idea what your MAC address is. It is also trivially easy to get your MAC if you're using Wi-Fi, your phone is probably broadcasting to every access point it sees. You would need some mechanism to query your machine for its MAC which a malicious person just needs software to respond to that query with whatever MAC they wany.

    This is not what I meant.,

    I meant that Yahoo would not accept any connection from any hardware that does not have that MAC ADDRESS . not to use it as a write in Password.,
    I know exactly what you meant, still a bad idea. MAC Addresses are not encapsulated within TCP/IP, meaning they are only used within your local subnet. A web server has no idea what your MAC Address is and there is no current mechanism for them to know. There are also currently techniques to easily spoof MAC Addresses making any network adapter appear as any other network adapter, they are currently used to bypass MAC filtering on routers or switches. Most home routers have the ability to clone MAC addresses in order to fool the ISP into thinking that your entire network is only the single machine that they approved.


    lol I did not know that. who is the idiot who made it like this ? I thought that scientists are more clever than that.

    cant they build a technology secure enough ? it is easy if you put the rules before designing the hardware. but day after day I discover that the PC hardware/software is designed by fools. we need to redesign the whole internet and PC and operating system from scratch again and make a transition. we cant live into this circle of security holes and patches and bla bla , we need a new Secure System from ground up , not to fix issues with our system that is built on 1970's ideas.
    Reply
  • jrewolinski
    And sell your cell phone number to spammers too I bet.
    I would not trust Yahoo for anything. If you still use their services, STOP! Look at how many times their accounts have been compromised in the past...
    Reply