Attorney General Kamala D. Harris Advises Consumers to Strengthen Password Practices In Wake of Yahoo Breach

Thursday, September 29, 2016
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO – Attorney General Kamala D. Harris is advising Californians to secure passwords connected to online accounts in light of the Yahoo breach announced last week. The company confirmed an incident that may have exposed the personal information of at least six million California users.  The information compromised in this breach included passwords, names, email addresses, telephone numbers, dates of birth, and encrypted or unencrypted security questions and answers.

Not only Yahoo Mail account holders are at risk: users of Yahoo Fantasy Sports, Yahoo Finance, Flickr, Tumblr, and other services under the Yahoo umbrella are at risk as well. Anyone who has ever had a Yahoo-related account, even one created many years ago, should change its password and security questions.

The Attorney General offers the following tips to all Californians who may have been affected by the Yahoo breach:

Change Yahoo Passwords Now. If you use the same or similar password for other online accounts and platforms, change those too.

Refresh Password Routines  

  • Do not cycle through the same few passwords again and again; change them periodically.
  • Always use a different password for each account.
  • Use at least eight characters, and mix in letters, numbers, and symbols (for example: $+r0^gh@h@). Longer is better. A password manager, discussed below, can keep track of all of them for you.
  • Never build passwords from material you share on social media. This includes pet names, schools, favorite songs, and children's names.

Try Password Managers or "Safes.” Password managers are software programs that generate a different, random, strong password for each of your accounts and store them securely. You only have to remember one password (or passphrase) to open the safe. Free options include KeePass (for Windows, OS X, Linux, Android and iOS), Password Safe (Microsoft Windows), and Keychain (for Mac). Many browsers also have built-in password managers.

Protect password managers with a passphrase that you can memorize and that is still hard to crack (like seventeenbluequicklypacifier). But do not use a phrase that has appeared anywhere publicly - such as seventeenbluequicklypacifier (now that it has been posted here!)
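As an added illustration of the two pieces of advice above (a mixed-character password of at least eight characters, and a memorable passphrase to lock the manager), the following Python script is not from the Attorney General's office or from any password manager. It generates both kinds of secret with the operating system's cryptographic random source and compares their strength; the short word list and the guessing rate are constructed for the example.

```python
import math
import secrets
import string

# Alphabet behind the "mix in letters, numbers, and symbols" advice: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list; Diceware-style lists hold 7,776 words.
WORDS = ["seventeen", "blue", "quickly", "pacifier", "lantern", "granite", "velvet", "orbit",
         "copper", "meadow", "thistle", "harbor", "saddle", "ember", "quartz", "willow"]
DICEWARE_LIST_SIZE = 7776


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one letter, one digit and one symbol."""
    return (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from `alphabet`, redrawn until every character class is present.

    The secrets module (not random) is used because random's output is predictable from a few
    samples. Redrawing costs a fraction of a bit of entropy, negligible at eight or more characters.
    """
    if length < 8:
        raise ValueError("use at least eight characters")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def generate_passphrase(word_count: int = 4, wordlist=WORDS, sep: str = "") -> str:
    """Passphrase of the seventeenbluequicklypacifier kind: words drawn uniformly with a CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every possibility at an offline guessing rate (constructed rate: roughly a
    GPU rig against a fast, unsalted hash; a slow hash such as bcrypt is orders of magnitude lower)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for label, bits in [
        ("8 chars, full alphabet", entropy_bits(len(ALPHABET), 8)),
        ("12 chars, full alphabet", entropy_bits(len(ALPHABET), 12)),
        ("4 Diceware words", entropy_bits(DICEWARE_LIST_SIZE, 4)),
        ("6 Diceware words", entropy_bits(DICEWARE_LIST_SIZE, 6)),
    ]:
        print(f"{label:24s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2g} years at 1e10 guesses/s")
    print("password:  ", generate_password(12))
    print("passphrase:", generate_passphrase(4))
```

Two things the numbers make visible: eight characters from the full 94-symbol alphabet (about 52 bits) are within reach of an offline attacker once a password database leaks, which is why twelve or more are worth the trouble when a manager is typing them for you; and a four-word passphrase from a real 7,776-word list carries about as much entropy as that eight-character string while being far easier to memorize as the one secret that unlocks the safe. Only the real list size counts, so a phrase drawn from the sixteen constructed words above is for demonstration, not for use.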

Avoid Personal Facts on Security Q&As.

  • Pick obscure security answers that do not appear in public records and are not related to what you share online. As with passwords, if you post pet names, schools, favorite songs, and children's names on the Internet, do not use them for security questions.
  • Treat answers to security questions like passwords: add numbers or special characters, and store the made-up answer in your password manager so you can find it again. For example, answer “What was your first pet's name?” not with Rover’s name, but with “D0na1Duck%.”

Use Two-Factor Authentication Where Available (especially for email). A two-step procedure enhances email security and safeguards against fraud by pairing “something you know” (a password, passphrase or PIN) with “something you have” (a physical token, chip, fob, or phone). A stolen password alone is then not enough to log in.

Email platforms such as Yahoo Mail, Outlook and Gmail offer two-factor authentication as an option. For example, after entering your password you request that a one-time-use code be sent by text message to your phone; the service texts the code, and you type it in to complete the login. Where the service offers it, a code from an authenticator app or a physical security key is stronger still, because a text message can be intercepted or redirected to another phone.
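The exchange described above, as an added example that is not any provider's code: a hypothetical server that checks the password, issues a one-time code to be texted, and then accepts that code only once, only within a time limit, and only within a cap on wrong guesses. The user name, password, salt, server key and the six-digit, five-minute, five-attempt settings are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

CODE_DIGITS = 6          # codes like "482913", as texted by the services named above
CODE_TTL_SECONDS = 300   # constructed window: a code is useless after five minutes
MAX_ATTEMPTS = 5         # constructed budget: then the code is discarded and a new one must be requested


@dataclass
class PendingCode:
    digest: bytes      # keyed hash of the code; the code itself is never stored server-side
    expires_at: float
    attempts: int = 0


class SecondFactorServer:
    """Server side of the "password, then texted code" step (hypothetical, not any provider's code)."""

    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key
        self._clock = clock            # injectable so expiry can be exercised without waiting
        self._pending: Dict[str, PendingCode] = {}

    def _digest(self, user: str, code: str) -> bytes:
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue_code(self, user: str) -> str:
        """Called only after the password check passed. Returns the code to text to the phone."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(self._digest(user, code), self._clock() + CODE_TTL_SECONDS)
        return code

    def verify_code(self, user: str, submitted: str) -> bool:
        """Accepts a code once, within its window, and within the attempt budget."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user]
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:    # too many wrong guesses: discard rather than let them continue
            del self._pending[user]
            return False
        ok = hmac.compare_digest(entry.digest, self._digest(user, submitted))
        if ok:
            del self._pending[user]          # single use: a replayed code is rejected
        return ok


# Constructed first factor: one user with a salted PBKDF2 password hash (user, password and salt are constructed).
_SALT = b"constructed-salt"
PASSWORD_HASHES = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct-horse-battery", _SALT, 100_000)}


def check_password(user: str, password: str) -> bool:
    stored = PASSWORD_HASHES.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000))


def simulate_login(server: SecondFactorServer, user: str, password: str,
                   phone: Callable[[str], str]) -> Tuple[bool, List[str]]:
    """Both sides of the exchange. `phone` stands in for the person reading the texted code and typing it in."""
    log = [f"client -> server: username={user}, password=<redacted>"]
    if not check_password(user, password):
        log.append("server -> client: password rejected")
        return False, log
    code = server.issue_code(user)
    log.append(f"server -> SMS gateway: text {CODE_DIGITS}-digit code to {user}'s phone")
    typed = phone(code)
    log.append(f"client -> server: code={typed}")
    ok = server.verify_code(user, typed)
    log.append("server -> client: " + ("logged in" if ok else "code rejected"))
    return ok, log


if __name__ == "__main__":
    srv = SecondFactorServer(secrets.token_bytes(32))
    # The legitimate user has the phone and relays the code.
    ok, log = simulate_login(srv, "alice", "correct-horse-battery", lambda code: code)
    print("\n".join(log))
    # An attacker holding the leaked password but not the phone has to guess the code.
    ok, log = simulate_login(srv, "alice", "correct-horse-battery", lambda code: "000000")
    print("\n".join(log))
```

The three checks in verify_code are what make a texted code safe to use at all: without the expiry an old text message stays valid forever, without single use a code observed once can be replayed, and without the attempt cap a six-digit code can be guessed in at most a million tries. The code is stored only as a keyed hash so that a copy of the pending-code table does not hand an attacker the second factor the way the breached password table handed over the first.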

Account Takeover. If you believe that your email account, or another online account, has been taken over by someone who’s using your credentials, contact the company’s help center or security center. Yahoo’s is at https://help.yahoo.com. In some cases, you may find that getting a police report of identity theft is necessary to help you reclaim your account.

More:

National Cyber Security Alliance on two-factor authentication.

Electronic Frontier Foundation, Passwords: LinkedIn and Beyond.

Bruce Schneier, Password Advice.

California Attorney General’s Identity Theft Victim Checklist: English, Spanish

# # #