Yahoo Password. WTF!



  • Most of my Yahoo mail is SPAM anyway, so it's ignored. However, today I received an "official" email from Yahoo confirming the suspension of a couple of sub-accounts. As a Yahoo/AT&T DSL subscriber, I get to create sub-accounts for friends and family. The only problem is that I've never created any.

    Suspecting a password compromise, I logged on to change my password. Lo and behold! The new password didn't take. I followed standard secure password practices and entered a password with lower-case letters, upper-case letters, a couple of numbers, and a couple of special characters. After squinting at the fine print on the Yahoo password change page, I found the following:



    Choosing your password

    • Must be 6-16 characters long
    • No spaces, punctuation, or special characters
    • Capitalization matters
    • Cannot be the same as your Member ID
    Rules 1, 3 and 4 make sense. But no special characters? WTF! I shudder to think Yahoo is advising its users to use insecure passwords.


  • And I shudder to think about the code that imposes these braindead restrictions...
    As for being insecure, a 16-character letters-and-numbers password is still reasonably secure from a brute force attack.



  • Perhaps the password is transmitted in the URL as a GET-parameter, causing these restrictions. That would be really secure...



  • @togasan said:

    • No spaces, punctuation, or special characters


    Skype has this restriction as well. It's quite silly...



  • I've seen this quite a bit lately. I think it comes from frustration born out of dealing with problems caused by special characters in fields, e.g. SQL injection attacks, trying to parse fields in a delimited string and having your separator character used in a field, or, my favorite recently, an XML request that expects < or > half the time and &lt; or &gt; the other half.



  • I recently signed up for World of Warcraft a few weeks ago.  Tried to do a standard password and discovered it wouldn't allow special characters either.  And we're not talking any sort of funky special characters... I was trying to use a period in it.  :/



  • I've never had that problem on Yahoo. In fact, my current Yahoo password has special characters in it. I don't use Yahoo as an ISP, though, so maybe it's a different restriction.

    What really gets me is that my banks won't allow me to use special characters. In fact, one of the banks I do business with had me create a password when I opened the account, and accepted my password just fine, only to tell me that special characters were not allowed when I tried to login later. I had to call them and have them reset the password so I could login.



  • @Penguin Man said:

    I've never had that problem on Yahoo. In fact, my current Yahoo password has special characters in it. I don't use Yahoo as an ISP, though, so maybe it's a different restriction. What really gets me is that my banks won't allow me to use special characters. In fact, one of the banks I do business with had me create a password when I opened the account, and accepted my password just fine, only to tell me that special characters were not allowed when I tried to login later. I had to call them and have them reset the password so I could login.

    Sadly, this happened to me as well, but in one of my employer's web applications. They enforced some password complexity standards (should consist of uppercase, lowercase, numeric and special characters, must not repeat any of your 5 previous passwords, etc.).

    My password worked well in all applications (credentials through AD) except one. When I contacted help desk, they said I should just change my password.

    Why enforce a policy when not all of the applications adhere to the standards?






  • @Arancaytar said:

    Perhaps the password is transmitted in the URL as a GET-parameter, causing these restrictions. That would be really secure...


    We have a function for transmitting 'special' characters in URLs.  It's called urlencode() in most languages.



  • @SpComb said:

    @togasan said:
    • No spaces, punctuation, or special characters


    Skype has this restriction as well. It's quite silly...


    It's probably easier to say "no special characters" than it is to say !@##$%^&*() are okay but '"/ are not.



  • @savar said:


    It's probably easier to say "no special characters" than it is to say !@##$%^&*() are okay but '"/ are not.

    As you've just demonstrated. Probably you meant ' " \

    :)



  • Last year, I had to delve into the internals of some Yahoo software.

    It's not good. It's painfully amateur and blunt as a caveman's club, in fact. For some reason I had deluded myself into believing that something in such wide use must be held to a high standard. Boy was I wrong.

    The theory that the "special characters" rule is an idiot's workaround for SQL injection possibilities is probably right on.




  • @Penguin Man said:

    I've never had that problem on Yahoo. In fact, my current Yahoo password has special characters in it. I don't use Yahoo as an ISP, though, so maybe it's a different restriction.


    Yeah, I'm pretty sure it's an ISP thing. I had my Yahoo account before using them as ISP, and I used special characters in my password. I suspect the people responsible for the ISP version of Yahoo are not the same people responsible for the non-ISP version. Either that or their integration is just not all that great.

    It is unbelievable if they prohibit special characters in passwords to help protect from SQL injection, as it is not a new problem. There are various methods to sanitize user input... But then, they just had a merger. Perhaps they no longer have the same people managing their site.
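    The posts above argue that banning quotes, backslashes and spaces in passwords is a workaround for SQL injection rather than a fix. The following is an added example, not code from the thread or from Yahoo: it stores and verifies passwords that contain exactly those characters by hashing them (PBKDF2) and using parameterized queries, so the database never sees the raw password and no character needs to be forbidden. The sample passwords, member IDs and the in-memory SQLite schema are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Constructed sample passwords using characters the thread says sites reject:
# spaces, quotes, a semicolon with an SQL comment, a backslash and XML markup.
SAMPLE_PASSWORDS = [
    "correct horse battery staple",
    "O'Brien\"; DROP TABLE users;--",
    "back\\slash<xml>&amp;",
]

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the raw password never reaches the database."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest

def create_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (member_id TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn

def register(conn: sqlite3.Connection, member_id: str, password: str) -> None:
    # Placeholders (?) bind values; quotes or semicolons in the password are just bytes.
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users (member_id, salt, digest) VALUES (?, ?, ?)",
                 (member_id, salt, digest))

def verify(conn: sqlite3.Connection, member_id: str, password: str) -> bool:
    row = conn.execute("SELECT salt, digest FROM users WHERE member_id = ?",
                       (member_id,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    # Constant-time comparison of the stored and recomputed digests.
    return hmac.compare_digest(digest, row[1])

def demo() -> bool:
    """Registers every sample password, checks logins, and confirms the table survived."""
    conn = create_store()
    for i, pw in enumerate(SAMPLE_PASSWORDS):
        register(conn, f"member{i}", pw)
    all_ok = all(verify(conn, f"member{i}", pw) for i, pw in enumerate(SAMPLE_PASSWORDS))
    wrong_rejected = not verify(conn, "member1", "O'Brien")
    rows = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return all_ok and wrong_rejected and rows == len(SAMPLE_PASSWORDS)

if __name__ == "__main__":
    print("all sample passwords stored and verified:", demo())
```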



  • My bank doesn't allow special characters for online accounts and when you try to use them, the server returns some kind of "flagrant error". Sort of silly since online banking should be as secure as it can be.



  • One of the systems we use here has two slightly different front ends (same everything apart from the final presentation - Windows or terminal based). They have differing password requirements, e.g. one accepts spaces in the password, the other will tell you that you entered the wrong password.

    All standard printable characters in the target region should be a minimum for passwords, or at least those accessible from the keyboard.



    Then again, is a space a printable character since it doesn't actually print anything? :-O


