Archive of the former Yahoo!Groups mailing list: Korg Poly800/EX800 Users


Subject: Re: [korgpolyex] Yahoo flaw - server or client side?

From: Michael Hawkins <korgpolyex800@...>
Date: 2013-02-08

My point was that the password is unique. I never use the same password for any Internet login. Making your passwords obscure does help when determining the method by which an account is hacked.

I still am yet to find any genuine story where large numbers of passwords (>1000) were sniffed. It's just not feasible to do so in any decent large ISP. So for example, if you're in the domestic US (and I would posit, any western country) it's extremely unlikely anyone will ever sniff more than a handful of passwords. So this Yahoo hack certainly isn't that.

What I am hearing (through the channels that I have access to) confirms my theory. Yahoo has some kind of a serious server-side vulnerability that is allowing spammers to hijack accounts WITHOUT needing the users' passwords. One of my Yahoo email accounts was the source of spam but my password was not changed, I wasn't logged in at all when the spam was sent, I only ever log in to that Yahoo account using a Linux machine and my password is a unique MD5 alphanumeric hash. The fact that I use a hash doesn't make it more secure but it does help to confirm that the hacking was server side.

Mike



From: Gordon JC Pearce <gordon@...>
To: korgpolyex@yahoogroups.com
Sent: Friday, February 8, 2013 8:06 AM
Subject: Re: [korgpolyex] Yahoo flaw - server or client side?

On 08/02/13 03:14, Michael Hawkins wrote:

> I say this because I work in networks and information security and even
> my yahoo email was used to send spam. Now, I use MD5 hashes as my
> passwords, so they are all unique and very near impossible to guess. I

Aww, looks like I got something wrong. I wanted to make the point that
it's generally fairly easy to spoof email senders, but I suspect I got
filtered by Yahoo! Groups.

Anyway, md5 hashes of what? Do you mean your password is a longish
string of alphanumerics? That doesn't guarantee that the password is
secure. Unless you're using SSL it's fairly easy for a malicious user
on your network to sniff your passwords (but not as easy as people make
it out to be in the general case). This is why Kerberos is such a
complicated bugger to work out...

--
Gordonjcp MM0YEQ