

  2. Ray,

    I agree with you that the provider should implement two or even three factor authentication whenever possible. That is without question.

    Nevertheless, you do realize that one of the issues with Yahoo mail is that it uses very weak encryption, and only during the login process at that. The user is typing his/her credentials while in HTTP and when the user presses send, the login data is sent over HTTPS only during transfer over the wire; once authenticated, the Inbox and folders are then served in HTTP (plain text).

    If an email provider cares about their customers it will serve at least 256 through and through. That is, HTTPS 3.0 or better and TLS 1.2 or better.

    …and while some users do need to be more diligent about their security and safety and not be afraid to be called paranoid because they are zealous about it, it is the ISPs and the ESPs, etc. who should bear the brunt of the responsibilities. Not so much the users. The users are adopting technologies and without the users there is no gain.

    Users (in any category) should not have to bear responsibility for something they, at the end of the day, have no control of while paying top dollar one way or another.

    Most of us use complex dedicated passwords and we are zealous self-respecting cyber citizens and yet we get ransacked. I’d say it is the responsibility of the provider to keep me safe while I practice safe surfing.

    What are your thoughts,

    ~ Virginia Benedict
    Professional Social Media Managing Curator (cir 1992)
    Market Engineering Strategist (cir 1984)
    IT Systems & Network Security/Computer Forensics (cir 2000)
    Technologies Analyst (cir 1989)

    Member Microsoft Technical Communities
    Powered by Office 365/SharePoint

  3. Thanks for talking about SICMyP.

    Just to answer your questions regarding the 200K. Whilst we’ve had a big influx of new visitors with the Yahoo! breach, 200K is a pretty average week for us. The 12 million have been identified over the last 13 months. I’ll leave the Math to your readers.

    If anyone has any questions about the site, please don’t hesitate to ask.

  4. Virginia,

    Thanks for the comment and I couldn’t agree with you more that the providers of online applications like mail should be doing a much better job of securing the data that they are entrusted with. The challenge is that these services are often free and, other than brand damage, there is no real consequence for the provider, in this case Yahoo!, to implement higher security controls which come with a cost. Now we all know that the data mining performed by mail providers would more than cover the cost of these upgrades to security, but until the consumer demands higher security or is willing to pay for a more secure service I am afraid these types of services will continue to be security-light.

    I also understand your point about passwords. I know many people in our field understand the need to have complex passwords and to change them at regular intervals. But this is simply not the case with your typical consumer. I have written several posts on this over the past year and it always amazes me that whenever there is a breach where passwords are revealed, some of the top passwords in use are “password”. This shows that we are a long way away from consumers understanding the importance of practicing good personal online security practices. While the site “Do I need to change my password” is not necessarily a great resource for security-conscious people, it is a good education tool for those who have no idea what is happening on the other side of their screen.

    All the best,


  5. Shayne,

    Thanks for the comment and the offer to answer questions. It is crazy to see how many records have been published in such a short amount of time. I guess we all knew it was a lot, but I personally have never added up all the breach totals to see the full picture. I believe this is an interesting topic for our readers and hope that it helps educate people on the need to have secure password practices.

    Thanks again,


  6. Ray,

    The solution is for the portal/site not to accept certain types of passwords at all. We are beginning to see this practice more and more.

    As far as “Free” service… hmmn!? I am a firm believer that nothing in life is free and to boot if they were not offering the email service they would have no advertisers’ revenue streams…

    Regarding your main discussion topic, my answer is a big YES! The site owner should require the guest/member to change their passwords at adequate intervals.

    Thank you for all your support and good wishes.

    Virginia Benedict
