Nigel's notes

Random thoughts on the world of kink

Notes for kinksters on the Yahoo password hack

fetish sites / September 23, 2016 /

Yesterday the news broke of a massive hack of Yahoo data, which took place in 2014, but has only been revealed now. There have been several similar high-profile hacks lately, and so I thought it worth taking a look at this topic, in particular from the point of view of kinksters – though the notes here really apply equally to anyone who values their privacy and that of others.

I’ll try to explain simply what’s happened, what you should do about it, and what steps to take in future, too.

What’s happened?

According to Yahoo, some details of up to 500 million accounts are believed to have been obtained by someone, possibly a foreign government. That information could include security questions and answers (“What’s your mother’s maiden name?”) and a ‘hashed’ version of your password. Other details may include phone numbers and dates of birth, but apparently not information like credit card details.

What’s a hashed password?

A hashed password is a password that has been run through a one-way mathematical function, so the original can’t be read from the result. It’s very hard to turn a hash back into the actual password, but an attacker can guess a password, run it through the same function, and if the result matches the stolen ‘hash’ they know their guess was right. So, this is less worrying than having the actual passwords stolen, but still a concern.
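To make the hashing idea concrete, here is a small Python example I’ve added for this post. It is not Yahoo’s code, and the iteration count and the sample password are values chosen for the example. It shows how a site turns a password into a salted hash for storage, how a login check works by recomputing the hash from what you typed, and why the same password stored twice with a random salt does not produce the same hash.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor a site would choose; this is a value picked for the example,
# not anything known about Yahoo's systems. Higher means each guess costs more.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Turn a password into a (salt, hash) pair for storage.

    A fresh 16-byte random salt is drawn when none is supplied, so two users
    with the same password (or the same person on two sites) end up with
    different stored hashes.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(guess: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash from a guess and compare it with the stored one.

    This is exactly what the site does at login. There is no way back from
    the hash to the password, only forward from a guess to a hash, which is
    why the strength of the password itself still matters once hashes leak.
    """
    _, digest = hash_password(guess, salt)
    return hmac.compare_digest(digest, stored)


def same_password_different_hashes(password: str) -> bool:
    """Show that salting makes identical passwords look unrelated when stored."""
    _, first = hash_password(password)
    _, second = hash_password(password)
    return first != second


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    salt, stored = hash_password("correct horse battery staple")
    print("salt:", salt.hex())
    print("hash:", stored.hex())
    print(verify_password("correct horse battery staple", salt, stored))  # True
    print(verify_password("password123", salt, stored))  # False
    print(same_password_different_hashes("hunter2"))  # True
```

Run it twice and the printed hash changes each time, even though the password didn’t; that is the salt at work. A stolen hash cannot be typed into a login box, but it does let whoever holds it check guesses at their leisure, so a password that appears on every “most common passwords” list is no safer for having been hashed.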

But I don’t use Yahoo, so I’m safe, aren’t I?

Are you sure you don’t use Yahoo? As well as their own Messenger and Email service, Yahoo runs Tumblr and Flickr. They used to own Geocities, and various other sites too. So you might have a Yahoo account without really being aware of it. There are a total of 1 billion accounts – half of which may have been compromised. Fortunately, Yahoo says they will contact people directly affected.

What should I do?

If you have a Yahoo account, I recommend you change the password, as soon as you can.

Make it a long password that is hard to break, and don’t use the same password as on other sites. As I’ll explain below, I think this is particularly important for the kink community. I’ll also give some tips on good passwords.

I linked my Twitter/Tumblr/Facebook or other social media account. Is that at risk?

Typically, when you link sites to social media accounts, for example to allow them to Tweet automatically when you upload photos, or share stuff to your Facebook timeline, a special system called OAuth is used. Without getting into the technical details, this means that – for example – you never actually gave Yahoo/Flickr your Twitter password. Twitter checked it, and said to Yahoo, “OK, you can post tweets as that person.”

So, if someone has your Yahoo password, they don’t get your Twitter password. But they might use features on Yahoo that would cause a tweet to get sent – like adding a new photo, say. Once you change your Yahoo password, of course, they can’t do that.

Most sites that allow you to link them to others will have a page somewhere in their settings that lets you revoke permission. For example, on Twitter you can click Settings then Apps, and you’ll see a list like this, showing all the sites and apps allowed to use your Twitter account. If you’re worried, you can revoke access there.

Twitter’s app permissions – you can remove another site’s ability to post tweets for you

On Facebook, the same information is also under Settings and then Apps, and looks like this. If I were worried about the Yahoo hack, for instance, I could hover over the Flickr item and click Remove. Though, as I said, if you change your Yahoo password you should be fine – and the chances of someone using access to your Yahoo account to upload a photo to Flickr that would embarrass you if it were tweeted are quite small.

Facebook has a similar permissions page. Check regularly to see who can post on your behalf

Nevertheless, I’d also like to say it’s a good idea, from time to time, to review what apps and sites you have given access to your social media accounts, and remove any you don’t recognise.

What’s a good password?

For starters, make sure it’s hard to guess. So, don’t pick the name of your partner with their birthdate put on the end, for example. Too easy. If a site allows, you can use a long password – perhaps a line of a poem – but not all of them are smart enough for that, and many include odd restrictions, like requiring or forbidding certain types of character.

The best way to cope with all of this is to use a password manager app. These are programs that work with your web browser and store all your passwords, encrypted so that other people can’t open them. They can also create passwords for you that will be very hard for anyone to guess. When you start your computer, you enter the master password for the password manager to unlock your ‘vault.’

Which password manager?

The two best-known password managers are LastPass and 1Password. Both have free versions (for 1Password, on mobile only), but offer more to people who pay – for example, with the Premium version of LastPass, my passwords are synchronised between my computer, my tablet and my phone.

Update, 6th December: Since this piece was first written, LastPass has included synchronisation between devices in their free edition. Consequently, that is now the choice that I recommend.

As you can see here, LastPass (which I use) has lots of options for generating passwords, including trying to make them pronounceable, and you can include or exclude certain types of character to meet the criteria of different sites.

A password manager can create good passwords for you, and remember them
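For anyone curious what a password generator like the one pictured actually does, here is a Python example I’ve added; it is not LastPass’s code or anything from the original post. It covers the options mentioned above, a random-character password with characters you can exclude to suit a picky site, a pronounceable one, and a multi-word passphrase, plus a small function that shows why a passphrase built from a tiny word list is weak. The word list and symbol set are constructed for the example.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"

# A constructed 25-word list, just so the example runs offline. A real tool
# would draw from a list of several thousand words.
WORDS = ["anchor", "bright", "candle", "drift", "ember", "fable", "glide",
         "harbor", "ivory", "jungle", "kettle", "lantern", "meadow", "nectar",
         "orbit", "pebble", "quiver", "ripple", "saddle", "timber", "umber",
         "velvet", "willow", "yonder", "zephyr"]


def random_password(length: int = 20, symbols: bool = True, exclude: str = "",
                    min_digits: int = 1, min_upper: int = 1) -> str:
    """Characters drawn uniformly with secrets.choice (never random.choice).

    `exclude` drops characters a particular site rejects (or look-alikes such
    as "0O1l" if you will ever have to read the password out), and the
    minimum-class counts satisfy the "at least one digit / one capital" rules
    many sites impose. Candidates are redrawn until the policy is met, so the
    result is still uniform over the passwords that satisfy it.
    """
    alphabet = string.ascii_letters + string.digits + (SYMBOLS if symbols else "")
    alphabet = "".join(c for c in alphabet if c not in exclude)
    if min_digits > 0 and not any(c.isdigit() for c in alphabet):
        raise ValueError("every digit has been excluded but min_digits > 0")
    if min_upper > 0 and not any(c.isupper() for c in alphabet):
        raise ValueError("every capital has been excluded but min_upper > 0")
    if length < min_digits + min_upper:
        raise ValueError("length is too short for the requested character classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (sum(c.isdigit() for c in candidate) >= min_digits
                and sum(c.isupper() for c in candidate) >= min_upper):
            return candidate


def pronounceable_password(syllables: int = 6) -> str:
    """Alternating consonant/vowel pairs, easier to read out or type by hand.

    The trade-off is fewer possibilities per pair (18 * 5 = 90), so use more
    syllables to compensate.
    """
    consonants = "bcdfghjklmnprstvwz"
    vowels = "aeiou"
    return "".join(secrets.choice(consonants) + secrets.choice(vowels)
                   for _ in range(syllables))


def passphrase(words: int = 5, separator: str = "-") -> str:
    """Several random words: long and memorable, for sites that accept it."""
    return separator.join(secrets.choice(WORDS) for _ in range(words))


def bits_of_entropy(choices_per_element: int, elements: int) -> float:
    """Strength of a uniformly random password: elements * log2(choices)."""
    return elements * math.log2(choices_per_element)


if __name__ == "__main__":
    print(random_password(16, exclude="0O1l"))
    print(pronounceable_password())
    print(passphrase())
    # Why the word list matters: five words from this 25-word list give only
    # about 23 bits, while five words from a 7776-word list give about 65 bits.
    print(round(bits_of_entropy(len(WORDS), 5), 1), round(bits_of_entropy(7776, 5), 1))
```

The point of the entropy function is that “long” isn’t enough on its own: a five-word phrase drawn from a handful of favourite words is far easier to guess than a sixteen-character string the manager produced, and a real passphrase generator needs a word list in the thousands to compete.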

If you don’t want to spend the money, one alternative might be to come up with a good, strong password and use a variation of it on different sites – for example, adding something like a friend’s nickname on that site to the start or end of a common password.

But whatever you do, don’t use the same password on more than one site.

Why can’t I just use one password?

Using the same password everywhere exposes you to much greater danger. Imagine someone’s cracked your Yahoo password after the hack – and remember they may also have your birthday and other information as a result of the same hack.

If you’ve used the same password for your online banking, they can now access that. That could be catastrophic for you. Whatever else you do, you should always make sure any financial service you use online has a password that isn’t the same as the one for anything else you do on the internet.

Can’t I just use one password for all my kink sites?

A common habit lots of people seem to have is to take good advice and not use the same password for “important” things like banking as they do for other sites. But, instead of remembering lots of different passwords, they use the same one for lots of the “not important” sites.

You could be putting other people at risk

Perhaps you’re one of the “I’m not ashamed to own my kink” type of people. That’s great – I’m one of those too. But not everyone is lucky enough to be in the same boat, and as kinksters we have a special responsibility to not expose each other, I think.

You might be wondering how this could happen. Say you’ve got a kinky Tumblr, which of course is part of Yahoo. And because all these things aren’t “life or death” you’ve used the same password for some dating or hookup sites, say Recon and BLUF.

Now, as a result of this hack, someone potentially has your Yahoo password. That means they also have the password to your Recon and BLUF accounts. If they access either of those, they can potentially see photos and profiles that are not visible to the public, belonging to people you may not even know. Those people have now had their interests outed to a third party because of your shared password.

Anyone you exchange messages with could have more details exposed, because a hacker is able to view what’s in your inbox on those sites.

Perhaps – especially as it’s considered likely to have been a foreign state behind this hack – you might think this is an unlikely scenario. And yes, it is. More likely is an upset former partner, whom you once trusted to know your password, or someone who has decided to target you specifically.

The point is: sharing passwords doesn’t just put you at risk. It can compromise the privacy of other users on sites that you visit. It may result in aspects of their life being outed, without them having any say in it.

Never, ever, re-use passwords on different sites. Use a password manager to create a separate password for each one.

More useful information

Many sites offer the option of something called “Two Factor Authentication” (sometimes also known as multi-factor authentication). If you can turn this on for sites you use, it’s a good idea. There are various ways of doing it, but it essentially adds an extra step you must complete before being able to access a site, typically entering a code number, which is either produced by an app on your phone or sent to you by text message.

So, that means that even if someone knows your password to a site, if they don’t have your phone to get the code number, they still can’t log in. You can turn this option on for your Yahoo and Google accounts, and I strongly recommend that you do so. You can also use it with the LastPass password manager, so that a code is needed to unlock all the passwords you’ve stored.

Have I been compromised?

If you have been a victim of the Yahoo hack, you should get an email from them, letting you know. Of course, there have been many similar hacks in recent years, including sites like MySpace, Ashley Madison, Adobe and LinkedIn, with hundreds of millions of people’s details compromised.

A useful site called Have I Been Pwned has been set up by a well-known security researcher. You can enter your email address, and it will tell you if it is found in the hacked databases from a range of sites. It’s a good idea to check there from time to time.

Have I Been Pwned will tell you if your email address appears in the data from some major security hacks
