Don’t worry – Yahoo has come up with a solution for those who haven’t yet discovered the benefit of using a password manager.
Yes, everybody’s fourth favourite search engine has announced what it calls “a new, simple way to log in”.
Chris Stoner, Director of Product Management at Yahoo, gushes that rather than require you to remember your password, the site will now send you an SMS text message containing a one-time password:
Today, we’re hoping to make that process less anxiety-inducing by introducing on-demand passwords, which are texted to your mobile phone when you need them. You no longer have to memorize a difficult password to sign in to your account – what a relief!
In some ways, that sounds quite cool. For instance, if you needed to log into your Yahoo Mail account on a suspicious computer in a hotel lobby you might (quite rightly) feel very uncomfortable entering your password on a PC that might be harbouring some keypress-logging malware.
With a one-time-password you don’t have to worry so much about bad guys grabbing it, as it is only useful that “one-time”. And provided your smartphone isn’t itself compromised (perhaps by spyware), hackers are unlikely to be able to grab the unique passcode for unlocking your account.
But there’s a problem with only requiring you to have your mobile phone to log into your Yahoo account, and it’s this… what if someone else has your phone?
Can you put your hand on your heart and say that you have never left your phone unattended somewhere? Never walked away from your desk to make a quick visit to the water cooler, and left your iPhone sitting on your desk?
If access to your online accounts is only controlled by who has access to your phone – that’s not a good thing! All an unauthorised user would need is your Yahoo username and their paws on your mobile.
Remember too – depending on how you have configured your smartphone, someone may not even need to unlock your device to read the SMS message it has just received from Yahoo.
Or perhaps you’re one of those twerps who doesn’t even have a passcode on your smartphone?
At the very least, expect the pranksters in your office or college to try to abuse the system to gain access to your account.
Fortunately, there don’t appear to be any plans to enable this feature on users’ accounts without their permission. You’ll have to log into your account with an old-fashioned username and password to turn it on.
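The two properties discussed above, that a captured code cannot be replayed and yet that whoever can read the SMS can sign in, shown as an added Python sketch (not Yahoo's code). The class name, the 8-digit code, the 5-minute lifetime and the 5-guess limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # assumed code lifetime, in seconds
MAX_ATTEMPTS = 5    # assumed number of wrong guesses allowed per issued code

class OnDemandPasswords:
    """Toy model of SMS on-demand passwords (hypothetical, not Yahoo's implementation)."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone, text): stand-in for an SMS gateway
        self._clock = clock
        self._phones = {}           # username -> enrolled phone number
        self._pending = {}          # username -> [code_hash, expires_at, attempts_left]

    def enroll(self, username, phone):
        self._phones[username] = phone

    def request_code(self, username):
        phone = self._phones.get(username)
        if phone is None:
            return False
        code = f"{secrets.randbelow(10**8):08d}"   # drawn from the OS CSPRNG
        digest = hashlib.sha256(code.encode()).digest()
        # A new request overwrites any earlier code; only the hash is stored.
        self._pending[username] = [digest, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your sign-in code: {code}")
        return True

    def login(self, username, code):
        # Note what is NOT checked: no password, no second factor.
        # Username plus whatever arrived on the phone is sufficient.
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[username]
            return False
        if hmac.compare_digest(hashlib.sha256(code.encode()).digest(), digest):
            del self._pending[username]   # single use: a replayed code finds nothing
            return True
        entry[2] -= 1                     # wrong guess consumes an attempt
        return False
```

A code lifted by a keylogger after use is rejected on replay, but `login` has no way to tell the account owner from anyone else who can read the text message.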
Here are the instructions from Yahoo on how to do that (if you dare):
1) Sign in to your Yahoo.com account.
2) Click on your name at the top right corner to go to your account information page.
3) Select “Security” in the left bar.
4) Click on the slider for “On-demand passwords” to opt-in.
5) Enter your phone number and Yahoo will send you a verification code.
6) Enter the code and voila!
Yahoo says that “on-demand passwords” are only currently available for United States users, but presumably they plan to roll it out across more countries over time.
Personally, rather than making things “simple” for users who cannot remember their passwords, I would have preferred to have seen Yahoo promoting the usage of password management software like Bitwarden, 1Password, and KeePass which would similarly make it unnecessary to remember passwords… and perhaps encourage stronger, unique passwords at the same time.