Yahoo probes possible huge data breach

184 points by JohnHammersley, almost 9 years ago

11 comments

maldeh, almost 9 years ago
> However, attempts to contact more than 100 of the addresses in the sample saw many returned as undeliverable with auto-responses reading: "This account has been disabled or discontinued," which might suggest that the data is old.

Or another sad possibility is that this may be representative of any sample of Yahoo email addresses.
gjkood, almost 9 years ago
In the interest of making this a learning experience for myself and others, I would like to get any feedback on the following questions.

What would be considered as strong/good/secure password/authentication algorithms if one had to implement this today?

What would you recommend today as a good/secure authentication library that one can use with a micro framework like Python Flask (or others)? What about the authentication library in the batteries included Django framework?

What about recommended general authentication libraries for other web application frameworks such as Phoenix/Elixir, Node based, Go based, etc?

Here are some links from OWASP/Google that offer some details:

https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet

https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

https://docs.google.com/document/d/1R6c9NW6wtoEoT3CS4UVmthw1a6Ex6TGSBaEqDay5U7g/edit
adevine, almost 9 years ago
Am I right in understanding that the passwords were hashed with MD5? WTF?
overcast, almost 9 years ago
Oh man, all of my spam, and mail from people I didn't want having my real address will be compromised.
at-fates-hands, almost 9 years ago
> Using the name Peace, the hacker said the data was "most likely" from 2012.

So you're saying as long as you updated your password from the 2014 breach, you should be fine.
JoelBennett, almost 9 years ago
Rather timely, given their recent buyout.
Jerry2, almost 9 years ago
What's shocking to me is that Yahoo! still uses MD5 hashes. Those can be decrypted almost instantly with hashcat and tools like it. There's some confusion about the age of data in question but I hope they've moved away from MD5 since the breach occurred.
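
Added example (not part of any comment in this thread, and not Yahoo's or any framework's own code): salted scrypt password storage in Python with an upgrade-on-login path away from legacy unsalted MD5 records, which bears on the storage question and the MD5 remarks above. The record format, cost parameters and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed cost parameters for illustration; tune them for your own hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32


def legacy_md5(password: str) -> str:
    """Unsalted MD5 record: equal passwords always give equal records."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted scrypt record in a hypothetical format: scrypt$n$r$p$salt$key."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a password against either record type; digests are compared in constant time."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(legacy_md5(password), record)
    if scheme != "scrypt":
        return False
    try:
        n, r, p, salt_hex, key_hex = rest.split("$")
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    except ValueError:  # malformed record: reject rather than crash
        return False
    return hmac.compare_digest(key.hex(), key_hex)


def login(store: dict, user: str, password: str) -> bool:
    """Verify a login; on success, replace a legacy MD5 record with scrypt."""
    record = store.get(user)
    if record is None or not verify_password(password, record):
        return False
    if record.startswith("md5$"):
        store[user] = hash_password(password)
    return True


if __name__ == "__main__":
    users = {"alice": legacy_md5("correct horse")}  # constructed sample record
    print(login(users, "alice", "correct horse"), users["alice"][:14])
```

Upgrading on login only covers accounts that sign in again; legacy records for dormant accounts stay in MD5 form until they are reset or removed.
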
yeukhon, almost 9 years ago
> The passwords appear to be hashed - which means they have been scrambled - but the hacker has also published details of the algorithm allegedly used for the hash.

I like how BBC tried to explain what crypto hash does to plaintext, but this is a poor way to describe what hash is because scramble means re-ordering, but hashing doesn't reorder. I hope this reporter takes time to come up with a different way to explain to general public.
shanacarp, almost 9 years ago
Can I admit seeing this right above the Verizon post (as it is right now) makes me giggle

Well, I'm not sure Verizon is going to love NOT being a dumb pipe...
tanqueray, almost 9 years ago
If some of these accounts have been deleted how has a hacker got a username and password for them?
Edmond, almost 9 years ago
Grammar police: "Yahoo probes possibly huge data breach"