Vulnerability Development mailing list archives

Re: Secure Yahoo logins


From: "Roland Postle" <mail () blazde co uk>
Date: Wed, 28 Aug 2002 00:47:34 +0100

The password is hashed with a nonce (a random, one use, string called
challenge). Here's the javascript straight from the login page:

      var passwd = form.passwd.value;                  // plaintext password typed into the form
      var hash1 = MD5(form.passwd.value);              // MD5(password); assigned but never used below
      var challenge = form[".challenge"].value;        // server-issued nonce from the hidden field
      var hash2 = MD5(form.passwd.value) + challenge;  // MD5(password) with the challenge appended
      var hash;
      if(form.passwd.value){
        hash=MD5(hash2);                               // what is sent: MD5(MD5(password) + challenge)
      } else {
        hash="";                                       // empty password sends an empty string
      }

And the challenge is quite long,

<input type=hidden name=".challenge"
value="zpUHXfMLl._2u4tfNw8fBdAKYtkM" >

Thus even if you can watch the traffic both ways you can only break the
password by doing some kind of brute force dictionary search. That
would probably show up a few insecure passwords (if you have a largish
company), but that's not really the fault of the login procedure.

My other question is if the passwords are encrypted why do they offer a secure login 
option? How does that increase security, other than adding a brief ssl session.

Because it encrypts your username too? Honestly I don't know. Most
browsers apply stricter security to secure pages, i.e. they won't be
cached locally etc... That could be it. The passwords couldn't be brute
forced locally either.

- Blazde

