

Tell HN: Yahoo security policies are retarded. - vaksel

So I decided to go back through my old email accounts to reset my secret questions/answers to something a little bit harder to guess than my place of birth.

So Google was no problem, you can log in and change everything right away.

Not so with Yahoo. Which is by far the most important account, since it's about 10 years old and pretty much all accounts are linked there.

First of all you can't change the secret question/password in settings. Only after Googling did I find out that you need to fill out a form to have a customer service rep let you change it.

2 days later, I finally get a reply from a Yahoo rep with a link to reset the secret question. (Talk about a waste of resources.) Great, I can finally change it to something harder to guess.

Success... or is it? I go back to retrieve my password page, and yes, it prompts me for a new secret answer. Except... what's this... "This is not my question" link. Clicking which, I get asked my DOB (pretty easy to find out) and then it shows up the old secret question which I went through such pains to change.

I mean how stupid is this... they make you jump through hoops to change something that important, and then for your convenience they let you use the recovery option that you tried to change.

And if you are inconvenienced as a hacker by this password recovery option, no worries, Yahoo will provide you with the spelled out email addresses which might be less secure. Meanwhile, Google will do the right thing and mask your email address ********@h*******.com

I mean seriously, how are these guys still in business?
======
brk
I know mine is not always the popular opinion on this topic, but for something
so "important" as email, I don't know why people rely on free services like
Yahoo, Gmail, etc. There are just way too many things out of your control.

My primary mail accounts are linked to a domain that I own/control. They're
also on a dedicated server in a colo facility, but I will say that is overkill
for most people.

I can pick up my domain and host it just about anywhere I like, in most cases
for less than $5 or $10/mo if I wanted to be uber-cheap about it.

~~~
vaksel
I have that now, it's just that I used to use Yahoo before, and with 27,114
emails in the inbox it's a little hard to find what websites have that email on
file. That's why I wanted to change the recovery options, to pretty much make
that account inaccessible.

------
Alex3917
It's actually a lot worse than that. One time I tried to make a second Yahoo
account to send anonymous emails from. Somehow Yahoo figured out my real name
and filled it in under the account. So I went in and manually deleted my name
from the account, and then in the settings changed it so that my name wouldn't
appear when I was sending out email from the account.

Then I sent a test email to make sure it really was anonymous, and sure enough
my name was still attached to the account. (I even tried sending test emails
to someone else who had never gotten email from me to make sure it wasn't my
email client playing tricks on me.)

Anyway, if I had actually sent out email thinking it was anonymous then I would
have been seriously screwed. What Yahoo is doing is almost certainly grounds for a
lawsuit.

