On Wed, 5 Dec 2012 17:49:00 -0800, "David Kaye"
Post by David Kaye
Post by Jeff Liebermann
Fortunately, this is no longer the practice as AT&T now allows users
to have different passwords for their DSL PPPoE login and their Yahoo
email accounts. However, there are still millions of accounts that
still have identical passwords.
This is an excellent point and something I neglected to mention. What's
more, many people never bothered to change their email password, and even
years later their email password is still identical to their DSL password.
Oftentimes they set up their account via the AT&T wizard and didn't even
know their email password because they'd just simply leave the email account
logged in for years at a time.
There's also the problem of where to change the passwords. Where does
one look? On the AT&T DSL web site? On their AT&T telephone account
page? For Yahoo, perhaps buried under the mail classic, mail enhanced
or mobile mail menus? Of course, it's different if you have a
business or residential AT&T account, or Yahoo free or Premium
accounts. I just tried to find the password menu under my Yahoo mail
classic account. I had to resort to using the help, which led me to
an account config page that is inaccessible from the email pages.
This is supposed to help:
"Change or reset your AT&T passwords"
<http://www.att.com/esupport/article.jsp?sid=KB401397&cv=801>
Note that AT&T doesn't supply instructions on how to change passwords
on older AT&T supplied DSL modems. Even if I point my customers to
the exact web page, I still get calls asking *ME* to change their
passwords for them. Oddly, it's easy to change both passwords using
the AT&T automated support AVR thing. Just say "password change" at
the voice prompt and follow instructions. The problem here is that
security is minimal. All I need is a copy of ANY of the customer's
phone bills, and I can change their passwords.
Some of the non-AT&T ISPs that I deal with are no better, and for
some odd reason, seem to hide the password change web page as some
misguided security measure. I guess they're following AT&T/Yahoo's
example.
With the PPPoE login password sometimes in the modem, sometimes in the
router, and sometimes on a computah, there are other ways to screw it
up. Very often, the user changes the DSL password but doesn't change
it in the DSL modem. No problem because as long as the DSL modem has
power, it will continue to function normally for several days, with
the old wrong password saved. Eventually the DSLAM will reboot the
modem, try to issue a new IP address, or the AC power may glitch, and
the modem reboots, fails to log in, and I get a phone call. It's easy
enough to fix, but since the customer remembers all the problems
started when they changed their password, they are rather reluctant to
change it again in the future.
To AT&T's credit, the new and improved ADSL2+ service (U-verse) does
not use PPPoE and has no passwords saved in the marginal Motorola DSL
modem/router. PPPoE was a mistake, but AT&T will never admit it.
Post by David Kaye
I still hold to my belief that Yahoo accounts aren't less secure than other
email accounts due to any hacking of Yahoo's email service itself.
Probably true.
My big worry is apps and malware stealing my "saved passwords" file
used by various browsers. I'm guilty of using far too many
convenience features that are really security risks. I then multiply
the problem by duplicating these files on multiple computahs.
<http://securityxploded.com/yahoo-password-decryptor.php>
--
Jeff Liebermann ***@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558