On 2018-03-25 at 19:47 +0100, Brian wrote:
> 1 day after the breach your data had been compromised. Changing your
> password 10 days later on in your 1 month cycle doesn't seem to me to
> be reactive security. Better than nothing, I suppose, but closing the
> door after etc.
>
> In any case, your 20 character, high entropy password was your ultimate
> defence. (Not unless Yahoo! didn't hash).
Sure. If someone stole your password, be that by compromising the server and injecting password-stealing JavaScript, due to an sslstrip you didn't notice on that free Wi-Fi, perhaps just someone looking at the keys you pressed when entering your password, etc., the data you had up to that point in that service should be considered compromised. However, if the password was changed N days/months later, as part of a periodic password change, that would mean that data processed after that date would no longer be at risk, whereas otherwise the account would continue being accessible by the bad actors for years (assuming that you are not using a pattern that removes the benefit of rotating the password!).

Regards
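The two points the reply above makes, that a scheduled password change puts an upper bound on how long a silently stolen password keeps working, and that a predictable rotation pattern throws that bound away, as an added example that is not part of the thread. The function names, the Levenshtein-based similarity check and the sample dates and passwords are this example's own assumptions, not anything either poster described.

```python
"""Added example (not from the thread): bounding the exposure window of a
stolen password and flagging rotations that are trivially guessable.
All names and sample values are this example's own assumptions."""
import re
from datetime import date, timedelta
from typing import Optional


def exposure_window(compromised_on: date, rotation_days: Optional[int],
                    cycle_start: date) -> Optional[int]:
    """Days a silently stolen password stays usable after `compromised_on`,
    with a scheduled change every `rotation_days` counted from `cycle_start`.
    Returns None when there is no rotation, i.e. the window is unbounded."""
    if rotation_days is None or rotation_days <= 0:
        return None
    elapsed = (compromised_on - cycle_start).days
    if elapsed < 0:
        raise ValueError("compromise date precedes the start of the rotation cycle")
    # Next scheduled change strictly after the compromise date; a change on
    # the compromise day itself is assumed to have happened before the theft.
    next_change = cycle_start + timedelta(
        days=(elapsed // rotation_days + 1) * rotation_days)
    return (next_change - compromised_on).days


# Stem plus trailing digits, e.g. "Summer23" -> ("Summer", "23").
_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (dynamic programming); catches rotations
    that only tweak one or two characters of the previous password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def predictable_rotation(old: str, new: str, max_edits: int = 2) -> Optional[str]:
    """Reason string when `new` is a guessable variant of `old` (so an
    attacker holding `old` can recover it with a handful of guesses), or
    None when the two look independent."""
    if old == new:
        return "unchanged"
    if old.lower() == new.lower():
        return "case change only"
    m_old, m_new = _TRAILING_NUMBER.match(old), _TRAILING_NUMBER.match(new)
    if m_old and m_new and m_old.group(1).lower() == m_new.group(1).lower():
        return "same stem with a different trailing number"
    if m_new and m_new.group(1).lower() == old.lower():
        return "old password with a number appended"
    if edit_distance(old.lower(), new.lower()) <= max_edits:
        return f"within {max_edits} edits of the old password"
    return None


if __name__ == "__main__":
    # Constructed scenario: monthly cycle starting 2018-03-01, theft on the 21st.
    print(exposure_window(date(2018, 3, 21), 30, date(2018, 3, 1)))   # bounded
    print(exposure_window(date(2018, 3, 21), None, date(2018, 3, 1)))  # unbounded
    for old, new in [("Summer23", "Summer24"), ("Winter2017!", "Winter2018!"),
                     ("x7Kq!rTpLm", "vB9#sWeHnz")]:
        print(old, "->", new, ":", predictable_rotation(old, new))
```

The exposure computation is deliberately pessimistic about one thing: it assumes the theft is never noticed, so the scheduled change is the only event that ends the attacker's access. The similarity check is a policy hook, not a strength meter; a rotation that passes it can still be weak, it just is not derivable from the password the attacker already holds.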