It merely means that they are most likely looking for spaces with client-side JavaScript, and rejecting any string that contains spaces.
Or, they're checking the string server-side, before hashing and storing the hash to their persistent data store.
Either way, as long as the connection is secure, it's reasonable to inspect the string in plain-text, both client-side and server-side, before creating the hash, as long as they actually create the hash when they do actually decide to save a representation of the password, rather than saving the plain-text password itself.
Part of me would like to guess that the reason spaces might be forbidden in passwords (and pass phrases) would be to prevent frequency analysis. But that doesn't really make much sense, when it comes to hashes, does it? So then, might the case be that they are storing the passwords with reversible encryption, and decrypting the token for a match? In my mind of minds, I doubt it, but you never know. What I really think is that the password policy is simply contrived and idiotic, and whatever rationale they've used to forbid spaces is silly and ill-conceived.
Either way, I agree with the author, whole-heartedly. That is a damned frustrating sign-up process. Two-factor account creation AND a CAPTCHA check? Holy moly!
> they're checking the string server-side, before hashing and storing the hash to their persistent data store.
But why? People don't just add a rule because they feel like it; I'm suggesting that they are storing it in a stupid way that is not hashed and does not allow spaces.
> part of me would like to guess that the reason spaces might be forbidden in passwords (and pass phrases) would be to prevent frequency analysis.
The output of a cryptographic hash is completely random; you can't do any sort of analysis except for determining H(a) == H(b). You don't even know if H(b) was the same input as H(a) or just a collision against it.
To be fair, any other way would lead to convoluted rules like "no consecutive spaces", "no leading/trailing spaces" or "spaces don't count towards the password length".
This is exactly why forcing users to use strong passwords is a shit idea in the first place. The rules either become ridiculously complicated or you disallow perfectly good passwords. There's no middle ground.
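The two replies above make a concrete point: once the password is salted and hashed, a space is just another byte, so neither "no spaces" nor the convoluted variants ("no leading/trailing spaces", "spaces don't count") buy the server anything. The following is an added example, not code from the thread or from Yahoo; it assumes PBKDF2-HMAC-SHA256 with a constructed storage format and a hypothetical 1024-byte length cap, and shows that the only checks a hashing backend needs are a non-empty input and a length limit, while a passphrase with spaces (including leading ones) round-trips and differs from its space-stripped variant.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions for this example (not from the thread): OWASP-style PBKDF2 work
# factor and a hypothetical byte cap that only exists to bound CPU cost.
PBKDF2_ITERATIONS = 600_000
MAX_PASSWORD_BYTES = 1024


def check_policy(password: str) -> bytes:
    """Server-side checks a hashing backend actually needs.

    No character class rules, no space rules: the password is taken byte-for-byte.
    The cap bounds the cost of PBKDF2, the emptiness check stops a blank login.
    """
    data = password.encode("utf-8")
    if not data:
        raise ValueError("password must not be empty")
    if len(data) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    return data


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    data = check_policy(password)
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def space_handling_demo() -> dict:
    """Constructed inputs showing that spaces are ordinary password bytes."""
    stored = hash_password("correct horse battery staple")
    return {
        "exact": verify_password("correct horse battery staple", stored),
        "spaces_removed": verify_password("correcthorsebatterystaple", stored),
        "leading_space": verify_password(" correct horse battery staple", stored),
    }


if __name__ == "__main__":
    # Expected: only the exact passphrase verifies; the hash itself reveals
    # nothing about how many spaces (if any) the input contained.
    print(space_handling_demo())
```

The stored record carries its own salt and iteration count, so the policy can be tightened later (more iterations, a different KDF) without touching what users are allowed to type. If a site instead insists on rejecting spaces, that restriction is living somewhere other than the hash.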
You're drawing conclusions from information that doesn't lead you to one.
All CAPTCHAS are a pain, but the reasons for having one are fair.
The phone verification is a more interesting issue. When I created an account yesterday, it never asked anything about phone verification. And some people who could be trying to register perhaps don't have phone access? If it is randomly mandatory, that's a decent pain and privacy issue. I'm guessing it's probably opt-in or opt-out, though.
Do I agree with all their decisions? Not really, but I can see why they were made.
Otherwise, the more I read about these experts who can get 90% of a 16k password hash list figured out in a few hours, I can't think how MyAuntSally1 is any safer than donkey.
Yahoo usernames were required in 2007: http://news.bbc.co.uk/2/hi/technology/6316761.stm
Maybe instead of spending billions buying and "sunsetting" random mobile apps or mediocre blog platforms, Marissa should dedicate a single high school dropout's salary to fixing the damned thing.
I've all but given up on logging into any Yahoo! property at this point.
Maybe some day, Yahoo will get their heads out of their asses and restore access to my old photos. I'm not holding my breath.