Yahoo is now recycling handles

Whackiness, predictably, ensues:

  https://medium.com/editors-picks/46b47d95b957

You can do the math how this might affect you, your services, and your users,
if you have those.

Will people *ever* start listening when we tell them how Bad an Idea
something is? The RISKS are endless...

Cheers,
-- jra

The issue was studied thoroughly by a committee of MBAs who, after extensive thought (read: 19 bottles of scotch), determined that there was money to be made.

whatcouldpossiblygowrong?

- Pete

To their (partial) credit they are also supporting a new email header:
Require-Recipient-Valid-Since:

via draft-ietf-appsawg-rrvs-header-field

The idea of this header is that it will allow a sender to control that a
user will only receive an email if that email address was valid before a
specific date, thus at least stopping someone from using a recycled account
to carry out a password reset on another service.

Facebook at least is already sending this header on all emails.

Overall this is nothing new - Hotmail has been doing the same thing for
years.

  Scott

When I used to use Hotmail, your account was dropped after 30-60 days
of non-use.

Whereas Yahoo kept accounts active forever until recently.

Granted it's been >15 years since I've used a Hotmail account
regularly. Microsoft *may* change their policies more often than that.

Overall this is nothing new - Hotmail has been doing the same thing for
years.

Scott

When I used to use Hotmail, your account was dropped after 30-60 days
of non-use.

Whereas Yahoo kept accounts active forever until recently.

as an ex yahoo security guy for many years, my recollection is this isn't the case.

starting 8-10 years ago accounts which went dormant for extended times had actions taken on them.

e.g. free accounts not logged into for a while (order of a year) had their old email archived, or maybe even erased,
i am not recalling exactly which...

accounts already in that inactive state could at any point have their names reclaimed, but the process of
doing that was (as i recall) a manual and infrequent one. i remember it happening two or three times
over about 8 years, so that would make it a big batch about every year or two.

(several kinds of accounts, such as paid accounts, accounts managed for partners such as sbc and
rogers, and those deactivated for abuse were kept around forever in the deactivated state so they
couldn't be ever reregistered and reused for similar abuse.)

(yahoo internally understands the difference between the old account and the newly registered eponymous
account because account registration date (at the granularity of a week) is logically part of the yahoo id
whenever ids are used, exported, compared with other ids, looked up or stored in databases, etc..)
(it was a fairly common bug we would find in our security reviews for programmers to ignore
the regweek, for example, when exporting lists of ids for some purpose).

btw:

i don't think it's so unreasonable to treat a free account that hasn't been logged into for 2-3 years as
abandoned. i agree it can have unfortunate side effects (particularly domain name takeover
of long-registered names).

in its early days, one of the reasons people switched to gmail was that they could get a better name there
than e.g. blah32975@yahoo.com.

(this was slightly exacerbated because for a number of years if someone had mis@yahoo.com,
the cohort address in other ccTLDs such as blah32975@yahoo.co.uk was also not available to be
registered.)

approximately 5 years ago, yahoo split out some populous countries into their own name
spaces, which made a lot more names available to be registered. there was a land rush,
in fact, to register "good names", and some people were not-so-amusingly trying to sell them.
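Two points in the thread are really the same mechanism seen from two sides: Scott's description of Require-Recipient-Valid-Since (a sender asks the receiver to deliver only if the address was already valid at a given time) and the note above that a Yahoo id is logically (handle, registration week) and that ignoring the regweek was a recurring review finding. The block below is an added illustration, not code from the thread or from Yahoo; it assumes the field syntax "addr-spec; date-time" of the RRVS draft, a hypothetical regweek encoding (whole weeks since the Unix epoch), and a small constructed account directory in which one handle has been recycled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional, Tuple

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AccountId:
    """A handle plus its registration week ('regweek' in the post above).
    The encoding (whole weeks since the epoch) is a hypothetical one."""
    handle: str
    regweek: int

    @classmethod
    def from_registration(cls, handle: str, registered: datetime) -> "AccountId":
        return cls(handle.lower(), (registered - EPOCH).days // 7)


def is_stale_reference(stored: AccountId, active: AccountId) -> bool:
    """True when a stored id names the same handle but a *different*
    registration, i.e. the handle was recycled after the reference was
    taken. Comparing handles alone (the review bug described above)
    would report the two ids as the same account."""
    return stored.handle == active.handle and stored.regweek != active.regweek


@dataclass(frozen=True)
class Account:
    id: AccountId
    registered: datetime


def _account(handle: str, y: int, m: int, d: int) -> Account:
    reg = datetime(y, m, d, tzinfo=timezone.utc)
    return Account(AccountId.from_registration(handle, reg), reg)


# Constructed directory of the receiver's *currently live* registrations:
# blah32975 was first registered in 2005, went dormant, and was
# re-registered by someone else in August 2013; longtime never lapsed.
DIRECTORY = {
    "blah32975": _account("blah32975", 2013, 8, 1),
    "longtime": _account("longtime", 2004, 2, 14),
}

# A partner's stored reference to the *old* registration of blah32975.
OLD_REFERENCE = AccountId.from_registration(
    "blah32975", datetime(2005, 3, 1, tzinfo=timezone.utc))


def parse_rrvs(value: str) -> Tuple[str, datetime]:
    """Parse 'addr-spec; date-time' (assumed RRVS field layout)."""
    addr, _, when = value.partition(";")
    if not when.strip():
        raise ValueError("RRVS field must be 'address; date-time'")
    ts = parsedate_to_datetime(when.strip())
    if ts.tzinfo is None:           # '-0000' yields a naive datetime
        ts = ts.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), ts


def rrvs_decision(rcpt_to: str, rrvs: Optional[str]) -> str:
    """Receiver-side policy for one recipient: 'deliver', 'reject' or
    'no-rrvs'. The sender only asks; any enforcement happens here."""
    if rrvs is None:
        return "no-rrvs"
    addr, valid_since = parse_rrvs(rrvs)
    if addr != rcpt_to.lower():
        return "no-rrvs"            # field is about some other recipient
    account = DIRECTORY.get(addr.split("@", 1)[0])
    if account is None:
        return "reject"             # nobody holds this handle now
    # The sender last confirmed the address at valid_since. A live
    # registration newer than that means the handle was recycled.
    return "reject" if account.registered > valid_since else "deliver"


if __name__ == "__main__":
    reset = "blah32975@yahoo.com; Tue, 1 Jan 2008 00:00:00 +0000"
    print(rrvs_decision("blah32975@yahoo.com", reset))         # reject
    print(is_stale_reference(OLD_REFERENCE, DIRECTORY["blah32975"].id))
```

The directory lookup only knows the receiver's own namespace, so this check says nothing about a whole domain that changed hands; it also does nothing unless the receiving system chooses to act on the field.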

To their (partial) credit they are also supporting a new email header:
Require-Recipient-Valid-Since:

with no X- before it?

randy

http://tools.ietf.org/html/rfc6648

Scott Howard wrote:

The idea of this header is that it will allow a sender to control that a

The sender has no control and asks a receiver to perform some control,
which may be ignored by the receiver.

user will only receive an email if that email address was valid before a
specific date, thus at least stopping someone from using a recycled account
to carry out a password reset on another service.

It does not work as protection against a transferred domain.

Facebook at least is already sending this header on all emails.

Someone might want people to keep using mail services monitored by
the USG.

            Masataka Ohta

In article <m2mwnt84po.wl%randy@psg.com> you write:

To their (partial) credit they are also supporting a new email header:
Require-Recipient-Valid-Since:

with no X- before it?

Well, yes:

draft-wmills-rrvs-header-field-01.txt

R's,
John

Back when I ran nether.net as full-scale public access, I would reap unused accounts after some period of time... I don't recall anymore, as that was almost 15+ years ago now. But one month seemed like the right number. I had almost 100k accounts at most points... Was fairly crazy.

At least the Internet Archive captured some of the cool stuff the users did back then.

- Jared

Apparently it was implemented by a group of low-bid programmers in a far off land.

I have, err, had, a Yahoo! account I used for two things, getting e-mail from Yahoo! groups and accessing Flickr. I was on Flickr not two or three months ago to fix a picture someone noticed was in the wrong album.

When I saw this I thought I should log in again to reset my one-year ticker. Off to www.yahoo.com and click sign in.

Enter userid, enter password.

Drops me to a CAPTCHA screen, that's odd, never seen that before, but ok.

Enter CAPTCHA and it redirects me to "https://edit.yahoo.com/forgot", which when reached from said CAPTCHA screen renders as a 100% blank page.

That's some fine web coding.

I went to the flickr site, tried to log in. At least there it tells me my userid is in the process of being recycled. No option to recover.

Try creating a new account with the same userid, sorry, it's in use.

So as far as I can tell:
  - The "must be inactive for one year" is BS, and/or logging into Flickr didn't count in my case.
  - No notifications are sent, so if you're a person who is there for things like Yahoo groups and forwards your e-mail elsewhere you may be using the service in a way that generates no logs.
  - There is no way to get an account back that is in the recycling phase, which is frankly stupid.

As a result Yahoo! has lost a Flickr and Groups member, and I'm not sure I see any reason to sign up again at this point.

Alec . . . I'll take "I don't use Yahoo because of Yahoo's" for 100, please.

I've got to apologize publicly to Yahoo! here as part of my issue was my own stupidity. It appears in the past I've had multiple Yahoo! ID's and I was trying to use the wrong one, one that may have gone away a long time ago, rather than my still active ID. Some helpful people at Yahoo got me straightened out on that point. My apologies for disparaging Yahoo! when it was my own fault.

There's still the much more minor point that when I tried to "self serve" I ended up at a blank page on the Yahoo! web site, hopefully they will figure that out as well.

I'm continually amazed at the number of web designers that don't test
their pages with NoScript enabled. Just sayin'.

I've got to apologize publicly to Yahoo! here as part of my issue was my own stupidity. It appears in the past I've had multiple Yahoo! ID's and I was trying to use the wrong one, one that may have gone away a long time ago, rather than my still active ID. Some helpful people at Yahoo got me straightened out on that point. My apologies for disparaging Yahoo! when it was my own fault.

Error or not, the recycling problem's real. I find myself having received
some sales figures for a Jiffy Lube chain somewhere, and I have to assume
that there will be a lot of instances where set-and-forget users have
supplied their Yahoo address to business partners, financial institutions,
etc. and who will continue to send confidential mail to the recycled
address.

... JG

NoScript? That's some kind of antimalvirus thingy for Internet Explorer, right? I think I read something about that in the Website Design For Dimwits in 24 Hours book... :wink:

I assume that you intended this for the list and not me directly, and that you haven't yet got around to reading "Things To Experience On The Internet, Volume 1: Sarcasm". :slight_smile:

In case it wasn't abundantly clear, my post was a shot at what often passes for "web developer" these days. I had hoped that "antimalvirus" would have been an indication that it was a joke, but I guess my sarcasm is rusty... I would hope that no one on this list is ignorant of both the failings of IE and of the existence of NoScript.

NoScript users are even less important than IE6 users. Welcome to
the long tail of irrelevance.

Mike

While it's perhaps likely I would use NoScript, the failure in question
happened with a bone-stock, up-to-date Safari client with JavaScript
enabled. No ad-block or other software to interfere.

I've got to apologize publicly to Yahoo! here as part of my issue was my own stupidity. It appears in the past I've had multiple Yahoo! ID's and I was trying to use the wrong one, one that may have gone away a long time ago, rather than my still active ID. Some helpful people at Yahoo got me straightened out on that point. My apologies for disparaging Yahoo! when it was my own fault.

There's still the much more minor point that when I tried to "self serve" I ended up at a blank page on the Yahoo! web site, hopefully they will figure that out as well.

I surely hope so too. When I tried to get my old Yahoo email account back (I have only ONE), I ended up at the same empty page. I hope some Yahoo people on this list are listening. It is important to me that I can get that email address back; some friends only know me by that address.

Lixia