Yahoo! Yahoo! Ya…awn!

Why haven’t I blogged about Yahoo! already? Because it’s boring. Large company with lots of consumer personal data fails to take even barely adequate steps to protect that information. How is this news? There were two recorded data breaches every day in 2014 in the US alone, four every day (that we know about) worldwide.  That count went up by 8% in 2015, and is already up 25% on last year as of the 13th of December. Yahoo did manage to set some kind of record for the number of records breached in a single incident, which is something, I suppose.

You just have to assume that anyone who holds your data will be breached and that they will turn out to have used inadequate encryption allowing your password to be compromised along with any other data they hold. There’s a good chance they’ll leak your card details as well, if they have them.

So what do you do?

Use a different password for every site. If you don’t do this, you deserve everything that happens to you. It’s not hard. Use a technique called “salting”.

Take a word you’ll remember, like “revolution”.

Capitalise and l33t-substitute it to satisfy stupid and wrong password complexity rules, so it becomes R3v0lut10n.

Now add the name of the website to the word, with a space or other character in between. You can muck about with the website name too, if you promise to remember what you did.

So your Yahoo password is R3v0lut10n.Yahoo! – not as good as a passphrase, but reasonably strong, certain to satisfy complexity rules, and easy to remember.

Your Facebook password is R3v0lut10n.Facebook. Easy, yes?

The point is that yes, a human being looking at the clear-text version of your passwords can guess how you’re composing them. But that’s not how most hacking works; they buy lists of username and password combinations and automatically fire them at common sites – they’re not specifically looking at the data case-by-case.
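The following sketch is an added example, not part of the original post. It models the claim above: a leaked username and password replayed verbatim at other sites works when the password is reused and fails when each site gets its own composed password. It also checks the trade-off the post concedes, that the leaked clear text reveals the pattern. The site `ExampleShop`, the user `alice@example.com`, the PBKDF2 storage and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

LEET = str.maketrans({"e": "3", "o": "0", "i": "1"})  # substitutions seen in the post's example

def compose(base_word, site):
    """Per-site password as the post describes: l33t base word + '.' + site name."""
    return base_word.capitalize().translate(LEET) + "." + site

class Site:
    """Constructed stand-in for a website that stores salted PBKDF2 hashes."""
    def __init__(self, name):
        self.name = name
        self._users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._hash(password, salt))

def reveals_scheme(leaked_password, breached_site):
    """True if the leaked clear text embeds the breached site's name."""
    return breached_site.lower() in leaked_password.lower()

def simulate(password_for):
    """Enroll one user on three sites, leak the Yahoo! password, replay it elsewhere.
    Returns the names of the other sites that accept the leaked pair unchanged."""
    user = "alice@example.com"                      # constructed account
    sites = [Site(n) for n in ("Yahoo!", "Facebook", "ExampleShop")]
    for s in sites:
        s.enroll(user, password_for(s.name))
    leaked = password_for("Yahoo!")
    return [s.name for s in sites[1:] if s.login(user, leaked)]

if __name__ == "__main__":
    print("reused password :", simulate(lambda site: "R3v0lut10n"))
    print("per-site scheme :", simulate(lambda site: compose("revolution", site)))
    print("scheme visible  :", reveals_scheme(compose("revolution", "Yahoo!"), "Yahoo!"))
```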

That’s step 1. If you want to be properly paranoid, you should also:

  1. Lie about your birthdate (choose a date you’ll remember, and don’t do this on government websites, obviously, or to make yourself appear old enough for things you shouldn’t be doing).
  2. Lie when asked for additional security information. Use a similar salting technique, so your mother’s maiden name for Yahoo is Yahoomother, your school is Yahooschool and so on. Go on, indulge yourself – use rude words.
  3. Get a credit card, with a low credit limit, and use it, and only that card, for all internet purchases. Don’t use it for anything else, and don’t ever use any other cards online.
  4. Wherever possible, use PayPal or Amazon payments rather than giving your card number to yet another merchant. Neither of these web giants is immune from breach, but at least they can afford to compensate you if it all goes wrong, and the fewer places have your card, the fewer points of failure there are.
  5. Never, ever, ever link your bank account to anything or use a debit card online. A credit card with a low limit gives you a stop loss, and (in the UK) you have additional protection against fraud. If someone breaches your bank account or your debit card, you will enter a whole new world of pain.
  6. Don’t store identity documentation, card numbers or passwords online. I know it’s tempting to keep a scan of your passport or driving licence in an email or an online folder so you can send it on to any of the increasing number of idiot companies who think this is a clever way to ~~encourage~~ prevent identity fraud, but imagine the fun when that email account is breached. If you have to send a scan of this sort, delete the scan from the sent email as soon as you can. And pray that the receiving company has good data hygiene. They won’t, but maybe the prayer will make you feel better.

It’s a shame you have to jump through all these hoops because internet companies continue to be (allegedly) criminally negligent, but that’s the bed we’ve made for ourselves to lie in.

Alternatively, of course, you could follow some excellent and timeless advice from 1985…

(all US data from ITRC; global data from BreachLevelIndex).

3 thoughts on “Yahoo! Yahoo! Ya…awn!”

  1. I like how we have to encrypt our own passwords!

    Including the name of the website in the “salted” password does mean we can have a different password for each website, whilst giving us easy access, but as you say, it’s a little too easy for someone else to figure out our method if they see one password.

    I have a bunch of memorable words floating around in my head that I can write down in shorthand to form part of a password. The next step is to encrypt the answers to the security questions, and make them different for each website, since Yahoo kindly handed them out in plain text.

    I like your final suggestion though: “pray that the receiving company has good data hygiene. They won’t, but maybe the prayer will make you feel better.” I’ll think of a prayer after I’ve finished mentally encrypting, and locking myself out of, all of my accounts.
