The danger of Yahoo’s new ‘on demand’ password feature

Whatever you do, don't lose your phone.

 

William Turton


Published Mar 16, 2015   Updated May 29, 2021, 7:19 am CDT

In an age where digital security and privacy are slowly becoming nonexistent, Yahoo has a new way to make your accounts even less secure. 


That’s right, with Yahoo’s new “on demand” passwords, you completely ditch your password and replace it with a time-sensitive code that’s sent to your phone or tablet through an app or text message. It’s like two-step verification without the password step.


In other words, users of the “on demand” feature no longer enter their regular passwords. Instead, they simply enter the one-time code. 

Because the “on demand” code is only valid for a limited time, the system theoretically removes some of the dangers of having your login credentials stolen and used to hijack your account. It also eliminates the need to create a strong password that’s hard to remember—and the tendency to use passwords that are downright horrible.

There’s just one problem.

If your phone is lost or stolen, your Yahoo account is at risk. “On demand” passwords take the first, most crucial step out of two-step verification: a strong password. Yahoo’s “on demand” passwords are intended to make logging into your accounts a little more convenient, but you sacrifice security in the process.

Yahoo already offers one of the best ways to secure your accounts: Two-step verification, which requires both a password and a verification code, provides an extra layer of protection if your password were compromised or if your mobile device were stolen.


While “on demand” passwords may be a step back in securing your accounts, Yahoo is making strides in the other direction: email encryption. The company announced Monday that it is working on a system that allows users to easily use end-to-end PGP encryption, one of the most sophisticated encryption methods, through a simple browser plugin. Yahoo says the plugin will debut in the fall.

Here’s a video of the plugin in action. On the left is the traditional process for setting up PGP encryption for your email:

H/T The Verge | Illustration by Max Fleishman

*First Published: Mar 16, 2015, 7:13 pm CDT