Yahoo-Voices-Hacked-450000-Passwords-Posted-Online-01Yahoo has started freeing up Yahoo IDs like emil@yahoo.com that have been inactive for at least 12 months so users like thisismythrowawayaccount@yahoo.com can finally get a useful email address. The company gave users just over a month to login if they hadn’t in the last year, and now it has launched a “wish list” for those interested in getting a new name.

Head to wishlist.yahoo.com and enter up to five usernames, in order of most wanted to least wanted. Then enter your current Yahoo email address. Hit the Submit button and you’re good to go.

When you’re done, you will get the following message:

If you’re first in line for a username, we’ll email you a link to claim it in mid-August, 2013. After that, you can add usernames to a watch list so you’re the first to know when they become available.

Curiously, you can fill out this form as many times as you want. It’s not clear if doing so will overwrite your last submission or not, but we’d guess that it probably does.

If your first choice isn’t available, Yahoo will work its way down your list. Next month, Yahoo will send out emails letting its users know which of their picks is available, with a link for claiming them within 48 hours.

To communicate to another site that a username has a new owner, Yahoo will allow them to “ask” for a new type of validation when sending an email to a specific user. The field, which can be requested via an email’s header is called “Require-Recipient-Valid-Since,” a new standard being published with the IETF.

Facebook helped Yahoo with this initiative, and here’s how the verification method will work with the social network:

If a Facebook user with a Yahoo! email account submits a request to reset their password, Facebook would add the Require-Recipient-Valid-Since header to the reset email, and the new header would signal to Yahoo! to check the age of the account before delivering the mail. Facebook users typically confirm their email when they sign up for the service or add new emails to their account, and if the “last confirmed” date that Facebook specifies in the Require-Recipient-Valid-Since header is before the date of the new Yahoo! username ownership, then the email will not be delivered and will instead bounce back to Facebook, who will then contact the user by other means.

Criminals will nevertheless look for ways to exploit this new header, but will probably mainly focus on sites that haven’t implemented it yet. Thankfully, even Yahoo expects that “a very small percentage” of its users had an active email address with the company that had a “short, sweet, and memorable” ID that could be re-used.

Source: TNW