BBAM's profile

New Member

 • 

6 Messages

Monday, June 13th, 2022 10:28 PM

att email keeps logging me out

AT&T email keeps logging me out when I do anything else or away. I saw the clear cache/cookies advice, but it is on all 4 devices I have. I check the 'keep me logged in' option every time. It doesn't matter.

New Member

 • 

2 Messages

11 months ago

OK, I love the "easy" questions. First off let me be succinct, all my computers get restarted when an issue pops up. I've tried Incognito mode, Safe-mode in Windows, iOS 15, iPhone, iPad 4 and 5. Linux, Opera, Chrome, Safari, Firefox, Private browsing. I even tried opening it on my Powerbook 540c using OS 9 just for the heck of it.

Broke.

It sure does seem hopeless Mr Phil. Yes choices abound for another service. I just may. I really do respect you for trying to defend the situation; this company. Unless of course, you're an underground mole of 'ole Mother Hubbard.

In any event, I really don't "care" what it takes to fix due to the ridiculous amount of money this company makes and CAN invest into fixing it. Good luck on the defense.

(edited)

tonydi

ACE - Guru

 • 

9.9K Messages

11 months ago

@phillipremaker   This is not browser plug-ins, A/V or privacy protection. Have you missed the posts from ATTHelp saying this password issue is the result of "bad actors" attempting to log into people's accounts?  After 6 failed attempts Yahoo locks the account, thus triggering the need to "change" passwords in order to resync the account. 

They are (apparently) trying to block these people through IP address blocking, but for reasons that are not clear to me, it's been a month since they announced this and they've made no headway.  Not sure what they were doing between last October and the first week of June.  🙄

New Member

 • 

120 Messages

11 months ago

@tonydi I did miss that. Not a great practice to lock out an account under attack! That just punishes the innocent. How does Yahoo determine the login attempts since it's really a federated login from AT&T? Who is imposing the lock, AT&T or Yahoo?

@venemoux : I'm not defending the company, but part of my day job is managing federated logins and OAuth systems, so I know how deep the rabbit hole goes.

So, maybe I don't understand the problem. The problem *I* am talking about is that you get logged out and forced to log in again. 

The problem tonydi is talking about is that you get logged out and can't log in AT ALL until you change your password.

Which problem are we discussing? It may be better to start a fresh thread with a precise definition of the problem with examples.

New Member

 • 

9 Messages

11 months ago

Unfortunately, I have had both problems. Logged out for no reason, while logged in and reading my emails and unable to log in until I change my password. I have tried all the suggestions mentioned in this thread and continue to have these issues. For the past month, it sometimes happens all day, every day, then it might be ok for a few days or even a week, then it starts again. There does not seem to be any rhyme or reason to it. It may indeed be better to just change my email address, as extremely painful as it may be.

tonydi

ACE - Guru

 • 

9.9K Messages

11 months ago

I totally disagree that this isn't a great practice.  Lockouts after x number of failures is super common, used all over the Internet.  I'm sure you're aware that hackers can brute force thousands of password attempts per second.  Given the general tendency of users to come up with lousy passwords, these accounts would have given the "bad actors" almost immediate access to the accounts.  How else would you guard against that (and keep in mind that Yahoo/AT&T can't even seem to figure out how to ID the source of these attacks and put mitigation processes in place to stop them)?

Given how clueless any of the AT&T people here are about this whole issue, it's hard to say for sure but my understanding is that Yahoo blocks the account.  That process is in place for regular yahoo.com email accounts as well.

Yes, there are two logout issues.....ones where the user opens the webpage and is faced with the message that they've had too many failed login attempts.  The other issue is "live" logouts, where the user is logged in and either sitting on the webpage or even actually interacting with the page.  The latter seems to be far less common but my feeling is that the same account protection processes are causing both.

New Member

 • 

120 Messages

11 months ago

@tonydi Lockout after failure is a vector for a denial of service attack, and is therefore a poor practice. "Thousands of password attempts per second" should be blocked by rate limiting attempts and IP address blocking. This is what iCloud did after the Jennifer Lawrence attack.

But, I do see that this is the AT&T practice, which is unfortunate. That means I can lock anyone out of their account if I just know their email address. Booo!

You should only force a password change if someone from an unexpected location gets the right password and is denied after further verification. Locking out accounts due to brute force attacks is a bad practice.

Anyway, there are two separate issues, and should be diagnosed separately, even if they ultimately end up with the same root cause.

My main issue is that the clumsy, federated logins of AT&T (especially with the legacy domains) are full of pitfalls and things that some browser plugins may misinterpret as threats.

I'm certainly not ruling out a back end AT&T problem, but it would be best to approach AT&T with solid evidence. 

Unfortunately, I don't know the authentication architecture and haven't spent a lot of time reverse engineering it.

However, if someone is attacking their accounts with password guesses, there's nothing they can do but change providers. That's why it is a bad design.
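
The trade-off debated in the posts above (locking the account after 6 failed attempts versus rate limiting by source), as an added example that is not part of the original thread or any AT&T/Yahoo code. The class names, the 300-second window, the addresses and the scenario are assumptions constructed for illustration; only the threshold of 6 comes from the thread.

```python
from collections import defaultdict, deque

MAX_FAILURES = 6        # threshold quoted in the thread
WINDOW_SECONDS = 300    # assumed throttle window (not from the thread)

class AccountLockout:
    """Locks the account for everyone after MAX_FAILURES bad passwords."""
    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, account, source_ip, password_ok, now):
        if self.failures[account] >= MAX_FAILURES:
            return "locked"               # the real owner is blocked too
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        return "denied"

class PerSourceThrottle:
    """Throttles each (account, source) pair; other sources are unaffected."""
    def __init__(self):
        self.recent = defaultdict(deque)  # (account, ip) -> failure timestamps

    def attempt(self, account, source_ip, password_ok, now):
        q = self.recent[(account, source_ip)]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                   # forget failures outside the window
        if len(q) >= MAX_FAILURES:
            return "throttled"            # only this source is slowed down
        if password_ok:
            return "ok"
        q.append(now)
        return "denied"

def simulate(policy):
    """Constructed scenario: 10 bad guesses from one address, then the owner
    signs in with the correct password from a different address."""
    guesses = [policy.attempt("user@example.net", "203.0.113.9", False, t)
               for t in range(10)]
    owner = policy.attempt("user@example.net", "198.51.100.4", True, 11)
    return guesses[-1], owner

if __name__ == "__main__":
    print("account lockout    :", simulate(AccountLockout()))
    print("per-source throttle:", simulate(PerSourceThrottle()))
```

Per-source throttling alone does not cover guessing spread across many addresses, which is why it is normally paired with further verification on unusual sign-ins, as the post above suggests.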

tonydi

ACE - Guru

 • 

9.9K Messages

11 months ago

@phillipremaker   You make some good points and have convinced me to rescind the "great practice" statement.  I don't doubt that there are far better ways to approach this type of attack but looking at the history of Yahoo in particular, it's not a surprise that they lack best practices. 

Again, this presumes what ATTHelp is telling us about "bad actors" is true. The questions it brings up, like why did it take 7 months to discover this and, a month later why is it still happening when there are commonly available tools to stop it, makes it difficult for me to process.

From taking a cursory look through the sign in processes (and admittedly with just my unprofessional eyes), AT&T hands off the login procedure very quickly to Yahoo, like within a fraction of a second, and doesn't appear to be involved at all after that point. 

Maybe you could look at the process and see exactly what is going on.

New Member

 • 

120 Messages

11 months ago

@tonydi - I'm not an expert, but the basic idea is that AT&T generates a "session token" which is stored as a cookie, and Yahoo honors it.

I logged in at currently.att.net with my att.net id which is tied to an sbcglobal.net email. That process generated 20 att.net cookies, 14 yahoo.com cookies, and one mail.yahoo.com cookie. 9 are session cookies (2 yahoo, 7 att) and the expiration times of the rest range from 3 hours after I connected to the year 2072 (!). 

The 3 hour cookie for ATT is QuantumMetricSessionID, and the 3 hour Yahoo cookie is GUCS. 

I may start experimenting with deleting individual cookies and see what happens. 

It's far from simple - a lot of moving parts under the hood and it may vary depending on your account type. 

Suddenly being logged out seems weird, though. 

tonydi

ACE - Guru

 • 

9.9K Messages

11 months ago

Ok, I wasn't really looking at stuff like the cookies, I was looking at the network traffic to see who was doing what and when.  I suppose the cookie generation could easily be done in the fraction of a second before Yahoo shows up.  Heck, there's more traffic with Google and Microsoft than with AT&T in the first second.  😁

New Member

 • 

6 Messages

11 months ago

Everyone, this problem has nothing to do with cookies, logging into "Currently.com", making sure to "keep logged in for 2 weeks" or anything else having to do with us or our PCs. This is 100% a failure of AT&T and/or Yahoo! mail. This is a mail server problem and AT&T couldn't care less. This problem is extremely widespread and is affecting thousands of users. I spent over 1/2 an hour on the phone with AT&T's Filipino "tech experts" and they had no idea what they were talking about. The only thing they said that was true is that this is AT&T's fault, not ours. But, it's been going on for quite a while now and AT&T has done nothing. It could even be something as slimy as making free email so annoying, so dysfunctional that we move to the paid version of their email. Don't do it, folks. Keep complaining until AT&T gets off its A $ $ and fixes this email disaster.

(edited)
