Yahoo wants to end your dependency on memorizing passwords (or creating crap ones that can be guessed or hacked) with the introduction of a new “on-demand” system that sends a one-time password when you need to log in.
The new approach is designed to increase security and make your Yahoo account less hackable. In some ways it achieves that. Countless millions of people recycle memorable passwords across a number of services, including their email account. Not only are those passwords usually fairly easy to hack (randomized passwords are preferred), but reusing them is inherently insecure because, if or when one is cracked, it opens up large parts of your digital identity, or your entire online presence.
On-demand passwords, which are not usable after you’ve logged in, are designed to remove that password-chain domino effect because they are specific to your Yahoo account. But there’s one fairly major caveat: if you lose your phone, the person in possession of it has a ticket into your email.
In some cases, if you get SMS notifications on your lock screen, the on-demand password will show up even if your phone is locked. So, if you lose it, the person who picks it up doesn’t even need to know your passcode to get into your Yahoo account once they know your ID.