After the breach: eBay’s flawed password reset leaves much to be desired

eBay has finally stopped burying its own advisory to change passwords following a major hack on its corporate network by adding an important password update to the top of its home page. Now, engineers should turn their attention to flaws on the site's password reset page that may prevent users from choosing passcodes that are truly hard to crack.

When strong is weak

Chief among the imperfections is eBay's meter that labels chosen passwords as "weak," "medium," or "strong" depending on their resistance to common cracking techniques. It showed "Stlk/v/FqSx"lireFTzidyS/m" (minus the beginning and ending quotation marks) as being weak, even though the password has 25 characters that include a mix of upper- and lower-case letters and symbols, and it isn't included in any obvious dictionary or word list. (Thanks to @digininja for the example.) That means the only likely way to crack it is to employ a brute force technique in which an attacker tries every possible combination. The involved "keyspace"—that is, the number of possible combinations of a 25-character string with upper- and lower-case letters with special characters—is 85^25, which is calculated by adding the number of possible letters (52) and the number of possible symbols (33) and raising the sum to the power of the password length (25).

It would take huge amounts of time and computation power to crack the password, and yet for some unexplained reason, eBay is telling users it's weak. The site's password meter similarly grades as weak the inversion, "m/SydizTFeril"xSqF/v/kltS", as well as smaller subsets. It also gave a "weak" mark to the password choices of "bEDl(<y|" and ">advice to eBay customers—as medium strength.
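As an added example (not code from the article or from eBay), here is a small Python estimator that applies the article's keyspace arithmetic to any password, so the grading of the 25-character example and its inversion can be checked directly. The 33-symbol count is the article's; the guess rate and the entropy thresholds used for the labels are assumptions made for this example.

```python
import math
import string

# Password quoted in the article (the embedded double quote is part of it).
EBAY_EXAMPLE = 'Stlk/v/FqSx"lireFTzidyS/m'

# Character classes and pool sizes. The 33 symbols are the printable ASCII
# non-alphanumerics (string.punctuation, 32 chars) plus the space character,
# which matches the symbol count used in the article.
CLASSES = {
    "lower": set(string.ascii_lowercase),      # 26
    "upper": set(string.ascii_uppercase),      # 26
    "digit": set(string.digits),               # 10
    "symbol": set(string.punctuation + " "),   # 33
}

def keyspace(password):
    """Return (pool_size, combinations) using the article's arithmetic: add
    the sizes of the character classes present, raise the sum to the length.
    Assumes no dictionary or pattern structure (the article's premise)."""
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    return pool, pool ** len(password)

def entropy_bits(password):
    """Brute-force entropy in bits: length * log2(pool)."""
    pool, _ = keyspace(password)
    return len(password) * math.log2(pool) if pool else 0.0

def crack_time_years(password, guesses_per_second=1e12):
    """Time to exhaust the keyspace at an assumed guess rate (1e12/s is a
    generous figure for a fast-hash GPU rig)."""
    _, combos = keyspace(password)
    return combos / guesses_per_second / (365.25 * 24 * 3600)

def strength_label(password):
    """Entropy-based label. The thresholds (below 40 bits weak, below 80
    medium) are an assumption for this example, not eBay's rules."""
    bits = entropy_bits(password)
    if bits < 40:
        return "weak"
    return "medium" if bits < 80 else "strong"

if __name__ == "__main__":
    # Reversing a string does not change its character classes or length,
    # so the inversion must grade identically to the original.
    for pw in (EBAY_EXAMPLE, EBAY_EXAMPLE[::-1], "qwerty"):
        print(f"{pw!r}: keyspace={keyspace(pw)[1]:.3e} "
              f"bits={entropy_bits(pw):.1f} label={strength_label(pw)}")
```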
