eBay urges users to change passwords

Status
Not open for further replies.
Splendid security! A pleasure to do business with. A+++++. Would hack again.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information.

Is there actually any more confidential personal information left?

The company said that the compromised employee log-in credentials were first detected about two weeks ago.

Well thank you very much for telling me so soon.
 
You're quoting this, but you don't seem to understand what it means--by far the worst thing you can do for password security is to read a comic and then without understanding it, echo it mindlessly.

I hate seeing this thing quoted.

This XKCD is actually giving horrible advice because even though the raw mathematical complexity is indeed higher simply by the number of characters, this is not really how passwords are cracked. The XKCD advice here is valid if all password crackers were dumb, brute force tools.

But most tools will use dictionary based brute force attacks that take advantage of the fact that most people will use dictionary words in their passwords and even account for letter substitutions.

So using simple dictionary based words to create passwords is a terrible idea; some of the worst advice that can possibly be given.

Ars Technica had a series of great articles on how passwords are really cracked: http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/3/ and http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
 
This finally made me sign up for lastpass.

After heartbleed + target + yahoo + kickstarter + adobe, I'm getting tired of manually changing my passwords and trying to come up with something secure.
 
ffs. I'm fed up of all these websites getting hacked and me having to change my password all the time.

I don't think it's going to get better either.
 
Holy hell. I was just asked to change my password on sourceforge. And they explicitly wanted me to create a new one. Email didn't state any attack though.
 
The site says it's backed up with all of the traffic right now so I can't sign in, but thanks for the heads up OP. I'll change it whenever I can.
 
Can't seem to change my password right now. Sucks too because there is some Game Boy stuff I'm trying to buy right now; seems kind of silly I can browse listings with no problem but I can't sign in or anything.
 
Some "urging". No email here and nothing on their front page. How hard is it to email people?

They've been getting a lot of criticism for not being open about it. The only mention on their website is hidden five clicks from the homepage and no warning emails to anyone. I got a prompt that I should change my password in the iOS app but that was it.
 
You'd have thought a site the size of eBay would offer two factor authentication by now.

Speaking of which, I recently enabled two factor on Paypal. I ran with it for a while, but randomly wouldn't get SMSs, which completely defeats the point. It only offers SMS rather than integrating with the Google Authenticator app.
 
They're not. Protect yourselves and get a password manager. Don't trust 3rd parties to protect your info.

Oh, I use LastPass, but this shit is ridiculous. These companies lose people's information, open them up to stolen CC info and identity theft, and don't even get a slap on the wrist.
 
They're not. Protect yourselves and get a password manager. Don't trust 3rd parties to protect your info.

Pretty ridiculous there's nothing at this point to punish companies who don't give two shits about if they lose credit card info/personal data, or at least it seems like no one is using it.
 
Soooo force it? Why is eBay asking users to do this? Require a pw change at login.
 
Apparently my eBay account doesn't exist anymore. I haven't used it in probably a year or more, but still, has that happened to anyone else? I can claim I've forgotten my username and it emails me what it is, but when I try to claim I forgot my password it doesn't recognize my account name or email as being valid.

I'll have to email them.

edit: Apparently I can't contact them without signing in, the fuck?

edit edit: I clicked on the password update at the top of the page, went through those steps, and now everything works and I'm able to login. I wonder what was up?
 
It prompted me to change my password right after I log in. I go through the thing and at the end it says:

Sorry! We're currently experiencing technical difficulties and are unable to complete the process at this time

fu
 
For people who use LastPass and other password managers, what do you do when you're on the road, or on a PC where you can't download the PW manager and need to log in somewhere?
 
For people who use LastPass and other password managers, what do you do when you're on the road, or on a PC where you can't download the PW manager and need to log in somewhere?

With LastPass, if you're just using the free version, you can still access your vault from your mobile to check on a password. If you upgrade to premium (currently $12 a year) you can use the dedicated iOS/Android apps to integrate LastPass into your mobile browsing.

Same with using a different PC. You don't need to install the browser plugins if you just need to know a password. As long as you can log into the Lastpass website, you can get into your password details there.

Pro-tip: If you use Lastpass, it's compatible with the Google Authenticator iOS/Android app for two factor login. That adds another layer of security to prevent people getting into your account.
 
Nope. eBay only allows passwords of up to 20 characters.

ZING!
This is not actually true - their pop-up text is wrong. The real limit seems to be 64 characters. I've been using a >30 character password for some time without issue (and no, they're not just silently dropping the extra characters).
 
With LastPass, if you're just using the free version, you can still access your vault from your mobile to check on a password. If you upgrade to premium (currently $12 a year) you can use the dedicated iOS/Android apps to integrate LastPass into your mobile browsing.

Same with using a different PC. You don't need to install the browser plugins if you just need to know a password. As long as you can log into the Lastpass website, you can get into your password details there.

Pro-tip: If you use Lastpass, it's compatible with the Google Authenticator iOS/Android app for two factor login. That adds another layer of security to prevent people getting into your account.

ok cool. thanks for the info.
 