While this sounds stupid if you're using a password manager with very complicated passwords, 99.99% of ebay users are probably random moms with very simple passwords. Making sure they don't copy/paste something wrong must really cut the number of support requests.
The problem isn't really that they're inconveniencing "expert" users with a 'one size fits all' approach.
The problem is that they recognize a possible security concern and then, rather than pushing for the root cause of that concern to be fixed, they simply try to work around this particular concern. Their workaround inevitably creates new security risks, or makes more effective solutions harder.
It's just like with passwords. Organization A sees a risk in passwords being brute-forced. So, they require users have [a-zA-Z0-9] passwords. But their standard MD5 password hashing is still too fast. So they require users to change their password every 30 days. Problem solved! Except that now, users are very unlikely to consistently remember their password, meaning lots of password post-its on desks, and lots of support calls. Now they're completely vulnerable to simple physical attacks (deliver flowers to the office -> get some passwords) and social engineering attacks (frequent forgotten password calls -> easier to convince support you're a legitimate user who forgot their password). Insanity.
4 comments
[ 3.9 ms ] story [ 24.6 ms ] threadIt really disappoints me that Ebay are this clueless, and it's making me worry about PayPal..
The problem isn't really that they're inconveniencing "expert" users with a 'one size fits all' approach.
The problem is that they recognize a possible security concern and then, rather than pushing for the root cause of that concern to be fixed, they simply try to work around this particular concern. Their workaround inevitably creates new security risks, or makes more effective solutions harder.
It's just like with passwords. Organization A sees a risk in passwords being brute-forced. So, they require users have [a-zA-Z0-9] passwords. But their standard MD5 password hashing is still too fast. So they require users to change their password every 30 days. Problem solved! Except that now, users are very unlikely to consistently remember their password, meaning lots of password post-its on desks, and lots of support calls. Now they're completely vulnerable to simple physical attacks (deliver flowers to the office -> get some passwords) and social engineering attacks (frequent forgotten password calls -> easier to convince support you're a legitimate user who forgot their password). Insanity.
So many websites have arbitrary restrictions on what can be a password?
eBay have handled this breach poorly, and I hope the suffer, so that in the future they and other organisations will handle these situations better