4 comments

[ 3.9 ms ] story [ 24.6 ms ] thread
I love it how they even include a link to info over their hack together with their "homeopathic" "security" measures.

It really disappoints me that Ebay are this clueless, and it's making me worry about PayPal..

While this sounds stupid if you're using a password manager with very complicated passwords, 99.99% of ebay users are probably random moms with very simple passwords. Making sure they don't copy/paste something wrong must really cut the number of support requests.
I think most of us understand the motivation.

The problem isn't really that they're inconveniencing "expert" users with a 'one size fits all' approach.

The problem is that they recognize a possible security concern and then, rather than pushing for the root cause of that concern to be fixed, they simply try to work around this particular concern. Their workaround inevitably creates new security risks, or makes more effective solutions harder.

It's just like with passwords. Organization A sees a risk in passwords being brute-forced. So, they require users have [a-zA-Z0-9] passwords. But their standard MD5 password hashing is still too fast. So they require users to change their password every 30 days. Problem solved! Except that now, users are very unlikely to consistently remember their password, meaning lots of password post-its on desks, and lots of support calls. Now they're completely vulnerable to simple physical attacks (deliver flowers to the office -> get some passwords) and social engineering attacks (frequent forgotten password calls -> easier to convince support you're a legitimate user who forgot their password). Insanity.

Why are so many web developers such morons?

So many websites have arbitrary restrictions on what can be a password?

eBay have handled this breach poorly, and I hope the suffer, so that in the future they and other organisations will handle these situations better