News Analysis

eBay FAIL gets even more fail-y, with failworthy password advice

fail-train.jpg

Auction site adds more fail cars to fail train.

eBay (NASDAQ:EBAY) is coming under mounting criticism for its reaction to its loss of users' passwords and other private info. Or, rather, its lack of reaction.

Not only that, but the password advice it's giving users seems slightly stupid.

In IT Blogwatch, bloggers spot the choo-choo to Failtown.

Your humble blogwatcher curated these bloggy bits for your entertainment.

 

First, in case you've been living under a news-blocking rock, here's Loek Essers:

Attackers gained unauthorized access to eBay's corporate network, compromising a database containing...customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.

It would be wise for users change their passwords, the company said. "Changing passwords is a best practice and will help enhance security for eBay users," eBay said, adding that it regrets any inconvenience.  MORE

 

But John Leyden is jarred awake by the detail in that advice:

The online tat bazaar [gave] examples of what constitutes a "good, secure password"...includ[ing] $uperman1963 [and] bestjetpilot. [But] attempts to change passwords to “bestjetpilot” are rejected as invalid.

Advising on what is...a strong password is perhaps trickier than it might seem. For example, the World Password Day website ‬featured a password strength meter that rated “password123456” as strong.  MORE

 

G'day, Troy Hunt. I see you're not inside a horse: [You're fired -Ed.]

What did eBay do wrong? [It] took a long time to detect the intrusion – two or three months by the look of it.

At least it’s easy to change the password to a secure one, right? ... I try this one: ,83eQYr$m76H>ojqj[Em ... Apparently it’s just a medium strength. ... eBay has some work to do with how it communicates and implements passwords.

Let us also not lose sight of the magnitude of what we’re talking about here: eBay is making it possible for two and a half billion...people to browse through over 100 million items in an online store. [It's] an enormous engineering feat that we often forget as the technology becomes so mainstream. ... The question is not whether they can stop this from happening again, but whether their [security] measures were “reasonable.”  MORE

 

Meanwhile, "Disaster tourist, nuclear physics nerd, devil with a plasma torch, semi-professional hedgehog herder, hypomanic pixie dream girl, and adjunct professor" Aloria puts herself in a real user's position:

It's a good thing I'm finding out about this eBay breach on twitter rather than, you know, getting notified by the company.  MORE

 

And Jim Kennedy agrees:

Why hasn't eBay notified their customers yet?

They send ads all the time so we know they have email.  MORE

Computerworld Blogs Newsletter

Subscribe now to the Blogs Newsletter for a daily summary of the most recent and relevant blog posts at Computerworld.  

Related:

Copyright © 2014 IDG Communications, Inc.

Shop Tech Products at Amazon