New XSS vuln hits eBay as rubbish passw0rds persist

eBay punters rushing to secure accounts could be selecting the world's worst passwords after the online tat bazaar was found accepting the most common and weakest passwords in contravention of its stated policy. eBay has been slowly asking its users to reset account passwords after it admitted last week that unknown criminals …

COMMENTS

This topic is closed for new posts.
  1. silent_count

    Is it just me...

    ... who finds it curious that ebay is being all cagey about their "proprietary" hashing algorithm? I suspect they're trying to hide behind "proprietary" so that hopefully (from their perspective) nobody discovers that their hashing routine is just as crap as their ability to securely handle their other customer info.

    1. John H Woods Silver badge

      Re: Is it just me...

      Indeed - the very first thing you learn when you start to understand cryptographic techniques is that you will never* be good enough to roll your own.

      *obviously there's always a slim chance that you are a maths genius in their twenties, and maybe you will have a contribution to make in a decade or two

    2. Sir Alien

      Re: Is it just me...

      Or "proprietary" is simply another term for "we don't want to admit storing plain text/weak passwords"

      I know of one game company that will not accept any non-alpha numeric characters in their passwords which seems to raise the suspicions of them storing plain text.

      SA

      1. Steve Graham

        Re: Is it just me...

        ...plus a limit of 20 characters is unnecessary unless you're actually storing them for your millions of customers.

        Another worry about "proprietary" implementations is that when I changed my password on PayPal (also 20-chars max) and used a character outside the 7-bit ASCII range, I was told that I could not have "an accent" in my password. Actually it was a symbol, but a hashing algorithm shouldn't care, right?

    3. Anonymous Coward

      Re: Is it just me...

      One wonders if a FOI request would be enough to compel them to reveal their encryption/hashing system?

      1. James Gwinnett

        Re: Is it just me...

        ebay isn't a government department so they'd laugh at your FOI request and file it with the rest of the emails they don't care about - say, in their general customer support inbox.

  2. Destroy All Monsters Silver badge
    Thumb Down

    Coder Kidz writing code under supervision of Suits ...

    ....then both falling down stairs.

    We need a "Film at 11" icon.

  3. The Dark Lord

    eBay PR

    Based on the tweet exchange I had with them, I'm not sure whether eBay's staffers would pass a Turing Test.

    They seemed unable to cope with the notion that the security of the user database was not dependent upon the newness of passwords contained therein, just kept repeating the "it's important for security to change your password" mantra.

    Clearly, we can only assume that eBay itself has no confidence in the encryption mechanism used to store users' passwords. One could hope that the ICO will use this as an opportunity to gain some tax receipts from an obfuscated multinational, but I doubt that they have even the strength of will to achieve that, much less be a force for change in the security landscape.

  4. Pascal Monett Silver badge

    A half-million in fines ? Who cares ?

    The real hit is going to be in consumer confidence. Hopefully it will cost them a lot more than that.

    1. Crazy Operations Guy

      Re: A half-million in fines ? Who cares ?

      Most consumers are idiots (especially on eBay); they'll forget about this the second a celebrity does something (such as saying something stupid or even just existing).

  5. Anonymous Coward

    "The company could face fines of up to £500,000 from the Information Commissioner's Office."

    But we all know bloody well it won't - a stern word of admonishment is about as tough as it's likely to get. Fines far bigger than 500k should be automatic for companies of eBay's size who are caught storing customer details unencrypted. There really is no excuse at all not to.

  6. Anonymous Coward

    eBay and password problems

    I changed my password a few months ago, before the latest eBay security crises, when I noticed that it wasn't case sensitive, i.e. I could type my password in capitals, lower-case or any combination of both and still successfully login. What's up with that?!?!

    1. Mad Chaz

      Re: eBay and password problems

      It's called a crappy `all case the same` plain text comparison.

      In other words, they don't encrypt passwords or they don't do it right.

      1. Anonymous Coward

        Re: eBay and password problems

        or they know the average IQ of their users and realise the number of complaints they'd get because users had inadvertently got caps-lock on.

        So the passwords are stored and compared as:

        hash( strtolower( $password ) )

        (or equivalent)

  7. Donut4000
    WTF?

    20 char limit?

    That's weird - when I changed my eBay password last week after the snafu, I used the password generator in 1Password to produce a 50 char alpha-numeric and non-pronounceable string that was accepted without fuss. I see from the article's screen grab that indeed 20 characters is a no-no.

    1. Sir Alien

      Re: 20 char limit?

      Who knows... maybe they simply truncate your password so when it gets spat out the other end it is only 10 characters. And then someone accidentally took that feature out and BAM, error.

      ICO probably, like most say, will do nothing about it, yet the strange thing is the little guy in the same position would be in prison, fined a million pounds and lashed in public (ok, the last one is a bit of drama added).

      1. Anonymous Coward

        Re: 20 char limit?

        It amazes me the number of sites that make no mention of what their rules on password length and allowed character types actually are, leaving you to guess. The 'better' version at least tells you it's too long or only alphanumerics are allowed; far too many allow it, then lock you out.

        The variety MS uses on OneDrive suggests using letters and numbers up to 16 chars, then calls your randomised password crap whatever it is. But it does actually allow symbols (I suppose it might strip them), but still won't rate your password any better if it has them.

        Smaller sites seem to be much better at laying out their policy explicitly, but only a fraction of large ones get it right. Not exactly taxing to get someone to spend an hour writing it out, is it?

  8. Busby

    Why aren't the ICO fines capped on a per-user basis? Say at 10k per user, and if you really mess up that is the maximum you would face. At least then these massive corps may take security seriously.

    Unless the fine is set per user/customer exposed, then eBay, Google et al can afford to ignore security, safe in the knowledge any fine will be peanuts.

  9. Crazy Operations Guy

    So many stupid password restrictions.

    A proper hashing algorithm is just going to digest the password and turn it into a fixed-length string of hex characters. It shouldn't matter what or how much you cram into the password field. The hashing algorithm should just see the password as a series of bits, nothing more.

    Whenever I see restrictions like this, it just screams "here be exploits!" and far too many times I find that the site is vulnerable to even the simplest of SQL injection attacks.
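The two threads above make one technical point between them: a password hash should take the password as a byte string of any length and any character set and always emit a fixed-length digest, and lowercasing it first (the `hash( strtolower( $password ) )` shape described in the earlier comment) throws away entropy before the hash ever runs. The following is an added example, not code from eBay, The Register, or any commenter, that shows both behaviours side by side. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for whatever "proprietary" scheme the site uses; the iteration count, salt size, record format, and the sample passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for this example; tune it
# to your hardware so one verification costs a noticeable fraction of a second.
ITERATIONS = 600_000
SALT_BYTES = 16


def _password_bytes(password: str) -> bytes:
    """Turn the password into the byte string the KDF actually digests.

    NFC normalisation makes an accented letter typed as one code point or as
    base letter + combining accent hash identically; UTF-8 then accepts any
    symbol and any length. Nothing is lowercased, truncated or filtered here.
    """
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _password_bytes(password), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", _password_bytes(candidate), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def digest_hex_length(record: str) -> int:
    """Length of the stored digest in hex characters: fixed whatever the input was."""
    return len(record.split("$")[3])


# The weak variant discussed in the thread, equivalent to hash(strtolower($password)).
# Every case variant of a password collapses to the same digest, so a password of
# n letters loses up to n bits of entropy before hashing even starts.
def weak_hash_password(password: str, salt: Optional[bytes] = None) -> str:
    return hash_password(password.lower(), salt)


def weak_verify_password(record: str, candidate: str) -> bool:
    return verify_password(record, candidate.lower())


if __name__ == "__main__":
    # Constructed sample: well over 20 characters, with accents and symbols.
    long_pw = "correct horse battery staple " * 2 + "é€ß☃"
    rec = hash_password(long_pw)
    print(digest_hex_length(rec), verify_password(rec, long_pw))          # 64 True
    print(verify_password(hash_password("Secret"), "SECRET"))              # False
    print(weak_verify_password(weak_hash_password("Secret"), "SECRET"))    # True
```

The record stays 64 hex characters whether the password is one letter or sixty with a snowman in it, which is why a 20-character cap or a ban on "accents" says nothing about hashing and something about what sits in front of it. The constant-time comparison via `hmac.compare_digest` is there because a plain `==` on digests leaks timing information; the weak variant is included only to make the case-folding loss visible next to the correct version.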

  10. TopOnePercent
    Thumb Down

    ICO are worthless

    They're just a tick box exercise so the government have delegated responsibility to someone.

    I've had various arms of the public sector wilfully breach the DPA in the past, and when reported to the ICO, they simply laughed it off. "We've written to <insert hopeless gov dept here> and reminded them of their responsibilities under the DPA".... well, yeah, but I'd already done that prior to raising the complaint.

    The only way the DPA will be taken seriously is with large mandatory penalties and enforced dismissals of those responsible. Anything else is tinkering around the edges of a system that doesn't work.

    1. Michael Dunn

      Re: ICO are worthless

      The enforced dismissals is the clincher; responsibility doesn't stop at the clerk/office worker actually making the mistake, they have supervisors and setters of security policy.

      A local authority just laughs at a fine: there are plenty of taxpayers! Start sacking officers and managers, and you could 'concentrate their minds.'

