A rant, and a question (the question's at the end)
Apologies for the rant, it's an almost direct c/p of my arsebook post on the subject, but the question at the end is likely to be answered relevantly by folks here. (I notice Robin Szemeti above has noticed this too.)
Several points against ebay here. Their backend database got 'hacked' [read: we left the keys on the hall table]. This much is public knowledge.
So I go to change my password as recommended. Nope. No such user, followed by several variants of 'this page is experiencing extreme load', 'this page not found' and 'no such email in database'.
So I go to chat to customer disservices using their live chat. Unavailable, despite being in working hours, california time.
So I get pissed, and send them a web form based Shit-O-Gram telling them to bloody well fix their ebay password change page NOW as they've just bloody asked everyone to use it.
I immediately get an email response with some utterly unrelated drivel that was barely literate, referring to paypal password problems. So naturally I replied to it with a "read your goddamned missives rather than sending algorithm matched shite". Only to get a bounce message saying 'this email account is not monitored'. So don't fscking HAVE IT then, what the hell is the point of an email address that doesn't work?
Eventually after much use of F5 and other F words, I get to the 'reset your password' link, and try to reset it. Only to get an offer to send me a PIN. By Text. To A FSCKING LANDLINE NUMBER. *HEADDESK*
I chose the more sensible option: Email me a reset link. Here they scored a minor plus: The reset email, which arrived almost instantly and was in my set 'plain text' format, told me to c/p the link to the address bar, encouraging me NOT to click links in email. Good advice. Credit where it's due.
However, the system then accepted my new password, but would not allow me to sign in with it.
So I hit reset AGAIN. And here begins the section with the query, I'd be pleased to hear you commentards' input on this: It then refused to let me use that same new password again, as I'd previously used it.
This to me says there's a problem: One of the following.
1. They're storing unencrypted passwords (not likely for such a large company, that's a rookie mistake),
2. They're storing encrypted passwords, not the hashes, bad practice.
3. They're storing unsalted hashes.
4. They're salting the hashes with the SAME salt, thus rendering it useless.
The questions are twofold. 1, is my analysis above basically correct (I would LOVE some input on my understanding of hashing algorithms), and 2, am I right that this is a major security flaw?
I won't even go into the rant about 'your password must contain 2 lowercase, 2 numbers, 2 symbols, 2 uppercase, the blood of a virgin, 2 bits of first kingdom hieroglyphics BUT NO SPACES' crap.
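Added example, not part of the post above and not eBay's code: a password-history check built on per-user salted hashes, using PBKDF2 from Python's standard library. Each stored entry keeps its own random salt, so a candidate password can be re-hashed under every stored salt and compared entry by entry. The history depth and iteration count are illustrative assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; illustrative, tune for your hardware
HISTORY_DEPTH = 5     # how many previous passwords to remember; assumed value


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Per-user record: a list of (salt, hash) pairs, newest last.

    Every entry carries its own salt, so detecting reuse needs neither the
    plaintext, a reversible encryption, nor a salt shared across entries.
    """

    def __init__(self, history_depth: int = HISTORY_DEPTH):
        self.depth = history_depth
        self.entries: list[tuple[bytes, bytes]] = []

    def was_used(self, password: str) -> bool:
        """Re-hash the candidate under each stored salt and compare."""
        for salt, digest in self.entries:
            if hmac.compare_digest(hash_password(password, salt), digest):
                return True
        return False

    def set_password(self, password: str) -> bool:
        """Store a new password; refuse it if it appears in the history."""
        if self.was_used(password):
            return False
        salt = os.urandom(16)  # fresh random salt for this entry
        self.entries.append((salt, hash_password(password, salt)))
        self.entries = self.entries[-self.depth:]  # keep only the newest N
        return True

    def verify(self, password: str) -> bool:
        """Check a login attempt against the current (newest) entry only."""
        if not self.entries:
            return False
        salt, digest = self.entries[-1]
        return hmac.compare_digest(hash_password(password, salt), digest)

    def salts_are_distinct(self) -> bool:
        """True when no two history entries share a salt."""
        salts = [salt for salt, _ in self.entries]
        return len(set(salts)) == len(salts)


if __name__ == "__main__":
    # Constructed walk-through: set a password, try to reuse it, rotate.
    user = PasswordHistory()
    print("set first:", user.set_password("correct horse"))       # True
    print("reuse first:", user.set_password("correct horse"))     # False
    print("set second:", user.set_password("battery staple"))     # True
    print("reuse first again:", user.set_password("correct horse"))  # False
    print("login old:", user.verify("correct horse"))             # False
    print("login new:", user.verify("battery staple"))            # True
    print("distinct salts:", user.salts_are_distinct())           # True
```

Because the reuse check re-derives the hash under each entry's own salt, the same password produces a different stored hash each time it is set, and the old hashes cannot be compared to each other directly; only a supplied candidate can be tested against them.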