eBay slammed for daft post-hack password swap advice

eBay has been criticised for its advice to consumers on choosing a strong password in the wake of a megabreach that prompted it to tell millions of users to change their passwords. The online tat bazaar admitted on Wednesday that a database containing "eBay customers’ name, encrypted password, email address, physical address, …


This topic is closed for new posts.
  1. mark jacobs

    ebay's password policy ...

    ... doesn't allow spaces in your password! But it allows non-white space characters in it. So, I've set mine to G6^10aPPq9&£v$pil0¬ but I'm having trouble remembering it!

    1. J P

      Re: ebay's password policy ...

      Not to worry; as long as you've bookmarked this page you can always come back here to copy & paste it.

    2. John Bailey

      Re: ebay's password policy ...

      I find the best is something easy to type, and easy to remember.

      So mine is "***********".

      1. joeW

        Re: ebay's password policy ...

        > So mine is "***********"

        That's odd, all I can see is "hunter2" on my screen.

      2. Allan George Dyer Silver badge

        Re: ebay's password policy ...

        'So mine is "***********".'

        Have you stopped using all the sites that display your password in plaintext as you type it?

        1. jonathanb Silver badge

          Re: ebay's password policy ...

          Mine is ●●●●●●●●●●●●●●●.

    3. Mage Silver badge

      Re: ebay's password policy ...

      Write it in a little address book you never keep in the same bag as a computing device.

      If you have an accident etc. you'd want people to be able to access your computer & websites, so do note site, email, user name etc. and tell someone trustworthy where you keep it.

      1. Crazy Operations Guy Silver badge

        Re: ebay's password policy ...

        I went a more secure route and stuck all my passwords in a KeePass file stored on a shared cloud drive with the password to the file on a piece of paper in a sealed envelope stored in my safe deposit box along with the deed to my house, wills (both regular and living) and some other very important documents. The key has been entrusted to my attorney.

        This way someone won't just stumble upon my password by rifling through papers (as kids are wont to do) and I can update my passwords in a matter of seconds while still allowing family and trusted persons to get to my data in case I am incapacitated.

        1. Anonymous Coward

          Re: ebay's password policy ...

          I do the same thing with one extra step (which maybe you're already doing)...

          Whilst not trying to promote security through obscurity, there's no doubt that obscurity does add one layer to some extent... and so I suggest renaming the KeePass file to give it an extension of anything other than the default. Call it a jpeg, or a .bin or whatever and at least if someone manages to hack into your cloud drive and grab all the content, there's not a big neon sign flashing "KeePass file here!!"

          1. Crazy Operations Guy Silver badge

            Re: "One extra step"

            The people I would want to be able to access the file are barely technically literate enough to open the file, adding that extra step of figuring out which file to rename is just going to cause problems and delays. This is also why I only have two files on the shared device: The password database and a portable copy of KeePass. It becomes pretty obvious what the database file is. I did this so that if the KeePass project dies or the file format changes too much, they can still access the database without any trouble.

            Besides, I change all my passwords every 90 days (you get used to it after a while); if an attacker has the capability to crack the file in that little time, they wouldn't be stopped by a triviality like a changed file extension. I haven't done anything to get anyone with those kinds of resources to waste that much of them on me; of course they would just go the easy way and get an (illegal) court order from the FISC and get my data right from the source.

        2. ajcee

          Re: ebay's password policy ...

          Wow! You take the security on your eBay account pretty seriously! Kudos!


    4. Roland6 Silver badge

      Re: ebay's password policy ...

      >doesn't allow spaces in your password!

      Well it did until now. My old password contained space characters, but their new checker won't allow me to use them. Not sure of the real benefit of this specific change.

    5. DPWDC

      NO SPACES!?!?!

      So they want me to remember a different password, made up of random letters, numbers, symbols, and I'm not meant to use the same password on other sites...

      I was going to put "f*ck you ebay" as my password, but that was rejected... That's more secure than "reset1"!!!

      Angers me when companies like this make lives harder for a false sense of them doing their job... More so because we know it's a load of smoke and mirrors, but my grandmother doesn't...

      To be frank - if there was an option that just said "delete account" on the password change screen, I'd have been tempted.


    6. Anonymous Coward

      Re: ebay's password policy ...

      It does allow spaces, but not in certain combinations. For example, it does not allow "one fine day" but does allow "one fine1 day" or "1 2 3 Four Five Six".

      And funny, it says that "My #1 password" is a strong password...

  2. NoneSuch

    bestjetpilot is a crappy password.

    Be3tJetP1lot! is much better.

    1. Vladimir Plouzhnikov


      Ultimate strength!

      1. monkeyfish

        1337j3tP1l0t surely?

    2. Elmer Phud

      B0l1ck5 is it

  3. This post has been deleted by its author

    1. This post has been deleted by its author

      1. Chemist

        Re: Keepass...

        "There are a bunch of companies that won't allow you to cut'n'paste into the password field"

        Funny, I'm having no trouble pasting a password into eBay using FF. I've had problems with other sites but Ctrl-V usually works.

        1. Anonymous Coward

          Re: Keepass...

          eBay is OK with pasting passwords like that, but ironically PayPal won't allow it!

          1. ScottME

            Re: Keepass...

            Odd - I've *always* pasted my Paypal password, which lives in KeePass; it's far too obscure to remember or type correctly.

          2. Alan Edwards

            Re: Keepass...

            > eBay is OK with pasting passwords like that, but ironically PayPal won't allow it!

            If you use KeePass you can get around that sort of thing. You can customise the AutoType function to produce anything you want.

            You need to work out what keypresses you need to get from the new password to the confirmation password, normally just Tab will do it.

            Use the password generator to get your new random password and put 'Auto-Type: {PASSWORD}{TAB}{PASSWORD}' (without the quotes) into the Notes field. Put the cursor in the first password field in the browser, go back to KeePass and do right-click/AutoType and it will fill in both password fields. The keyboard emulation gets around Cut/Paste blocking.

            This even works for changing the password at login when you're Remote Desktopped into a Windows server.

            Remember to clear the Auto-Type command from the notes field when you're done.

      2. Anonymous Coward

        Re: Keepass...

        Problem solved:

        Unique password for every site, and very secure as it's all done in a conveniently portable piece of hardware.

      3. Mike Wilson

        Re: Keepass...

        I had a long and fruitless conversation with PayPal's dim witted support people about exactly this password paste problem yesterday. No way am I going to type a 20 character gibberish password TWICE and have a faint hope of getting it right. So I type a shorter one instead. Well done half wits -- you REDUCED the security of my PayPal account. It took three e-mails for them to even understand the problem then they fell back on defending the status quo and repeatedly failed to answer my question "how does this improve security as you claim?". I'm tempted to bin my PayPal account but then I don't think I would be able to use eBay. And no matter how sordid eBay seems, life without it would be inconvenient.

        1. Mike Wilson

          Re: Keepass...

          In reply to my own whinge, here's how to change the PayPal password to something long and gibberish without having to retype the sucker:

          1. Anonymous Coward

            Re: Keepass...

            You can also use your browser's element inspector to edit the input field's default value

      4. Nicole D.

        ...can't cut and paste

        "....won't allow you to cut'n'paste into the password field, so stopping you using a password manager, in the interests of 'security'"

        Right. This is a stunningly stupid situation.

        The change password form does not allow you to cut and paste, and to make the change, you have to type it twice, without being able to see what you're typing. So they're urging you to use a password that's complex and long, while at the same time inducing you to use one that's as simple and short as possible.

        At some point it's no longer worth using the service.

        When I went to change my eBay (US) password, I discovered you cannot cut and paste.

    2. Piro

      Yeah, I use KeepAss, just updated ebay with a 20 character (maximum the field allows!) randomly generated password with brackets, special characters and so on enabled.

  4. Alex Brett

    Shouldn't there be the obligatory reference to somewhere in this article?

    1. monkeyfish

      Far too long for most (all?) password fields for a start.

    2. ScottME

      That may have been reasonable advice at the time, but it's unlikely to be much good now.

      My current approach is to use a phrase or sentence then pick out individual letters to create a password. Not always the exact letter, not always the first letter.

      For example "Natxl,nat1l". As a bonus, I find such passwords relatively easy to remember.

  5. bitten

    Combined words with uppercase are so safe, whereas in lowercase they are just weak, and just remember to replace e with 3 and i with 1 to make it much stronger.

    1. John Gamble

      Re: Replace e with 3, etc.

      Might have been good advice ten years ago, but those rainbow tables can be generated with those variations too.

      Not to mention the users who never changed their supplied password from "Chang3M3" even after having been through password leaks themselves.

  6. Anonymous Coward

    Time for change

    I'd been pondering a password change session after Heartbleed, but decided yesterday after the eBay news that it was time to update them all.

    I use a 'root' collection of letters and numbers based on a phrase I can remember, plus a memorable date (NOT a birthday!), but also vary a section of the password (it may be at the start, in the middle, or at the end) based on the site name (eg. Amazon = AMA, eBay = EBA, The Register = REG) etc. That seems to tick all the boxes of non-dictionary, lengthy, complex, AND memorable.

    I used to include some form of non-alpha character in my passwords (eg. *&^%$£) but have come across enough sites that won't accept these that I've given up on that for now :-(

    It'll take me a few days to work through the majority of them, the obscure/occasional ones I might leave until I next visit the site.

    1. Anonymous Coward

      Re: Time for change

      > I use a 'root' collection of letters and numbers based on a phrase I can remember, plus a memorable date (NOT a birthday!), but also vary a section of the password (it may be at the start, in the middle, or at the end) based on the site name (eg. Amazon = AMA, eBay = EBA, The Register = REG) etc. That seems to tick all the boxes of non-dictionary, lengthy, complex, AND memorable.

      And here I thought I was the only one who did this. Nothing new under the sun I suppose!

      The other thing I do is I have a number of password-like phrases with lower/upper alphas, numbers, and punctuation tossed in and assign a name for each. Then I can build new passwords by picking two or three of the chunks and concatenating them. So I have unique passwords for each site but I don't have to remember 150 different passwords or use a password safe.

      The WORST password requirements I have ever come across are two:

      1. When my 401K provider at the time first setup their online system (early 2000s), passwords were limited to being no longer than *6* characters, alphanumerics only. They eventually got a clue.

      2. One of my credit card sites allowed numbers and lower case letters ONLY (I'm not kidding, it specifically stated that uppercase letters would be lowercased.) The only thing that kept me from rage-cancelling my account at that point was that the maximum length was 32 characters so it was still possible to make a strong password. They also have since gotten a clue.

  7. Anonymous Coward


    It's small, would only be part of the password update page, and explains exactly how it calculates your password's strength.

  8. BubbaGump

    Typical American Business. Incur a major problem, hide it as long as possible, start thinking about plausible deniability and damage control, get caught or are forced to come out of hiding, down play the issue, indicate that you have been reborn from the experience and are now there to help. Crying is a nice touch. If all else fails, someone then needs to resign. Why did eBay wait so long to inform its users? Look at what Target did at Xmas. That was certainly a dodge for business purposes. Look at the massive recalls from GM and Toyota for issues they had long known to exist. Sometimes I wonder what would happen if companies simply stepped up to the plate and did the right thing, in a timely manner, if it would not greatly reduce the collateral damage and in the long run improve their business.

  9. Pete Spicer

    Did they actually send out emails, because if they did I still haven't had one... (and yes, checked junk folders etc.)

  10. DropBear Silver badge

    Well, if you want to test your password....

    ...there's always that site recommended by that crazy Aussie bloke...

  11. Anonymous Coward


    I love how LastPass has a special function to assess your passwords and gives you a score based on how many times you use the same password, the strength of the password and so on. It also looks at your accounts to tell you if and when you should change your password after the Heartbleed fiasco.

    Yup, I like LastPass, even if the interface sucks.

  12. Anthony 13

    Someone please enlighten me...

    ... what exactly does a 'strong' password (as defined here) protect you from? This is a serious question - I just don't understand this "password long, symbols, numbers not a word" mantra. It just forces the user to write things down, store it elsewhere, reset it all of the time, etc.

    - If the password isn't encrypted, it doesn't matter how complex it is.

    - If the password is able to be decrypted, it doesn't matter how complex it is.

    - If your encryption model depends on 'everyone' having an equally strong password - good luck with that - it won't matter how complex yours is.

    - If there is a key logger (video camera, machine compromised, whatever), it doesn't matter how complex it is.

    - If you are successfully phished, it doesn't matter how complex it is.

    - If you are re-using a compromised password, it doesn't matter how complex it is.

    - If someone is attempting a dictionary attack on your account, the security model 'should' stop the attack well before it can 'guess' the password, so it 'shouldn't' matter how complex it is.

    - Further to this, if someone is simply guessing your password, the above should also kick in - the 'obvious' password examples given aren't anymore obvious than a thousand other things...

    What am I missing?

    1. TRT Silver badge

      Re: Someone please enlighten me...

      Something incredibly complex.

    2. Old Handle

      Re: Someone please enlighten me...

      What you're missing, I think, is how people go about "decrypting" passwords. You actually do it the other way: you encrypt your guesses until you find one that matches. You have to test the guesses one at a time, for each password. Nevertheless, this can be done frighteningly fast on consumer hardware. And that's where the difference between bestjetpilot and ju2*kG2#1f9p becomes important.

      Actually bestjetpilot was not in the one password list I looked at, but best and jetpilot certainly were. It's not really a terrible password, but hardly something to hold up as an ideal. Whereas ju2*kG2#1f9p is just about impossible to guess. The only way would be to try every combination of symbols, which really would take hundreds of years.

      1. Anthony 13

        @Old Handle

        Thanks - yes, I was thinking it might be a hashing issue - though if encrypted and then hashed it must protect those simple passwords some more. I guess my own feeling is that a somewhat complex string of memorable words is still a safer bet for most people than storing a bunch of super duper complex forgettable passwords - but I am (clearly) no expert.
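The guess-hash-compare loop Old Handle describes above, as an added example that is not part of the thread: a small Python cracker run against a constructed list of unsalted SHA-256 hashes. The wordlist, the mangling rules (the case forms, the "e to 3, i to 1" substitutions and the suffixes that bitten, John Gamble and Mage mention) and the target hashes are all made up here; real tools carry millions of leaked words and far richer rule sets, at billions of hashes per second on a GPU rather than the few thousand this loop manages. The two-word "bestjetpilot" and the mangled "B3stJ3tP1l0t!" fall out quickly; the random "ju2*kG2#1f9p" is never even generated.

```python
"""Offline guessing against fast, unsalted hashes: a constructed demo.

The wordlist, mangling rules and target hashes are all invented here.
Real crackers (hashcat, John the Ripper) use leaked wordlists of millions
of entries and much larger rule sets, at GPU speeds.
"""
import hashlib
import itertools

# Constructed wordlist: the halves of "bestjetpilot" plus some filler.
WORDLIST = ["best", "jet", "pilot", "password", "correct", "horse", "staple"]
# Mangling rules in the spirit of the thread: common suffixes and the
# "visually similar number" substitutions (e -> 3, i -> 1, o -> 0, a -> 4).
SUFFIXES = ["", "1", "!", "123", "2014"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})


def fast_hash(password: str) -> str:
    """Unsalted SHA-256 hex digest: what a naive 'just hash it' design stores."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def candidates(wordlist, max_words=3):
    """Yield guesses: 1..max_words concatenated words x case forms x leet x suffixes."""
    seen = set()
    for n in range(1, max_words + 1):
        for combo in itertools.product(wordlist, repeat=n):
            base = "".join(combo)
            # lower, Capitalised-each-word, UPPER, and the leet version of each
            forms = {base, "".join(w.capitalize() for w in combo), base.upper()}
            forms |= {f.translate(LEET) for f in list(forms)}
            for form in sorted(forms):
                for suffix in SUFFIXES:
                    guess = form + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def crack(target_hashes, wordlist, max_words=3):
    """Return {hash: recovered password}; hashes no rule reaches are simply absent."""
    remaining = set(target_hashes)
    found = {}
    for guess in candidates(wordlist, max_words):
        if not remaining:
            break
        h = fast_hash(guess)
        if h in remaining:
            found[h] = guess
            remaining.discard(h)
    return found


# Constructed "stolen" hash list: a two-word password, a leet-mangled
# capitalised one with a suffix, and a random 12-character one.
SAMPLE_HASHES = [fast_hash(p) for p in ("bestjetpilot", "B3stJ3tP1l0t!", "ju2*kG2#1f9p")]


def demo():
    """Crack the sample list; returns the recovered plaintexts keyed by hash."""
    return crack(SAMPLE_HASHES, WORDLIST)


if __name__ == "__main__":
    for h, pw in demo().items():
        print(f"{h[:12]}...  ->  {pw}")
```

The point of the `seen` set and the early exit is only to keep the demo short; the shape that matters is that every guess costs one hash, so the defender's levers are a slow, salted hash (raising the cost per guess and defeating shared lookup tables) and passwords that no rule set reaches.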

  13. Anonymous Coward

    Can't believe I'm this late to the comments and no XKCD

    1. Alan Gauton

      Re: Can't believe I'm this late to the comments and no XKCD

      There was - Alex Brett about 30 minutes before you....

  14. DJO Silver badge

    Password strength

    You would think a 16 character all upper case password would be weak, very weak. But look at the maths, before trying all 16 letter combinations a black hat would need to go through the 15s, 14s, 13s, 12s, etc down to perhaps 4 characters.

    There are 43,608,742,899,428,874,059,776 ways to arrange 16 upper case letters so even if the password was AAAAAAAAAAAAAAAA (pretty stupid huh?) the attacker would first need to eliminate all 1,677,259,342,285,725,925,376 15 letter combinations which at 1,000,000 attempts per second would take just over 53 million years. (and 2 million years for all 14 letter jobs and so on).

    Plainly this is not a problem one need worry about, the real dangers are social engineering and use of the same password for several purposes. Also anybody who writes a login which allows unlimited rapid password guesses should be taken out and shot.

    Having said all that there is no reason to ever use weak passwords and ones with real words like "bestjetpilot" can be found with dictionary attacks that utilize multiple words.

    The real danger is from hash list cracks where, if the hash method is known, it's easy (if time consuming) to build a database where you generate millions of hashes and store every unique hash and its progenitor password. Then if your black hat gets a stolen list of hashes all he need do is look up in the database for a match; the password will probably not be correct but if it makes the same hash it will be accepted.

    1. Mage Silver badge

      Re: Password strength

      A password cracking program doesn't try all shorter-than-16-letter combinations first.

      It checks all the words in the dictionary and celebrity names.

      Pairs and triplets.

      Versions with letters replaced by visually similar numbers.

      Versions of all the above with various prefix and suffix numbers.

      Probably alphabetic sequential and keyboard layout sequential such as ABCDE and QWERT.

      This is all very much less than testing EVERY possibility and gets the majority of passwords quickly.

      (No I've not done this, I'm sure a regular miscreant though will do it well).

      I do let Firefox remember non-critical passwords. I wouldn't trust anything involving money to any password manager.

      I do write them ALL down in a safe place with user name, site name and email used. Whoever survives me may need them.

      1. DJO Silver badge

        Re: Password strength

        It check all the words in dictionary and Celebrity names.

        Pairs and triplets.

        All the words in the dictionary? Quickly? Maths again I'm afraid: my spellcheck dictionary has over 100,000 words but let's say a password-centric dictionary has just 20,000 words. That gives 8,000,000,000,000 triplets and 400,000,000 pairs, but it's worse than that, as each word needs all-caps, all-lower-case and lower-case-with-a-starting-cap versions, and then number prefixes and suffixes mean that just that lot at 1,000,000 guesses a second would take about 15 years.

        To have any chance of working in a reasonable timeframe you'd want to limit the dictionary to 2,000 to 3,000 words max (2 to 7 hours using the same assumptions). So that's a few hundred celebrities, a couple of hundred common names, stuff likes signs of the zodiac, towns and cities, names of sports teams, lots of swearwords and that leaves space for about 1,000 to 1,500 common words. With a little common sense it should be trivial to think of a password that's reasonably resistant to dictionary attack. It helps if you can't spell properley (sic).

        A dictionary attack might want to try substituting zeros for O's ones for l's etc - I couldn't be bothered to work out what proportion of words on average have letters suitable for substitution but I'd imagine it would probably double the time taken.

        Really unless you use a really stupid short password the chances of it being guessed are pretty slim, after stupidity the dangers are mainly:

        1) social engineering where you are coerced probably unknowingly to disclose your password or reveal enough for someone to make a good guess.

        2) multiple use of the same or similar passwords for disparate purposes.

        3) theft of login database contents.

        As for writing the passwords down, yes absolutely, if someone has gained access to wherever you keep them then your passwords are probably the least of your worries.

    2. Old Handle

      Re: Password strength

      You had a good point, but then kind of ruined it by claiming an attacker would "have" to go through every combination from A to ZZZZZZZZZZZZZZZ before trying AAAAAAAAAAAAAAAA. They won't do it that way, because AAAAAAAAAAAAAAAA will be in their password dictionary. A 16 character, all capital letter password would be as strong as you say only if it was random, or at least meaningful only to the creator (like the initials of their best friends or something).

    3. Mpeler

      Re: Password strength

      Just out of orneriness I'd like to make a password


      so that after 53 million (or BEEELLION(TM)) years the hacker would know what I thought of them....

      Of course, after that time, the computing platform may well have disappeared, as a result of a RealTime(TM) Wolf-Rayet star having gone BANG! nearby...

      (Apologies to CAMRA...heyyyyyy, where's my ale??????)...

  15. bex

    I noticed that I got LastPass to generate one; it's random, 12 characters, mixed upper/lower case and numbers, and only "medium". It says 25 thousand years to crack, so maybe I will be OK.

  16. Richard Parkin


    Just use 1Password.

    1. IglooDude

      Re: 1Password

      I dunno, it's got a number, a capital letter, and a bunch of lower-case, but my gut tells me 1Password is actually a fairly weak password.

  17. Crazy Operations Guy Silver badge

    Preventing certain characters is the most annoying thing ever.

    In a properly implemented system there is no reason to prevent the use of any characters in a password. The password should just be pushed right into the hashing algorithm and converted to hex right away.

    I suspect that a lot of bad passwords are created because of weird draconian restrictions like 8-16 upper or lower case letters only.

    I used to use various Unix and SQL commands as my passwords as they were easy to remember, sufficiently complex and would be very hard to pick out via key logger.
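An added example (not from the post above) of the "accept any character" policy, in Python. It differs from the post's "push it into the hash and convert to hex" in one deliberate respect: the stored value is a salted, iterated PBKDF2-HMAC-SHA256 derivation rather than a raw digest, because a raw unsalted digest is exactly what DJO's precomputed hash-to-password table attacks, and the same password then hashes identically for every user. The iteration count and the record format are choices made here; Argon2id or scrypt are preferable where a library is available, and PBKDF2 is used only because it is in the standard library.

```python
"""Accepting any character in a password while storing it safely. Added
example; the record format and iteration count are this example's choices."""
import hashlib
import hmac
import os
import unicodedata

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware allows
# (OWASP's current figure is 600,000). Argon2id or scrypt are better
# choices where available; PBKDF2 is used here because it is in the stdlib.
ITERATIONS = 210_000


def _password_bytes(password: str) -> bytes:
    """NFKC-normalise then UTF-8 encode. Nothing is rejected or stripped:
    spaces, '£', '¬', emoji and 200-character passphrases all pass through."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived-key (hex)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", _password_bytes(password), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", _password_bytes(password),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def naive_hex_digest(password: str) -> str:
    """The 'push it into the hash and convert to hex' design from the post:
    no salt and no work factor, so equal passwords give equal digests and one
    precomputed hash-to-password table works against every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "one fine day £10 ¬"  # spaces and non-ASCII are fine
    rec = hash_password(pw)
    print(rec)
    print(verify_password(pw, rec), verify_password(pw + " ", rec))
    # Same password, two users: naive digests collide, salted records do not.
    print(naive_hex_digest("hunter2") == naive_hex_digest("hunter2"))
    print(hash_password("hunter2") == hash_password("hunter2"))
```

Length limits can stay, but at a generous figure (a few hundred bytes) and only to bound the KDF's work per login attempt, not at 20 characters as the form discussed in this thread does.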

  18. A. Coatsworth Silver badge


    A couple of people mentioned that, already famous, comic.

    As I'm not in the least a security expert, I need to honestly ask: is that good or bad advice? At first I thought it sounded reasonable enough, but the tooltip gives a vibe of irony... so is it a good or a bad idea to apply that generation algorithm in the real world?


    1. Old Handle

      Re: About

      It's reasonably good advice. I think he underestimated the entropy of Tr0ub4dor&3 somewhat. And the 1000 guesses per second scenario is kind of strange. But the basic point stands.

    2. ScottME

      Re: About

      It's less good advice today than it might have been when it was first published in 2011. Last year, 2013, Bruce Schneier, who is consistently pretty damn good on security, posted this article, pointing to a "Really Good Article on How Easy it Is to Crack Passwords" which casts serious doubt on the continued usefulness of the XKCD approach, and he (BS) recommends instead using an approach he first described in 2008. I suspect he's right.

      1. robmobz

        Re: About

        The XKCD method is just diceware. The number of words used is a bit low but the theory is sound. The current recommendation is at least 6 words.

        (see )

    3. Bjorg

      Re: About

      From a technical standpoint it's terrible, downright stupid advice. "correct" "horse" "battery" and "staple" are all extremely common words (well within the top 5000 or so according to the various sources I found via Google). Using a top 5000 word dictionary you could crack passwords like this in days.

      When I saw that comic I couldn't tell if he was serious or trolling, and most of his cult following seemed to be on the fence as well. But the advice is definitely wrong.

      That being said, like someone else mentioned, just tacking on a few more words would make it much stronger. And like a lot of people have stated on this forum, you usually don't need to worry about someone cracking your password as much as accidentally handing it to them.
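DJO's brute-force figures (post 14), Bjorg's "top 5000 words, days" estimate and robmobz's six-word diceware recommendation are the same calculation with different parameters. The Python below is added here and is not from the thread: it does that arithmetic in one place (keyspace, bits of entropy, time to exhaust at a given rate) and generates a diceware-style passphrase with the CSPRNG. The 1,000,000 guesses per second figure is DJO's; the 1,000,000,000 per second figure for an offline attack on a fast unsalted hash is my assumption, and the six-word demo list is a stand-in for a real 7,776-entry diceware list.

```python
"""Keyspace and time-to-exhaust arithmetic for the attack models discussed
in the thread, plus a diceware-style passphrase generator. Added example;
the guess rates are assumptions, not measurements."""
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_keyspace(alphabet_size: int, length: int, cumulative: bool = False) -> int:
    """Strings over an alphabet: exactly `length` long, or all lengths 1..length."""
    if cumulative:
        return sum(alphabet_size ** n for n in range(1, length + 1))
    return alphabet_size ** length


def wordlist_keyspace(dictionary_size: int, words: int,
                      case_forms: int = 1, suffixes: int = 1) -> int:
    """Concatenations of `words` dictionary words, times per-guess mangling multipliers."""
    return dictionary_size ** words * case_forms * suffixes


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy if the password is chosen uniformly from the keyspace."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst case for the attacker; the expected time is half of this."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def compare_models(slow_rate: float = 1e6, fast_rate: float = 1e9) -> dict:
    """Years to exhaust several keyspaces. slow_rate is the thread's 1e6/s
    figure; fast_rate is an assumed offline GPU rate against a fast unsalted
    hash. Both are illustrative assumptions."""
    return {
        "16 upper-case letters, exact length, 1e6/s":
            years_to_exhaust(brute_force_keyspace(26, 16), slow_rate),
        "all upper-case strings of length 1..15 first, 1e6/s":
            years_to_exhaust(brute_force_keyspace(26, 15, cumulative=True), slow_rate),
        "4 words from a 5,000-word list, 1e9/s":
            years_to_exhaust(wordlist_keyspace(5000, 4), fast_rate),
        "3 words from a 20,000-word list, 3 case forms, 1e6/s":
            years_to_exhaust(wordlist_keyspace(20000, 3, case_forms=3), slow_rate),
        "6 diceware words from a 7,776-word list, 1e9/s":
            years_to_exhaust(wordlist_keyspace(7776, 6), fast_rate),
    }


def diceware_passphrase(wordlist, words: int = 6, sep: str = " ") -> str:
    """Uniform choice via the CSPRNG; strength is words * log2(len(wordlist))
    bits no matter how common the individual words are, because the attacker
    must still try every combination."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for model, years in compare_models().items():
        print(f"{years:14.3g} years  {model}")
    demo_words = ["correct", "horse", "battery", "staple", "tat", "bazaar"]  # stand-in list
    print(diceware_passphrase(demo_words))
```

Two things the numbers make visible: four common words at an offline GPU rate last about a week, which is Bjorg's "days", while six words from a 7,776-word list are roughly 77 bits and sit in the millions-of-years range at the same rate; and the attacker never pays the 53-million-year all-caps cost, because a human-chosen all-caps string is in the dictionary long before length 15 is reached.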

  19. Anonymous Coward

    password123456 is bad?

    Oh great, now I need to update my web site's password change screen *again*.

    $badpass = array(

    ); // Last update: May 22, 2014: boss sez 123456 no good too

    1. monkeyfish

      Re: password123456 is bad?

      It's ok though, password1234567 is still hacker-proof.

  20. Paul Hovnanian Silver badge

    Damn! They found my password. Now I'll have to change my dog's name.

  21. Anonymous Coward

    Re. password

    I usually use alpha-numerics.

    For example my Ebay, Paypal AND email are set to the same one for ease of access, and so is my "goat" account to detect if someone has compromised any of the others.

    A good one to use is hex/date hex/date hex/date ie AF1776BC2063 of course 1776 is the signing of the US Constitution and 2063 is the date of "First Contact" in the Trek Universe.

    Substitute your own variants here, remember folks dictionary searches are the most common type of compromise.

    I also read somewhere that teams of scammers working from home (often unwittingly via proxy) are being used to break CAPTCHAs 4 hours a day.

  22. Allan George Dyer Silver badge

    World Password Day website

    It seems that a length of 14 alone, e.g. '11111111111111', will get rated as Strong, but to get Best you need a lower case letter, upper case letter, number and special character, e.g. 'bT@11111111111' or ''. I wonder if anyone decided to use their email address as their password on this website's advice?

  23. Truth4u

    password scoring software

    just google your password, if you get results its not that secret is it.

    1. Martin

      Re: password scoring software

      Therefore, telling Google your password - why not?

  24. monkeyfish


    Why don't they let you see the password instead of the ******? A check box to see it would be handy, since most of the time I'm at home with no one looking over my shoulder, and most passwords are hijacked remotely.

    My advice to anyone having difficulty remembering passwords is to have them written in a book next to the computer. Seriously, if someone is sat in your house in front of your computer all bets are off anyway. Obviously this advice does not extend to keeping that book in a laptop bag or your pocket... But most of the time people are sat in their houses online, even if they are using a laptop/tablet.

  25. Paul Coddington

    eBay password reset form is defective

    The password reset form that eBay currently uses does not allow cut and paste of passwords from a password manager, discouraging the use of complex, long and cryptic passwords.

    It also mistakes non-alpha characters as "whitespace", limiting you to letters and numbers.

    So, if you change your password, you may be forced to choose a less secure one than you had before.

    To top it off, you can't change your email address to one that has your name in it (that must be good for discouraging fraudsters) and you can no longer link to PayPal (I suspect because PayPal has moved all non-US customers to country-specific sites and eBay is hardcoded to the US one).

    These problems have been apparent for years, but eBay has no interest in fixing them.

  26. Alan Ferris

    Book of passwords on my desk

    No-one has mentioned Roboform - generates random passwords like 9qQWqNflgU^KP@qp , stores them on the PC and protects them with a single master password.

    Provided the master password is good, is that not safe enough?

  27. sisk Silver badge


    Personally I frequently run into 'password too long' errors when making new passwords for places that have my financial information. Some places really don't like 50 character passwords.

    Passwords that are truly random mixes of numbers, upper and lower case letters and symbols are hard for humans to remember but relatively easy for computers to guess. That being the case I tend more towards mnemonically friendly nonsensical phrases written in 13375p34k. I end up with passwords that even my wife couldn't guess and that would take millennia to brute force but which I can easily remember.

  28. chrissygirl6218

    I have an issue with the fact that we have to go through this rigmarole every 90 days! Bye ebay!


Biting the hand that feeds IT © 1998–2019