Ebay "Change passwords"

Just been on the news that Ebay has been hacked , everyone been told to change passwords

I also checked on Ebay and they are also advising to "change passwords" as soon a possible

Spruce

 

its a bit late aint it????

 

So that explains why ebayers from Syria have been beating me to all the bargains!

 

I can't,i don't have any account

 

I can't understand the need to change passwords. They can't, surely, be storing any passwords? Only poxy sites do that ...

If in doubt, about the security of a site, ask for a "password reminder". If you get an email with your original password then the site has a weak password system, and your password is stored, somewhere, in plain text and is at risk from a hack-attack. It would be easy to say "avoid sites like that" but you probably still want to shop there ... You could have one "regular" password for all such sites (ones which don't store your credit card details) and then separate, different, passwords for all the ones that do (banks, paypal, amazon, etc.) Write the passwords on a piece of paper and stick it to your screen - I am being serious! - there was an article that said that the chance of your house being broken into AND the burglar being interested in your passwords is far less than the supplier's servers being hacked!!

However, if the password reminder you get is a one-time-use random-letter password then the site is using a secure password system - so called "Salt and Hash". Basically they don't store your password at all, they put your password through some mangling mathematical algorithm and then store the result of that number. So when you login again they mangle the password you typed again, check against the mangled number they stored when you registered, and if they match you are in. If someone steals the mangled numbers file it is impossible to reverse engineer the passwords. (The Salt part is an additional trick to stop two people with the same mangled number actually having the same password, so you cannot guess one and then use that to access everyone else's account who also used "Password1" as their password!

I'm sure everyone here is either nerdy enough to know what I am talking about, and not need a link to more info ... or is NOT nerdy enough to be interested!!

Here's the links anyway

http://en.wikipedia.org/wiki/Cryptographic_hash_function
http://en.wikipedia.org/wiki/Salt_(cryptography)

Anyway, be weary of any site that sends you your original password in any password-reminder email. Most especially if they actually store your credit card details (e.g. allow you to re-order without re-entering your card details)

 

Here we go - today's Telegraph:

"The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth," said the company"

Can't see why I need to change my password then.

Plus ... the hack attack was 3 months ago ... either we needed to know much sooner, or there isn't a thread (I'm sure people are outraged, but their Name, Date of birth, etc. are easy for anyone to get, if they want them badly enough.

 

So, shutting the stable door when the horse has emigrated to Mongolia if it so wished?

I changed mine this morning, think I've forgotten it already.

 

I haven't had a password-change-request email. I just can;t see that a) it is needed b) it would make any difference. I don't believe eBay store their passwords in a way that would allow them to be stolen ... so if my Name, DoB, EMail etc. has been stolen changing my password will make no difference ... and all that info is available in public domain to anyone who wants it anyway.

Slow news day, or someone angry with eBay for some reason or other ...

 

Switch the blummin' thing off and go to bed, Our Mandy!

 

What gets me is sites (where you can log in using your email address) insisting your password must be at least something like 20 characters long and contain a mixture of both lower & uppercase characters plus at least one number but if you forget it they simply send a new one to your email account (where the password might be the name of your pet rabbit) and there's loads of emails identifying the sites you deal with and can get new passwords from.