
eBay Compromised

Posted by Unknown Lamer
from the ebay-passwords-show-up-in-ebay-auction dept.
New submitter bobsta22 (583801) writes "eBay has suffered a security compromise requiring them to have all users change their passwords. As yet only a press release. Let's hope there's more juice on this." From the press release: "Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. ... The database, which was compromised between late February and early March, included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago."

  • by Anonymous Coward on Wednesday May 21, 2014 @09:42AM (#47056139)

    Yes, it is very difficult when you know the previous password was "superman1" to guess what tomorrow's password will be. Or, if you got creative, if last month's password was "g0dOctober", I can only guess what November's password will be.

    After that, I just write it on a sticky note for my monitor, cuz ain't nobody got time for your crazy password schemes.

  • by tepples (727027) <tepples at gmail.com> on Wednesday May 21, 2014 @10:05AM (#47056325)
    It's OK to write down your password [schneier.com]. Just keep the card in your wallet instead of on your monitor. You probably already keep a piece of plastic with your credit card number on it in the same wallet anyway.
  • by raymorris (2726007) on Wednesday May 21, 2014 @12:10PM (#47057675)

    Let's assume they are using a good salt. With more than 64 bits of entropy, that means the bad guy has to crack one password at a time. That's critically important.

    Ebay currently requires that passwords have uppercase, lower case, and number or punctuation, so let's say a typical password is about 60 bits of entropy*. (That's a rough guess). So we have roughly 1 X 10^18 passwords to try.

    As I recall, crypt() defaults to 110,000 rounds, so we can crypt($5$) about 4,000,000 times per second.

    So how many seconds will it take to try all of the passwords?
    1 X 10^18 / 4 X 10^6 = 2.5 X 10^11 = 250,000,000,000 seconds
    On average, we'll need to try half of the passwords to get the right one, so we'll need 125,000,000,000 seconds.
    125,000,000,000 / 3600 = 34,722,222 hours
    34,722,222 / 24 = 1,446,759 days
    1,446,759 / 365 = 3963 years

    I'm happy with 3,963 years per password.

    That assumes 60 bits of entropy in the password - a decently good password. With a 50 bit password, it would be three years per password - still not too feasible for a Paypal password. A 40 bit password would fall in about 33 hours, if I did that bit of math right. That's still kind of high, but certainly doable - you just won't get very many people's passwords.

    It seems to me that when using good salt, so the bad guy has to attack one password at a time, and a reasonably good password, SHA256 is definitely not too fast to be secure.
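The cracking-time estimate in the comment above, written out as a small cost model. This is an added example, not code from the thread; it takes the comment's figures (10^18 candidates, 4,000,000 sha256crypt evaluations per second) as assumptions and also shows why per-user salts matter for a whole leaked database rather than a single hash.

```python
"""Added example (not from the thread): offline guessing cost against salted,
iterated password hashes, using the comment's assumed figures."""
from __future__ import annotations

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace_from_entropy(bits: float) -> float:
    """Number of candidate passwords for a given entropy estimate."""
    return 2.0 ** bits


def expected_seconds(keyspace: float, guesses_per_second: float) -> float:
    """Expected time to hit one password: on average half the keyspace is searched."""
    return keyspace / 2 / guesses_per_second


def expected_years(keyspace: float, guesses_per_second: float) -> float:
    return expected_seconds(keyspace, guesses_per_second) / SECONDS_PER_YEAR


def guesses_per_second_for_rounds(raw_hashes_per_second: float, rounds: int) -> float:
    """First-order effect of an iterated hash: each guess costs `rounds` primitive
    hashes, so the attacker's guess rate is the raw hash rate divided by the rounds."""
    return raw_hashes_per_second / rounds


def years_to_crack_dump(n_hashes: int, keyspace: float, guesses_per_second: float,
                        unique_salts: bool) -> float:
    """Time to recover every hash in a leaked database.

    With a unique salt per user each hash needs its own search, so the cost grows
    with n_hashes. Without salts (or with one shared salt) every guess is compared
    against all hashes at once, and the whole dump falls in about the time of one
    password; the hash-table lookup is negligible next to the iterated hash.
    """
    per_password = expected_years(keyspace, guesses_per_second)
    return per_password * n_hashes if unique_salts else per_password


if __name__ == "__main__":
    rate = 4_000_000  # sha256crypt evaluations/second, the comment's assumption
    for bits in (40, 50, 60):
        years = expected_years(keyspace_from_entropy(bits), rate)
        print(f"{bits}-bit password: {years:.2f} years")
    print(f"10^18 candidates: {expected_years(1e18, rate):.0f} years per password")
    for salted in (True, False):
        years = years_to_crack_dump(1_000_000, 1e18, rate, salted)
        print(f"1,000,000 hashes, unique salts={salted}: {years:.3g} years")
```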
