eBay Japan Passwords Revealed As Username+123456
mask.of.sanity (1228908) writes "eBay Japan created passwords for accounts based on a combination of a username plus a static salt, allowing anyone with knowledge of it to access any account, a researcher reported. The salt used, which should have been random, was the combination '123456', which was reported as last year's worst password." Complete with visual aids.
Why was the initial password still being used? (Score:5, Insightful)
If the password was set by the system, either during a password reset or initial account creation, the first thing I do is change the password to a random one my password manager program has generated. Why were these accounts still using the system-created password? Also, the article seems to conflate two uses of the term "salt": the random nonce used to ensure the stored hash value isn't the same for two different accounts that picked the same password, and the random string used in the plaintext of the initial password to avoid a trivially guessable "password same as username"-type case. The two aren't at all the same.
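The two senses of "salt" the comment above distinguishes, side by side, as an added example that is not from the story or from eBay Japan's code: a deterministic initial password (username plus the reported fixed string) versus a per-account random one, and a per-account random storage salt for the hash. The PBKDF2 parameters and the `still_on_initial_password` audit are assumptions of this example, written from the operator's side to find accounts that never left the system-generated password.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

STATIC_SUFFIX = "123456"   # the fixed string the story reports
PBKDF2_ROUNDS = 200_000    # assumed work factor for this example


def flawed_initial_password(username: str) -> str:
    """The reported scheme: deterministic, so anyone who knows the rule can recompute it."""
    return username + STATIC_SUFFIX


def random_initial_password(nbytes: int = 12) -> str:
    """Second sense of 'salt': a per-account random initial password from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """First sense of 'salt': a random per-account value stored next to the digest,
    so two accounts with the same password get different stored hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def still_on_initial_password(username: str, salt: bytes, digest: bytes) -> bool:
    """Server-side audit (assumed): does the stored hash still match the deterministic
    initial password? Such accounts should be forced through a password reset."""
    return verify_password(flawed_initial_password(username), salt, digest)


if __name__ == "__main__":
    # Constructed sample account that never changed its initial password.
    salt, digest = hash_password(flawed_initial_password("alice"))
    print("alice still on initial password:", still_on_initial_password("alice", salt, digest))
    # Same password, two accounts, two different digests thanks to the storage salt.
    print("same digest for same password?", hash_password("hunter2")[1] == hash_password("hunter2")[1])
```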
Re:Obligatory (Score:2, Insightful)
Introducing easter eggs is enough to get fired, if your employer takes quality seriously.
Introducing an idea to add proper entropy calculation of all passwords can help you get a raise. Of course, if you implement it by "if char.isUpper(): entropy += 5" then you should also be fired...
Same for all Four Users? (Score:4, Insightful)
I've lived in Japan for over 20 years and I, like probably most people in Japan, didn't know it even existed.