eBay Compromised 193
New submitter bobsta22 (583801) writes "eBay has suffered a security compromise requiring them to have all users change their passwords. As yet only a press release. Lets hope there's more juice on this."
From the press release: "Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. ... The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago."
Re:Wow, pasword security policy fail (Score:3, Interesting)
Yes, it is very difficult when you know the previous password was "superman1" to guess what tomorrow's password will be. Or, if you got creative, if last month's password was "g0dOctober", I can only guess what November's password will be.
After that, I just write it on a stick note for my monitor, cuz ain't nobody got time for your crazy password schemes.
Password on cardboard in your wallet (Score:4, Interesting)
3,963 years per password (Score:4, Interesting)
Let's assume they are using a good salt. With more than 64 bits of entropy, that means the bad guy has to crack one password at a time. That's critically important.
Ebay currently requires that passwords have uppercase, lower case, and number or punctuation, so lets say a typical password is about 60 bits of entropy*. (That's a rough guess). So we have roughly 1 X 10^18 passwords to try.
As I recall, crypt() defaults to 110,000 rounds, so we can crypt($5$) about 4,000,000 times per second.
So how many seconds will it take to try all of the passwords?
1 X 10^18 / 4 X 10^6 = 2.5 X 10^11 = 250,000,000,000 seconds
On average, we'll need to try half of the passwords to get the right one, so we'll need 125,000,000,000 seconds.
125,000,000,000 / 3600 = 34,722,222 hours
34,722,222 / 24 = 1,446,759
3963 years
I'm happy with 3,963 years per password.
That assumes 60 bits of entropy in the password - a decently good password. With a 50 bit password, it would be three years per password - still not too feasible for a Paypal password. A 40 bit password would fall in about 33 hours, if I did that bit of math right. That's still kind of high, but certainly doable - you just won't get very many people's passwords.
It seems to me that when using good salt, so the bad guy has to attack one password a time, and a reasonably good password, SHA256 is definitely not too fast to be secure.