ATX Community

Posted

I got one; bet most of you did, too -- since most of us have eBay accounts even if we rarely use them. Link first; text below. For those who don't know, the author ran an ISP for many years, so he knows his internet and internet security stuff. I did remove a couple of images from the article as Eric doesn't allow the image extensions.

http://market-ticker.org/akcs-www?post=229037

About Those Password Reset Emails...

Grrr.....

To help ensure customers' trust and security on eBay, I am asking all eBay users to change their passwords.

Here's why: Recently, our company discovered a cyberattack on our corporate information network.
This attack compromised a database containing eBay user passwords.

What's important for you to know: We have no evidence that your financial information was accessed or compromised. And your password was encrypted.

Uh huh.

Encrypted eh? Wrong word kemosabe.

Or maybe it's the right word and if it is, eBay (and anyone else doing that) needs to be shot (corporately, of course, not physically.)

Let me explain.

A password has several ideals it tries to achieve:

  • Only you know it. If someone else does, then obviously they can pretend to be you.
  • It's hard to guess. "Hard" means within practical limits impossible. This means it needs lots of entropy, a fancy word for randomness. This means that two words together are bad, because words are anything but random. A single word is (much) worse. Words with numbers and symbols between them are much better, because numbers and symbols tend not to have patterns about them. All random characters is best, provided they're truly random. You can get close to "best" by using an acronym made up of characters, numbers and symbols that means something to you but nothing to a machine. For example, a sentence in which one letter (perhaps advancing one letter, rotating back through) of each word is used, separated with the reversed digits of a social security number or something of a similar type. This is extremely hard to guess unless I happen to know the source material from which you made the acronym.
  • It's impossible for the party that asks for it to get it from what they store, but that you keyed the right thing can be verified and the odds of a "false positive" are effectively zero. In other words, the password is never stored, encrypted or not. Instead what is stored is a cryptographic hash that comes out to a value for a given input. Ideally that hash is the same length each and every time no matter how many characters are given it as an input, and it appears to be entirely random. It also has to be long enough (in terms of bits) so that the maximum password length (entropy) you can use can be contained in it without material risk of duplication; that is, if someone provides a wrong password it won't give a correct response.

Note that if you design this right then it doesn't matter (much) if someone steals the list of hashed passwords. There is no way to get correct passwords from the hash. You could test a dictionary against all the hashes, and from there you might manage to get very weak passwords, but that's the best you can do. If the password is weak this isn't the primary concern.

Now I don't know what eBay was storing. I do know how to do this correctly.

If you steal a password hash it should, if done correctly, mean essentially nothing.

To put my credibility where my mouth is here is a password hash to an account that I bet you can't break into on Tickerforum. I'm sure you can figure out which account it is too.

If I'm wrong you "win" by logging into it using the password you figure out and posting a response to this message in the comment section. Feel free to be as nasty as you'd like in the comment; I won't censor it.... provided you really got it (and yes, I'll know with certainty if you did since the system keeps IP logs....)

$2a$06$5dZMYXjIlDpR8Zv8yx.wqu0nbxqzPxO7H59PkHO/pOoJKbAANx54q

You are free to deduce from all of these emails you get from time to time whether the people running those sites implemented their password systems correctly or not. If I'm willing to expose a password hash in a way that challenges you to sign in and prove that you can decode the password from it, believing you can't, well..... how about those guys and their claim that you can't recover passwords from their "encrypted" data and thus you should change your password "just to be safe"?
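The three properties the article lists (the password is never stored, verification still works, and a wrong password effectively never verifies) can be checked concretely. The following is an added example, not code from the article, Tickerforum, or this forum. It first splits the bcrypt record posted above into the fields that are stored in the clear by design (version, cost factor, salt, digest), then shows the same store-and-verify pattern with PBKDF2-HMAC-SHA256 from Python's standard library. The algorithm, iteration count, salt size and record layout used for the PBKDF2 part are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re

# The bcrypt record posted in the article. Its fields can be read off directly;
# none of them is secret, and the password is not recoverable from them.
POSTED_HASH = "$2a$06$5dZMYXjIlDpR8Zv8yx.wqu0nbxqzPxO7H59PkHO/pOoJKbAANx54q"

# bcrypt modular-crypt layout: $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def parse_bcrypt(record):
    """Split a bcrypt record into its stored, non-secret fields."""
    m = BCRYPT_RE.match(record)
    if m is None:
        raise ValueError("not a bcrypt record")
    version, cost, salt, digest = m.groups()
    return {
        "version": version,
        "cost": int(cost),        # work factor: log2 of the key-schedule rounds
        "rounds": 2 ** int(cost),
        "salt": salt,             # 128-bit salt in bcrypt's base64 alphabet
        "digest": digest,         # 184-bit output in bcrypt's base64 alphabet
    }


# Assumed parameters for the PBKDF2 store below (not taken from the article).
ALGORITHM = "sha256"
ITERATIONS = 600_000   # order of magnitude currently recommended for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the digest from the record's own salt and parameters and compare
    in constant time. A wrong password gives a different 256-bit digest, so a
    false positive would require a SHA-256 collision."""
    try:
        _, scheme, iterations, salt_hex, digest_hex = record.split("$")
        alg = scheme.split("-", 1)[1]
    except (ValueError, IndexError):
        return False   # malformed record never verifies
    candidate = hashlib.pbkdf2_hmac(alg, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def digest_length(record):
    """Digest length in bytes: identical whatever the length of the password."""
    return len(bytes.fromhex(record.split("$")[4]))


if __name__ == "__main__":
    print(parse_bcrypt(POSTED_HASH))
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec),
          verify_password("wrong password", rec))
```

Reading the posted record this way shows a cost factor of 06, i.e. 64 rounds of bcrypt's key schedule, which is low by today's standards but still a salted, purpose-built password hash; the salt and digest tell you nothing about the password without guessing it.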

Posted

Encrypted eh? Wrong word kemosabe.

"Cryptographic hash" is technically correct, but it's also nerd speak. "Encrypted" gets the point across, which is probably more important than technical accuracy when you're sending out that email to hundreds of thousands of users with different levels of technical knowledge.

Now I don't know what eBay was storing. I do know how to do this correctly.

Same here. I got that email from eBay, and I'm still curious about how they're storing passwords.

Note that if you design this right then it doesn't matter (much) if someone steals the list of hashed passwords. There is no way to get correct passwords from the hash.

That's a bigger *if* than you might think. It's not uncommon for an application to do a simple MD5 cryptographic hash on a password and store the hash. If that's the case, it's possible to break a pretty good number of passwords using rainbow tables. The *correct* way to do this is to "salt" the hash before storing it... and now I'm hungry.

If eBay had been doing it right, there shouldn't be anything to worry about, but it's usually best to assume that everyone is incompetent and act accordingly.

  • Like 4
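The reply's point about bare MD5 versus a salted hash can be shown on a small constructed user table. This is an added example, not code from the reply's author or from this forum; the accounts, passwords and word list are constructed for the demonstration. It uses MD5 in both variants on purpose, so that the only difference is the salt: an unsalted store gives identical records to users with identical passwords and is covered by one precomputed table built once for every site, while a per-user random salt makes every record unique and the precomputed table useless. A salt does not slow down guessing, so a deliberately slow function (bcrypt, PBKDF2, scrypt, Argon2) is still needed on top of it.

```python
import hashlib
import os
from collections import Counter

# Constructed sample accounts (not real data); two users chose the same weak password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "xK7#q!2vPz9L"}

# Constructed stand-in for a precomputed (rainbow/dictionary) table: digest -> word,
# built once from a word list. Against unsalted hashes one such table covers every
# user of every site that stores md5(password).
WORDLIST = ["password", "123456", "letmein", "qwerty"]
PRECOMPUTED_MD5 = {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in WORDLIST}


def store_unsalted(users):
    """The pattern the reply warns about: bare md5(password)."""
    return {u: hashlib.md5(p.encode("utf-8")).hexdigest() for u, p in users.items()}


def store_salted(users):
    """Same digest function, but a fresh random salt is mixed in and kept beside
    the digest as salt$digest. The salt is not secret; it only has to be unique."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = salt.hex() + "$" + hashlib.md5(salt + p.encode("utf-8")).hexdigest()
    return out


def shared_digests(store):
    """Users whose stored digest equals another user's. In an unsalted store this
    leaks that they share a password, and one table entry unlocks all of them."""
    counts = Counter(v.split("$")[-1] for v in store.values())
    return sorted(u for u, v in store.items() if counts[v.split("$")[-1]] > 1)


def precomputed_hits(store):
    """Audit: which records a generic precomputed table resolves with no further work."""
    return sorted(u for u, v in store.items() if v.split("$")[-1] in PRECOMPUTED_MD5)


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    salted = store_salted(USERS)
    print("unsalted: shared =", shared_digests(unsalted), "table hits =", precomputed_hits(unsalted))
    print("salted:   shared =", shared_digests(salted), "table hits =", precomputed_hits(salted))
```

Run it and the unsalted store reports alice and bob both as sharing a digest and as resolved by the table, while the salted store reports neither, even though alice and bob still have the same password.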
Posted

<snip>

If eBay had been doing it right, there shouldn't be anything to worry about, but it's usually best to assume that everyone is incompetent and act accordingly.

I have found it good practice to make this assumption about durned near everything (present forum excepted!!). That way I get happily surprised. At least occasionally. ^_^

  • Like 2
Posted

it's usually best to assume that everyone is incompetent and act accordingly.

One of the more popular desktop tax programs stores the "encrypted" login passwords in a file with the clever name of "password.yy" They must be using a very sophisticated encryption algorithm - a blank password is stored as all zeros. Now if one had a hex editor ...

  • Like 2
