It was just recently announced that eBay suffered a breach that led to the compromise of user details including:
- encrypted password
- email address
- physical address
- date of birth
- phone number
Their announcement indicates that no other data (financial or otherwise) was compromised; financial data is believed to be stored separately. The good news is that they appear to have that separation in place and only credentials were retrieved. The bad news is that this is yet another loss of user credentials.
eBay mentions that the passwords were encrypted, but does not indicate how. We have seen a lot of different definitions of “encryption”, and even among the valid ones, some techniques are better than others. Were the passwords hashed, or encrypted? If hashed, were they salted? Were there iterations? We don’t get these details when a breach like this happens, but the answers to those questions indicate how well the passwords will stand up to brute-force attacks. We can only hope that they were using “Good” techniques for storing passwords.
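To show what “salted” and “iterations” mean in practice, here is an added example (not eBay’s or SourceForge’s code, and the record format and iteration count are assumptions for this post): a per-user random salt with a slow, iterated PBKDF2 hash beside the weak baseline of a single unsalted hash.

```python
import hashlib
import hmac
import os
from typing import Optional

# Stored-record format, constructed for this example:
#   algorithm$iterations$salt_hex$hash_hex
# Keeping the iteration count in the record lets a site raise it later
# and re-hash each user on their next successful login.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted, iterated hash record for storage."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash using the salt and iteration count stored in the record."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak matching bytes.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than current policy requires."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < minimum_iterations


def unsalted_sha256(password: str) -> str:
    """The weak baseline: one fast, unsalted hash. Equal passwords give equal hashes,
    so a single cracked value reveals every user who chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```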
It is recommended that you change your eBay password and the password for any other site you may use that same password on. Even with the best password protection out there, once there is a compromise, let’s just assume it is cracked. This may be a good time to go through and update some of your other passwords too.
Here is a great article on creating stronger passwords: http://www.itbusinessedge.com/slideshows/eight-ways-to-create-stronger-passwords-and-protect-your-accounts.html
In other news, SourceForge has announced that users will have to change their passwords upon next login. They have stated that they have changed how they store passwords in order to make them more secure. It is great to see a company that is actively looking at their controls and updating them. Of course, they don’t provide any details on how they will be storing and protecting the passwords, so we can only assume that they are doing “Good” protection.
There is a lot of buzz around password security, and there has been for a while. I don’t see that changing any time soon. Help raise awareness among others about how to manage passwords securely.
James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org, @jardinesoftware or visit the Secure Ideas – Professionally Evil site for services provided.