Did you see that eBay was hacked?


I have to believe that when you typed "pay-pay" you meant paypal. Paypal's password system and database are separate from eBay's. No need to change passwords.

I have an extra bit on my account, and I'm currently not worried about the password. Quite some time ago, eBay/Paypal were offering a keyfob (of the RSA type), and I think that the person who may or may not be able to get the password is still not going to have the right numbers. I think it changes every 5 seconds or so.

Interesting times, though.


@shrdlu: "I have to believe that when you typed "pay-pay" you meant paypal. "
ROFL. It's been one of those days.

I am not a tech savvy person by any stretch of the word. What is RSA? A keyfob? Does everyone get one, or is that for folks like you who know what they are doing? : )


@ceagee: Links, just for you (or anyone else that needs them):

(Please, read this guy with a grain of salt.)

You now officially have far more information than you wanted.

Everyone who gives them $5 gets one.


Great. I have roughly 100 auctions closing today. I have a huge fall art show roster in front of me (Austin and San Diego in July, London in August and a big local show in September) and I have got to restock on jewelry parts as I am running low on stock. I guess if Paypal is safe then I am not too worried, as that protects both my financial information and my mailing address. I just got done changing the passwords on all my credit cards due to this HTTPS incursion, and I have two cards I have been unable to pay because I can't decipher the password hint I wrote down for the new passwords. I am going to have to go through all the "change password without being logged in" rigamarole today. Now eBay. BTW, eBay apparently did post something yesterday, although I didn't see it and I've been practically living there this week.


@moondrake: If you chose a good password for eBay (and I'm sure you did), it's not going to be immediately compromised, and in fact, may never be. The attacks against the passwords for eBay will be of the brute-force, dictionary-style attacks. They'll be hitting low hanging fruit, first. Who knows? Maybe Deals will see some of the worst eBay spammers disappear.

Don't break your brains over this one. It's stupid, but it's going to continue to be a problem, not just with eBay, but in general. I just got a password reset notice from Sourceforge this morning, and it appears to be proactive, rather than a compromise.

{To make sure we're following current best practices for security, we've made some changes to how we're storing passwords.} Sure, that makes me feel so much better, Sourceforge. Ah, well. Could be worse.


As much as I hate to think about the nuisance factor, I'm beginning to think passwords should be changed every 4-6 weeks as a matter of habit.


@magic cave: The problem is that, unless they have some sort of program or pattern to follow, most people would never be able to remember them. And if you have a program or a pattern then that can be hacked.


@shrdlu: It says it costs $29.95; $5 is to replace it if it's lost. My CCs are protected by the issuer. I don't have my bank acct. on my paypal, so unless I do that, I don't see any reason to get the keycard.
Thanks for all the reading though. My eyes are glazed over now : )


@moondrake: True, but a brute-force attack will eventually find any password. My only reason for changing passwords monthly is that the usual lag-time between breach and discovery is at least a couple of months. (The Heartland Payment Services breach took over seven months to be noticed.) If I change my passwords monthly, it shortens the at-risk time for that particular account.

I'm inclined to think that buyers of stolen card info are much like any other thief: if a would-be burglar tried all your doors and windows and found them all locked and relatively secure, he's much more likely to go next door where the pickings may be easier.


@moondrake: You could use patterns. Example:

The base password mon1910drak!e stays the same for every website; the underscores are the first and last letter of the site. The number is the year plus 5, so 2014 becomes 14 becomes 19, and the 1 0 is 5 (May) plus 5.
This way you have a pattern to memorize. Difficult for PCs and non-authorized users, but for an authorized user that types it in a few times a day it will become easy.
I could use
mon19n1g0drak!e for newegg and
mon19e1y0drak!e for ebay
The problem is if you let a password go stale (you do not change it every month).
Next month it will be mon19e1y1drak!e for ebay.


@magic cave: I take gentle issue with your statement about brute force attacks. If a password is part of a system where it is properly salted (this is not meant as an amusement, "salt" is part of a description in the encryption process), and if the password is decent, a brute force attack is unlikely to work against it. Certainly with sufficient time anything is solvable, but at current levels of computer systems and technologies, that involves lengths of time that approach heat death of the universe.

Ugh. It's WAY too early for me. I deleted a bunch of links about encryption; anyone who wanted to read them already knows that stuff, and the weekend approaches.


@shrdlu: Point taken, and as always, many thanks.


@shrdlu: Question.... Why don't passwords work like this:

The password is passed to the first server. This server takes the entered password and passes it through an algorithm based on the user name. Then the algorithm password is hashed and stored. Now if a hacker grabbed the algorithm password and cracked it and tried to enter it on the site, it would come up as wrong.
In this question the password is password1.
I type my password1, which the algorithm based on the user name changes to ppaasssswwoorrdd11; this gets hashed to 781e6908cf1f55f96c7ec76bb97b327d. The hash is time stamped so the computer knows this specific algorithm doubles the letters of the password (obviously it would be a more difficult algorithm).
Now a hacker grabs the hash list with passwords that have passed through the algorithm and solves my password as ppaasssswwoorrdd11. If he tries to use this to log in, it will fail, as the password is password1.
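The scheme caffeine_dude asks about and the salting shrdlu mentioned earlier, shown as an added worked example (not from any poster in this thread): a random per-user salt does the job of the "algorithm based on the user name", so two users with the same password store different values and a stolen hash typed in as a password is rejected. The PBKDF2 parameters are assumed choices.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed PBKDF2 work factor; slows down offline guessing


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Return what the server stores: salt, iteration count and derived key.

    The salt plays the role of caffeine_dude's per-user transform, but it is
    random and stored openly: an attacker with the stolen list still has to
    run the slow hash separately for every account and every guess.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for each account
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": key.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the derived key for the attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    key = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, record["iterations"])
    return hmac.compare_digest(key.hex(), record["hash"])


def demo() -> dict:
    """Constructed scenario: two accounts that both chose 'password1'."""
    alice = make_record("password1")
    bob = make_record("password1")
    return {
        # same password, different stored values: no cross-account reuse of cracks
        "same_password_differs": alice["hash"] != bob["hash"],
        "correct_accepted": verify(alice, "password1"),
        "wrong_rejected": not verify(alice, "password2"),
        # the stolen hash itself is useless as a login credential
        "stolen_hash_rejected": not verify(alice, alice["hash"]),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```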


@caffeine_dude: Rather than answer your question directly, I'm going to talk about passwords, and various methods, instead. Please, folks, unless you're interested, this is going to be long, and dry, and BORING.

First, some links (caffeine_dude, you don't have to read all of them, but the first is the best):

Why did I include the second and third links? Because both of them do a sort of password mutation/password swap in something of the way you are thinking. It's still more complicated than this, but I think those articles help a bit on the crypt side of client-server interactions (and that's really the background of your question, I think).

More fun random things:



[Part two]
@caffeine_dude: Let's take a step back, now that you're numb.

The thing is (as you know from the last Wikipedia link), the idea of a password encompasses a wide range of things, from the password that lets you pass the sentry without being shot, to the silly four digit pin on your debit card, from the login to your Facebook account to the login to your bank account, those are all passwords. They all operate differently, though.

The pin from your debit card is usually transmitted over the wire (when you use it as a debit card), and the bank sends an AUTH back. Poof! Your account is debited. When you log into your bank's web site, the password system could be running on anything from (shudder) Windows NT Server to a specialized Linux distribution, or even (although I haven't seen it in years) on "Interactive Unix...



[Part three: Yeah, I don't type fast enough.]
@caffeine_dude: For every computer password system, I can name one or more systems developed just to attack those passwords. As usual, Wikipedia has a nice write up on this:

I used to use Crack (an oldie, but goodie), and maintained 16 different language dictionaries to go with it, including Inuit (which caught more than one person who thought they were clever).

I know, I'm starting to ramble, and I'm going to quit for now.

There are so many different types of passwords and password systems out there. The simple rules of thumb apply. Don't reuse passwords on systems where your money is involved, or your reputation. WRITE THEM DOWN somewhere. Yeah, yeah, I know. Just do it.


You're not safe, yet, Caffeine my boy. I almost forgot to add:

I recommend Bruce as one of the last honest men. His blog is worthy. I've been reading his newsletter since, well, since he started writing them.

I commend this search on his site as being enormously interesting.

(It's his occasional "award" to people who make bad crypto.)

I don't necessarily recommend all his books. He can be a bit repetitive. I absolutely recommend wholeheartedly his book Applied Cryptography, or, in fact, any of his books on cryptography.

I'd vouch for Bruce, and there's damned few people I'd say that of.