Ebay announced today that the had usernames, encrypted passwords, phone numbers, email address, physical address and date of birth stolen during a recent breach. The key here is encrypted passwords, which hopefully means strong security. That is just an assumption though. It is not uncommon by any stretch to see a large company suffering from a breach that includes user credentials. We often overlook the idea that credentials are actually very valuable. We spend so much time focusing on social security numbers, credit card numbers, and HIPAA data that we forget about the basics. Those keys that protect the rest of all of that data.
Ebay believes that no other data (financial, etc) was accessed during the breach. This is the good news. The bad news is we now need to change our passwords again. Look on the bright side, if we used fingerprints as our access we would only change our password a few thousand times before we had to start using toes. There are a lot of different passwords we can come up with. I know it is obvious, but if you haven’t stopped reading this post to go change your Ebay password, stop for a moment and go do that.
Managing our passwords can be difficult and we may often feel helpless as the end user because not only do we not have any control of how a company or service stores our passwords, we don’t have any insight into how they do it. Previously people have mentioned advertising on the site how the password is protected. It is an interesting idea. The question is: does it make you more or less of a target? There are a lot of factors that go into that determination.
If you advertise that you use bcrypt with 10,000 iterations, is good or bad? Will the bad guys just turn around looking for that easier score or will they accept that challenge. Now advertise that you are just storing passwords using MD5 with no salt. The difference between the two is like seeing a wireless network with and without a password. Of course, the problem we also have is whether or not the description provided would mean anything to the average user. My mom, even my wife, wouldn’t have any idea what MD5 or bcrypt meant or which one may be more secure. It is server side, so do users care? I am not really sure. I don’t think advertising the details would really help the problem, maybe just satisfy those techies that want to debate over whether the company was following best practices.
Spread the word when you see that a site has been breached. Let your friends and co-workers know so they too can take the appropriate steps to protect them selves. We can’t fix a companies vulnerabilities, but we can all respond accordingly to calm the wave of destruction.