Comments on eBay password policies
Thurs 22nd May 2014
After a few comments on Twitter I thought I'd better add that I'm on the .co.uk site and got to the password reset through "My eBay", then the Account menu -> Personal Information; in there is a section which shows account type, user ID and secret question and gives an option to reset the password. Other people have said that they reset their passwords without being sent a link and that they didn't have pasting blocked. I think this maybe shows a more worrying aspect of the eBay password policy: that they haven't actually got one. Each team seems to have developed its own rules. This results in some users being allowed better security than others depending on how they use the site, and that can't be good.
By now everyone has heard of the eBay hack and I'd guess most people are trying to change their passwords. I just went in to change mine and was initially impressed that, to make the change, they wanted to send me a one-time link to initiate it. After that it went downhill fast.
Like most people in security I use a password manager; for sites like this, mine is set to generate 30-character passwords with characters from the major character sets. I asked it to create a new password for me and went to paste it in. First problem: I couldn't paste. If you don't know why this is a problem, see the excellent video on the topic by Girl Cynic, which is based on the post The "Cobra Effect" that is disabling paste on password fields by Troy Hunt.
You can see the deliberate attempt to block this in the following HTML:
The onpaste="return false" prevents a password from being pasted in, and the ondrop="return false" prevents it from being dragged in, which is an alternative I'd not thought of trying until now.
Coming from a site whose policy is:
Your password must be at least 6 characters with a combination of at least 2 of the following: uppercase letters, lowercase letters, numbers or symbols.
that seemed a bit harsh.
I decided to submit it anyway, but it turns out it wasn't only the meter that didn't like it: the site rejected it as well. After a WTF moment I went to try again and spotted something I'd missed before. Check this again and look at the maxlength field:
Yes, they cap passwords at 20 characters. It doesn't mention that in the limitations, and on their own "Creating and protecting your password" page they state:
The longer and more complex your password, the harder it will be to guess. Place numbers and punctuation randomly in your password.
I trimmed my password back to 20 characters and resubmitted it; this time it was happily accepted. I'd like to know why they are capping the length. Is it because they are encrypting rather than hashing? Unless the data taken in the hack goes public, we'll probably never know.
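As an added example (not code from the original post, and not eBay's own markup), the following Node script scans a page's HTML for exactly the two anti-patterns described above: inline onpaste/ondrop handlers that return false, and a maxlength cap on password fields. The sample form, the 64-character threshold and the function names (parseAttrs, auditPasswordFields) are my own constructed values; the tag scanner is a deliberately simple regex rather than a full HTML parser.

```javascript
// Added example, not code from the original post: audit password inputs in a
// page's HTML for paste/drop blocking and a short maxlength cap.
// Assumption: runs in Node without a DOM, so tags are scanned with a regex.
const MIN_MAXLENGTH = 64; // constructed threshold (NIST SP 800-63B: allow at least 64)

// Constructed sample resembling the markup discussed above (not eBay's actual HTML).
const SAMPLE_HTML = `
<form>
  <input type="text" name="userid" maxlength="20">
  <input type="password" name="newpass" maxlength="20"
         onpaste="return false" ondrop="return false">
  <input type='password' name='confirm' maxlength='128'>
</form>`;

// Extract the attributes of a single <input ...> tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const body = tag.replace(/^<\s*input\b/i, '').replace(/\/?>$/, '');
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per password field: its name and the list of issues found.
function auditPasswordFields(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    if ((a.type || 'text').toLowerCase() !== 'password') continue;
    const issues = [];
    // An inline handler that returns false cancels the event, which is what
    // stops a password manager (or a user) pasting or dragging a value in.
    if (/return\s+false/i.test(a.onpaste || '')) issues.push('paste blocked (onpaste)');
    if (/return\s+false/i.test(a.ondrop || '')) issues.push('drop blocked (ondrop)');
    if (a.maxlength !== undefined) {
      const n = parseInt(a.maxlength, 10);
      if (Number.isNaN(n) || n < MIN_MAXLENGTH) {
        issues.push(`maxlength ${a.maxlength} below ${MIN_MAXLENGTH}`);
      }
    }
    findings.push({ name: a.name || a.id || '(unnamed)', issues });
  }
  return findings;
}

console.log(JSON.stringify(auditPasswordFields(SAMPLE_HTML), null, 2));
```

Run it against a saved copy of a change-password form; a field with no issues comes back with an empty list, so the output doubles as a quick regression check when the form is changed.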
So, do eBay care about users' passwords and their general security? From the initial one-shot password link I think they probably do, and the fact that someone has made a conscious decision to add the code to prevent pasting passwords means they have thought about it (come to the wrong conclusions, but thought at least). But they have failed to implement something that is secure, which is a shame when there is so much good information around about how it should be done properly.
The common reason given by companies is that customers forget long passwords, so having to reset passwords more often increases support costs. For sites like this it means they put profits above the security of their users. I don't know what the reason is in the case of eBay; if anyone has any insight, please let me know.
eBay, please talk to the security community, we are willing to help and want you to get it right, you just need to ask.