After the breach: eBay’s flawed password reset leaves much to be desired
eBay has finally stopped burying its own advisory to change passwords following a major hack on its corporate network by adding an important password update to the top of its home page. Now, engineers should turn their attention to flaws on the site’s password reset page that may prevent users from choosing passcodes that are truly hard to crack.
Chief among the imperfections is eBay’s meter that labels chosen passwords as “weak,” “medium,” or “strong” depending on their resistance to common cracking techniques. It showed “Stlk/v/FqSx”lireFTzidyS/m” (minus the beginning and ending quotation marks) as being weak, even though the password has 25 characters that include a mix of upper- and lower-case letters and symbols, plus it isn’t included in any obvious dictionary or word list. (Thanks to @digininja for the example.) That means the only likely way to crack it is to employ a brute force technique in which an attacker tries every possible combination. The involved “keyspace”—that is, the number of possible combinations of a 25-character string with upper- and lower-case letters with special characters—is 85^25, which is calculated by adding the number of possible letters (52) and the number of possible symbols (33) and raising the sum to the power of the password length (25).
It would take huge amounts of time and computation power to crack the password, and yet for some unexplained reason, eBay is telling users it’s weak. The site’s password meter similarly grades as weak the inversion, “m/SydizTFeril”xSqF/v/kltS”, as well as smaller subsets. It also gave a “weak” mark to the password choices of “bEDl(<y|” and “><9ibTGo” even though it would take weeks or months to crack either of them. Meanwhile, the meter rated “$superman1963”—an example of a “good password” provided in advice to eBay customers—as medium strength.
As Ars has chronicled before, password strength meters are extremely fickle and capricious contraptions that are often driven more by theory than real-world password cracking that’s carried out every day. The How Strong is my Password service offered by chipmaker Intel, for instance, couldn’t be relied on because it estimated that it would take six years to crack the passcode “BandGeek2014” and three months to crack “windermere2313”, even though it takes real-world crackers using commodity hardware less than an hour to decipher them. Intel’s failure was that it assumed crackers only use brute force methods, when in fact they use a combination of brute force and lists of hundreds of millions or even billions of words, along with programming tweaks that extend the reach of those lists.
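To make the contrast concrete, here is a toy strength estimator written for this article (it is not eBay’s or Intel’s code) that grades passwords the way the last two paragraphs argue a meter should: it first asks whether the password is a dictionary word dressed up with the usual mangling rules (case changes, leet substitutions, a digit suffix, a symbol prefix) and only falls back to the brute-force keyspace, computed exactly as above (52 letters plus 33 symbols, raised to the length), when no word is found. The five-entry wordlist, the 33rd “symbol” being a space, the 10^10 guesses-per-second rate, the rule counts and the weak/medium/strong thresholds are all constructed assumptions, not figures from the article.

```python
import re
import string

# Constructed stand-in for the wordlists of hundreds of millions of entries
# that real crackers use; the five words below are an assumption for this demo.
WORDLIST = {"superman", "bandgeek", "windermere", "password", "ebay"}

# Character classes sized as in the article: 52 letters and 33 symbols
# (the 32 ASCII punctuation characters plus space, an assumption made so the
# symbol count matches the article's 33).
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation) | {" "}

# Undo the handful of substitutions that mangling rules commonly apply.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})

CASE_VARIANTS = 4     # lower, Capitalised, UPPER, camelCase (assumed rule count)
GUESS_RATE = 1e10     # guesses per second; assumed commodity-GPU figure

# Split a password into: symbol prefix, word core, trailing digits, symbol suffix.
PATTERN = re.compile(r"^([^A-Za-z0-9]*)(.*?)([0-9]*)([^A-Za-z0-9]*)$")


def keyspace(pw: str) -> int:
    """Brute-force keyspace: (size of every character class present) ** length.
    This is the only thing a meter like Intel's measures."""
    chars = set(pw)
    alphabet = sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS) if chars & cls)
    return alphabet ** len(pw)


def dictionary_base(pw: str):
    """Return the wordlist entry the password is built from, or None."""
    _prefix, core, _digits, _suffix = PATTERN.fullmatch(pw).groups()
    for candidate in (core.lower(), core.lower().translate(LEET)):
        if candidate in WORDLIST:
            return candidate
    return None


def estimate_guesses(pw: str) -> int:
    """Guesses a cracker needs: the mangling-rule space when the password is a
    decorated dictionary word, otherwise the full brute-force keyspace."""
    if dictionary_base(pw) is None:
        return keyspace(pw)
    prefix, _core, digits, suffix = PATTERN.fullmatch(pw).groups()
    # Every word x every case variant x every digit run of that length
    # x every symbol in each prefix/suffix position.
    return (len(WORDLIST) * CASE_VARIANTS
            * 10 ** len(digits)
            * len(SYMBOLS) ** (len(prefix) + len(suffix)))


def crack_seconds(pw: str) -> float:
    """Expected wall-clock time at the assumed guess rate."""
    return estimate_guesses(pw) / GUESS_RATE


def grade(pw: str) -> str:
    """Assumed thresholds: under a day is weak, under ten years is medium."""
    seconds = crack_seconds(pw)
    if seconds < 86400:
        return "weak"
    if seconds < 10 * 365 * 86400:
        return "medium"
    return "strong"


if __name__ == "__main__":
    # The article's examples; the typographic quote in the 25-character
    # password is written here as a plain double quote.
    for pw in ['Stlk/v/FqSx"lireFTzidyS/m', "bEDl(<y|", "><9ibTGo",
               "$superman1963", "BandGeek2014", "windermere2313"]:
        print(f"{pw!r:30} keyspace=2^{keyspace(pw).bit_length() - 1:<4}"
              f" est. crack time={crack_seconds(pw):.3g}s  grade={grade(pw)}")
```

Run as a script it prints one line per example. The point it makes is the one the article makes: “BandGeek2014” has a brute-force keyspace of 62^12, which is why a brute-force-only meter reports years, but once a wordlist and a digit-suffix rule are in play it falls to a few hundred thousand guesses, while the random 25-character string has no dictionary core and keeps its 85^25 keyspace.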