Gibson Index

2014-05-22: eBay Hacked, 145 Million User Records Stolen

Level Three Attack

eBay is recommending that all users change their passwords after they revealed hackers had stolen up to 145 million user records (including "encrypted" passwords). eBay says that PayPal data and payment information are not believed to have been leaked in this incident.

In reading their blog post on the matter, it seemed odd that they stated the passwords were "encrypted". Best practice for password storage in modern web systems is a one-way hash, computed with an algorithm designed to make the password difficult to recover from the stored value. There should never be a need to read or "recover" the plaintext password in these systems, only to perform a password reset, so two-way (reversible) encryption is undesirable. Hopefully this is just a case of Purple Monkey Dishwasher syndrome and eBay actually had properly hashed the passwords.
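To make the hash-versus-encrypt distinction concrete, here is an added example (not code from eBay or from the original post) of a store/verify pair built on PBKDF2-HMAC-SHA256; the algorithm choice, iteration count and record format are assumptions made for this illustration. Note that nothing in it can turn a stored record back into the password, which is exactly the property a reversible "encryption" scheme lacks.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example; the iteration count should be tuned
# to the deployment's hardware (higher makes offline guessing slower too).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way derivation: password and salt go in, a fixed-size digest comes out."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Build the record to persist for a user.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be attacked with one
    precomputed lookup. A password reset simply overwrites this record; the
    old password is never needed and never recoverable.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(record: str, candidate: str) -> bool:
    """Check a login attempt by re-deriving and comparing in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    expected = base64.b64decode(digest_b64)
    actual = _derive(candidate, base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(expected, actual)
```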

Password Tips:

  • Use a different password for each website
  • Choose long passwords
  • Better yet, use a password management tool that can generate long passwords that you never have to see.

It should be noted that the eBay website has been catching some flak for not only making the "Change Password" option difficult to find, but also for not properly accepting pasted input from password management software. Additionally, it sounds like their strong/weak algorithm for gauging password quality has some flaws that would potentially mislead users into setting weak passwords by mistake.

eBay clearly must make some improvements to their user experience when it comes to security. I'm sure this incident and the resulting feedback will accelerate that process.
