7 Facts: eBay Fumbles Password Reset Warning

Online auction site criticized for notification misfire, failing to make password resets mandatory.

expire all users' passwords so they had to be reset. "eBay should programmatically force a reset of all passwords because just asking nicely will be ignored by too many," says TK Keanini, CTO of Lancope, in an emailed statement. "They also should offer a two-factor authentication method as others have done. All of these things help raise the cost to attackers."

The need to force password resets is reinforced by the results of a new survey conducted by antivirus firm Avast. "Only 40% of the respondents who were aware of Heartbleed said they had actually changed their passwords," according to an Avast blog post about the survey, which was released this week. "This number closely matches Pew's Heartbleed report which found that 39% of Internet users have changed their passwords or canceled accounts."

If the Heartbleed password-change rate holds true for eBay's user base, that would mean, of the 145 million people whose encrypted password data was reportedly stolen, 87 million would still be vulnerable to having their accounts compromised if attackers successfully decrypt the stolen passwords.

6. Expect new two-factor authentication options
People who want stronger eBay account security can already enable two-factor authentication in the form of the PayPal Security Key (which, as the name implies, also works for PayPal): a credit-card-sized device that generates random, temporary security codes, entered as a second factor alongside the password at login.

But the card will cost you a one-time fee of $30. "There's no monthly service fee or additional cost," according to eBay. "Replacement keys are the same price."

Alternatively, the PayPal Security Key is available as a free service via a mobile phone, with the one-time codes sent by SMS, as sites such as Dropbox and Twitter also do. The SMS option is more convenient than carrying a token but weaker, since each code passes through the carrier network and the handset before it reaches the user.

Going forward, eBay may well add mobile apps to its list of two-factor authentication options. In its security advisory, for example, eBay previewed unspecified new possibilities, saying that "we are looking at other ways to strengthen security on eBay" and noting that "in the coming days and weeks we may be introducing new security features."

7. Breach lesson: Employ password managers, or else
Using two-factor authentication where it is available (and where it works well) is an excellent security step. But the approach still relies on the strength of your password, and no password is ever completely safe.

Accordingly, people should never reuse their passwords. That way, a breach at a site such as eBay (which, although it enjoys an excellent security reputation, was still hacked) won't allow attackers to reuse stolen passwords on other sites. "Each account, especially accounts containing personal information and credit card details, should have its own password," says Ondrej Vlcek, COO at Avast, in an email. "In a situation like this you really don't want your PayPal and eBay accounts to have the same passwords."

Practically speaking, the only way to securely track a large number of online accounts and their credentials is to use a password manager. Some people worry that storing all of that sensitive information in one place creates a single point of failure. Numerous information security experts counter that, because the manager itself can be locked with a single strong master password, the benefit of maintaining a unique, strong password for every online account far outweighs any potential security downside.
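Two claims above hinge on the same mechanics: that the stolen eBay data is only as safe as the effort needed to recover plaintexts from it, and that a password reused at PayPal falls the moment the eBay copy is cracked. The following is an added example, not eBay's or PayPal's code, and it assumes a store layout (PBKDF2-HMAC-SHA256 with a per-user random salt) that the page does not describe. It shows the defender's online check, the attacker's unthrottled offline guessing against the same record, and why a cracked plaintext then works at a second site regardless of how that site hashes.

```python
"""Offline guessing against a stolen salted-hash store, and credential reuse.

Added example with constructed data. PBKDF2-HMAC-SHA256 with a random per-user
salt is an assumption; the page does not say how eBay stored its passwords.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITERATIONS = 100_000  # work factor: the only cost knob the defender still controls once the store is stolen


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """What a site stores: random salt, work factor, derived hash. Never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, password: str) -> bool:
    """Online login check. The site can rate-limit and lock out callers of this."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare


def offline_guess(record: dict, wordlist: Iterable[str]) -> Optional[str]:
    """What the attacker does with a stolen record: the same computation, no rate
    limit. The salt forces a fresh run per guess per user; the iteration count
    sets the price of each run. Returns the recovered plaintext or None."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


def credential_stuffing(cracked: Dict[str, str], other_site: Dict[str, dict]) -> Dict[str, bool]:
    """Try each recovered plaintext at a second site. The second site's salt and
    hashing are irrelevant: if the password was reused, it is simply correct."""
    return {user: verify(other_site[user], pw) for user, pw in cracked.items() if user in other_site}


# Constructed data: a short "common passwords" list and two users present at both sites.
WORDLIST = ["123456", "password", "letmein", "password1", "qwerty", "ebay2014"]


def demo(iterations: int = ITERATIONS):
    """Simulate the breach: crack the 'eBay' store offline, then stuff 'PayPal'."""
    ebay = {
        "alice": make_record("password1", iterations),                  # weak, in the wordlist
        "bob": make_record("correct horse battery staple", iterations),  # not in the wordlist
    }
    paypal = {
        "alice": make_record("password1", iterations),          # reused across sites
        "bob": make_record("Tr0ub4dor&3-paypal-only", iterations),  # unique per site
    }
    cracked = {}
    for user, record in ebay.items():
        plaintext = offline_guess(record, WORDLIST)
        if plaintext is not None:
            cracked[user] = plaintext
    return cracked, credential_stuffing(cracked, paypal)


if __name__ == "__main__":
    recovered, stuffed = demo()
    print(recovered)  # {'alice': 'password1'}
    print(stuffed)    # {'alice': True}
```

The point for the 60% who never reset: every day the cracking run continues, more of the 145 million records turn into working plaintexts, and a forced reset is the only action that makes the eBay copy worthless; a unique password per site is the only thing that stops the PayPal copy from being worthless too.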

With the rise of mobile devices and synchronization features, furthermore, people can keep encrypted copies of their passwords on their smartphones, tablets, and PCs, or even on secure websites, for easy retrieval no matter where they are.
