Last week eBay detected an attack on their databases and emailed all users asking them to reset their account passwords. That is fine and good customer service. One thing that is a clear leftover from when eBay was founded (19 years ago) is the password requirements:
- 6 – 20 Characters
- at least 2 numbers, letters or select special characters
They are significantly out of date.
I know I will probably start a polarizing discussion on this (if anyone even reads it), but these are my thoughts on passwords:
I like the second requirement; it is the first one that bothers me the most.
A strong 20-character password is very hard to make and remember. Almost all of my passwords are sentences of varying length and character mix, and almost all of them are over 20 characters. I use xkcd’s way of making a memorable password:
I know I’m grossly oversimplifying the password-cracking side, but generally longer is better: every extra character multiplies the search space an attacker has to cover. So a random sentence is easier to remember, and harder to crack than something forced into 20 characters with a number and a special character thrown in because of arbitrary constraints. It took me more time than I care to admit to reset my password because of those settings (made even harder by the fact that their reset-password field doesn’t tell you when things are the same).
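To make the "longer is better" point concrete, here is an added example (mine, not eBay's code or anything from the original post) that encodes the two rules quoted above as a validator and compares the brute-force search space of a rule-compliant short password against a long passphrase. The exact set of "select special characters" is not stated on the page, so the list below is an assumption, as is my reading of the second rule as "at least two of the three character classes"; the word list is a constructed stand-in for a real dictionary.

```python
import math
import secrets

# Assumed "select special characters"; the post does not list eBay's actual set.
SPECIALS = set("!@#$%^&*()-_=+")

# Constructed mini word list for the passphrase generator; a real list
# (e.g. a Diceware list) has thousands of entries, which is what makes
# the per-word entropy figure below meaningful.
WORDS = ["correct", "horse", "battery", "staple", "vacuum", "river",
         "copper", "lantern", "pickle", "orbit", "meadow", "quartz"]


def check_ebay_rules(pw):
    """Return the list of violated rules (empty list means the password is accepted).

    Rule 1: 6-20 characters.
    Rule 2 (as I read it): characters from at least two of the classes
            digits / letters / select specials.
    """
    problems = []
    if not 6 <= len(pw) <= 20:
        problems.append("length must be 6-20 characters")
    classes = {
        "digit": any(c.isdigit() for c in pw),
        "letter": any(c.isalpha() for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }
    if sum(classes.values()) < 2:
        problems.append("needs at least 2 of: numbers, letters, special characters")
    return problems


def bits_random(alphabet_size, length):
    """Entropy in bits of a password of `length` chars drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def bits_passphrase(word_count, wordlist_size):
    """Entropy in bits of `word_count` words drawn uniformly from a list of `wordlist_size` words."""
    return word_count * math.log2(wordlist_size)


def make_passphrase(word_count=6, words=WORDS):
    """Generate an xkcd-style passphrase with a CSPRNG (secrets, not random)."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def compare():
    """Side-by-side numbers: a rule-compliant 8-char password vs. a 6-word Diceware-style passphrase."""
    return {
        # 95 printable ASCII characters, 8 of them: the kind of password the rules nudge you toward
        "random_8_printable": round(bits_random(95, 8), 1),
        # the rules' own ceiling, 20 random printable characters (strong, but nobody remembers it)
        "random_20_printable": round(bits_random(95, 20), 1),
        # 6 words from a 7776-word list: longer than 20 chars, so eBay rejects it
        "passphrase_6_of_7776": round(bits_passphrase(6, 7776), 1),
    }


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3", "my 2 cats hate the vacuum!", make_passphrase()]:
        print(f"{pw!r:40} -> {check_ebay_rules(pw) or 'accepted'}")
    print(compare())
```

The passphrase "my 2 cats hate the vacuum!" satisfies the character-class rule and is rejected only for being 26 characters long, which is exactly the complaint above: the length cap throws away the cheapest source of entropy there is.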
Granted, all of this is moot if the passwords are stored poorly, but I’ll give eBay the benefit of the doubt and assume that their passwords are properly hashed and salted (hopefully with some Sea Salt at the very least).
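For what "properly hashed and salted" means in practice, here is an added example of my own (not eBay's storage scheme, which the post does not know) using only the Python standard library: a random per-user salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256), and a constant-time comparison on verify. The iteration count and the record format are choices I made for the demo, not anything the page specifies.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor; tune upward as hardware gets faster
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password
    get different records, so a cracked hash or a precomputed table helps
    with only one account.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def records_differ_for_same_password(password):
    """Demonstrate that salting makes identical passwords produce distinct records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    rec = hash_password("my 2 cats hate the vacuum!")
    print(rec)
    print(verify_password("my 2 cats hate the vacuum!", rec))   # True
    print(verify_password("my 2 cats hate the vacuum", rec))    # False
    print(records_differ_for_same_password("hunter2"))          # True
```

The salt is not secret and is stored alongside the hash; what matters is that it is unique per record and that the hash is slow enough that guessing is expensive even for an attacker who has the whole table.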