eBay Users: Change Your Passwords
eBay has been hacked.
eBay Inc. announced on Wednesday that it was the target of a cyberattack that compromised a database containing non-financial data, including encrypted passwords. Because of this, eBay requests that all users change their passwords immediately.
The company has conducted "extensive" tests on its networks, and found no evidence of unauthorized activity via user accounts. eBay also found no signs of unauthorized access to credit card or financial information, which is stored in encrypted formats on a separate system. However, eBay insists that everyone change their passwords just in case.
eBay reports that hackers gained access to the corporate network by compromising a small number of employee log-in credentials. The company is now working with security experts and law enforcement to "aggressively" investigate the cyber break-in, and to protect customers by applying "the best forensics tools and practices."
eBay reveals that the problem was first detected around two weeks ago. A thorough investigation showed that the database was compromised in late February to early March. Hackers gained access to eBay customers' names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. As previously stated, financial information is stored on a separate database.
"The company said it has seen no indication of increased fraudulent account activity on eBay," states the announcement. "The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted."
eBay users should expect to see email notifications asking them to change their passwords starting Wednesday afternoon. The company will also alert users via site communications and other methods. eBay recommends that users also change their passwords on any other services and sites where they use the same password as on eBay.
I can rest assured though, my account is safe with two-step authentication.
You can activate that for eBay here:
http://pages.ebay.com/securitycenter/OnlineSafetyTips.html#two-factor
And here, for PayPal:
https://www.paypal.com/us/cgi-bin?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside&bn_r=o
You could have a 64 character password, but if the server gets hacked, you're done.
A complex password only prevents people from 'guessing' it.
I use a password manager with local passcard files, so no online server store for them and it allows creation of 'randomly' generated number/letter/symbol combinations. I would say that two factor authentication is the only way to be sure that even if a password is known the account won't get hacked, as long as the second factor is reliable (a phone number or mobile number that can't be somehow intercepted in any way).
It doesn't matter how long or strong your password is, if the server gets hacked everything should be considered compromised.
I'm not sure how a password manager works, but I'd assume at the end of it, your password and details still need to be stored on a server somewhere.
After all, how can the server know you have the right password if it doesn't have it to begin with?
OSX / iCloud has a password manager that stores all my passwords and shares them across devices, but I can still log on to anything from any device.
You only need to remember the master password, and the plugin does the rest. If one of the websites is compromised, and your password for this site is leaked, nobody can use it to log in on another website. And you can generate a second, different, password for the same site with the same master password (using the "Bump" button).
Try "Password Hasher" for Firefox, "Password Hasher Plus" for Chrome and "Hash It!" for Android (they're all compatible as in they generate the same unique passwords for the same input).
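The per-site derivation described in the last comment, sketched as an added example that is not part of the original thread and is not the algorithm used by Password Hasher or the other tools named (its output will not match theirs). The function names, the PBKDF2 iteration count and the sample master password are assumptions made for illustration.

```python
import base64
import hashlib

# Assumption: the work factor is chosen for illustration. Stretching matters
# because a site password leaked in a breach lets anyone test guesses of the
# master password offline.
ITERATIONS = 200_000


def normalize_site(site: str) -> str:
    """Canonicalise the site tag so 'eBay.com ' and 'ebay.com' agree."""
    site = site.strip().lower()
    if not site:
        raise ValueError("site tag must not be empty")
    return site


def site_password(master: str, site: str, bump: int = 0, length: int = 16) -> str:
    """Derive a per-site password from one master password.

    Nothing is stored: the same (master, site, bump) always yields the same
    output, and changing any one of them yields an unrelated output.
    """
    if not master:
        raise ValueError("master password must not be empty")
    if bump < 0:
        raise ValueError("bump counter must be >= 0")
    if not 8 <= length <= 40:
        raise ValueError("length must be between 8 and 40")
    # The site tag and bump counter act as the salt, so each site (and each
    # "bump" after a breach) gets an independent derivation.
    salt = f"{normalize_site(site)}:{bump}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS)
    # 32 bytes -> 43 base64 characters plus padding; length <= 40 avoids the '='.
    return base64.b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample value
    for site, bump in [("ebay.com", 0), ("paypal.com", 0), ("ebay.com", 1)]:
        print(f"{site:<12} bump={bump}  {site_password(master, site, bump)}")
```

After a breach of one site, incrementing `bump` for that site rotates only that password; the master password and every other site's password stay the same.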