eBay’s database containing its users’ login details was hacked into earlier this year, with the details only just being released to the public today.
Apparently, the passwords are “encrypted”, which ought to make people feel slightly better (*Lol, I hope they aren’t actually encrypted), but eBay users are being advised to change their passwords anyway.
You see, the vast majority of internet users have the same password for everything, which is a really bad idea! If a large company such as eBay can be hacked and your personal details leaked, imagine what smaller and less secure companies and sites do with your password!
If, however, you use a different password for each of your online identities, then when one of them is compromised the rest of your online accounts remain largely unaffected. The problem, however, is that with an increasing number of online identities it can become impossible to remember all of your different passwords. This is why it’s always a good idea to use a password manager. Essentially, all of your passwords are long, randomly generated strings, and these are saved on your local computer in a single encrypted file protected by a master password. It might seem odd to have one ‘master password’ that gives access to everything, but the probability of a hacker physically accessing your machine is 1,000,000s of times lower than that of them trying to access your eBay account remotely, for example.
Additionally, online password managers such as Apple’s iCloud use industry-leading AES-256 encryption, which is good enough even for the NSA’s Top Secret documents. And if you use a long master password, your data is pretty safe.
* You might wonder why earlier I said that encrypting a password in a database is a bad idea. Encryption is inherently a reversible function: anyone holding the key can recover the original password, and for password storage that reversibility is entirely unnecessary. A one-way cryptographic hashing function is far safer and the preferred method for storing passwords in most cases. I can only hope that eBay used a strong hashing algorithm such as bcrypt or SHA (with salting and key stretching, of course), and God forbid not plain MD5! And if they did actually encrypt the passwords, I hope the encryption keys were stored somewhere safe and not in the database itself!
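To make the footnote concrete, here is an added example (mine, not eBay’s code or anything from the post) contrasting the unsalted MD5 scheme the footnote warns against with “SHA plus salting and stretching” done as PBKDF2-HMAC-SHA256 from Python’s standard library, plus the kind of random password a manager would generate. The iteration count, salt length and record format are my own assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

# Assumed parameters: stretching cost and per-user random salt size.
ITERATIONS = 200_000   # stretching: every offline guess costs 200k SHA-256 rounds
SALT_BYTES = 16        # a random salt per user defeats precomputed (rainbow) tables


def unsalted_md5(password: str) -> str:
    """The weak scheme: fast, unsalted, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex.

    Storing the salt and iteration count beside the hash means nothing secret
    sits in the database; unlike encryption there is no key to leak."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def generate_password(length: int = 24) -> str:
    """A long random string of the kind a password manager stores for you."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Two users who picked the same (constructed) password "hunter2".
    print(unsalted_md5("hunter2") == unsalted_md5("hunter2"))   # True: identical, linkable
    print(hash_password("hunter2") == hash_password("hunter2"))  # False: salts differ
```

Two users sharing a password get identical MD5 digests but distinct PBKDF2 records, and the verifier still accepts the right password for each because the salt travels with the record.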