Site can make it hard to use long passwords, especially from manager software.

eBay has finally stopped burying its own advisory to change passwords following a major hack on its corporate network by adding an important password update to the top of its home page. Now, engineers should turn their attention to flaws on the site's password reset page that may prevent users from choosing passcodes that are truly hard to crack.

When strong is weak

Chief among the imperfections is eBay's meter that labels chosen passwords as "weak," "medium," or "strong" depending on their resistance to common cracking techniques. It showed "Stlk/v/FqSx"lireFTzidyS/m" (minus the beginning and ending quotation marks) as being weak, even though the password has 25 characters that include a mix of upper- and lower-case letters and symbols, and it isn't included in any obvious dictionary or word list. (Thanks to Digininja for the example.) That means the only likely way to crack it is to employ a brute force technique in which an attacker tries every possible combination. The involved "keyspace"—that is, the number of possible combinations of a 25-character string with upper- and lower-case letters and special characters—is 85^25, which is calculated by adding the number of possible letters (52) and the number of possible symbols (33) and raising the sum to the power of the password length (25).

It would take huge amounts of time and computing power to crack the password, and yet for some unexplained reason, eBay is telling users it's weak. The site's password meter similarly grades as weak the inversion, "m/SydizTFeril"xSqF/v/kltS", as well as smaller subsets. It also gave a "weak" mark to the password choices of "bEDl(<y|" and "><9ibTGo" even though it would take weeks or months to crack either of them. Meanwhile, the meter rated "$superman1963"—an example of a "good password" provided in advice to eBay customers—as medium strength.

As Ars has chronicled before, password strength meters are extremely fickle and capricious contraptions that are often driven more by theory than real-world password cracking that's carried out every day. The How Strong is my Password service offered by chipmaker Intel, for instance, couldn't be relied on because it estimated that it would take six years to crack the passcode "BandGeek2014" and three months to crack "windermere2313", even though it takes real-world crackers using commodity hardware less than an hour to decipher them. Intel's failure was that it assumed crackers only use brute force methods, when in fact they use a combination of brute force and lists of hundreds of millions or even billions of words, along with programming tweaks that extend the reach of those lists.

Another problem with eBay's password reset rollout is guidance explaining how to pick good passwords. As indicated above, "$uperman1963" is a horrible choice for a password, and it's a mistake to suggest otherwise. Even more unfortunate is eBay's suggestion that users should choose passwords such as "bestjetpilot". In fairness, the site won't accept the string as a valid password, and it wouldn't accept a wide array of other passwords made up of multiple words strung together, including "makemebreakfast", "gotoschool", or even "catobstreperous". Given the common and highly effective cracking technique of combining a string of words found online or in books, eBay should be commended for designing a password system that rejects these choices. It should similarly be applauded for rating "mak3m3breakfast" and "cat0bstreporous" as weak. Still, it's a mistake for eBay guidance to recommend passwords such as "bestjetpilot". It's almost as if the guidance and the password systems were designed by teams that never consulted each other.
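To make the contrast concrete, here is an added Python estimator (not eBay's meter or any vendor's code) that scores a password by the cheaper of the two attacks discussed above: the naive brute-force keyspace that meters like Intel's assume, and a wordlist/combinator attack that undoes leet-speak and digit suffixes. The toy wordlist, the assumed list size per word slot, and the guess rate are constructed assumptions, not measured figures.

```python
import math
import re

# Constructed toy wordlist: stands in for the huge lists real crackers use.
TOY_WORDS = {"best", "jet", "pilot", "make", "me", "breakfast", "go", "to",
             "school", "cat", "obstreperous", "superman", "band", "geek"}
ASSUMED_LIST_SIZE = 10 ** 5   # assumed size of a common-word list per word slot
ASSUMED_RATE = 10 ** 11       # assumed guesses per second on commodity GPUs
LEET = str.maketrans("0134$@", "oleasa")  # undo common leet substitutions

def brute_force_bits(pw: str) -> float:
    """The keyspace a naive meter assumes: charset size ^ length, in bits."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33  # printable ASCII symbols
    return len(pw) * math.log2(size)

def split_into_words(s: str, words: set):
    """Fewest wordlist entries that concatenate to s, or None if impossible."""
    best = [0] + [None] * len(s)
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in words:
                if best[i] is None or best[j] + 1 < best[i]:
                    best[i] = best[j] + 1
    return best[len(s)]

def wordlist_bits(pw: str):
    """Guesses (in bits) for a combinator attack: optional leading symbol, leet-
    normalised dictionary words, up to four trailing digits; None if no fit."""
    m = re.fullmatch(r"([^A-Za-z0-9]?)(.+?)(\d{0,4})", pw)
    if not m:
        return None
    prefix, core, digits = m.groups()
    k = split_into_words(core.lower().translate(LEET), TOY_WORDS)
    if k is None:
        return None
    bits = k * math.log2(ASSUMED_LIST_SIZE) + len(digits) * math.log2(10)
    bits += math.log2(33) if prefix else 0          # which symbol was used
    bits += 1 + (pw != pw.lower())                  # leet / case toggles (assumed)
    return bits

def effective_bits(pw: str) -> float:
    # Strength is the cheapest known attack, not the largest keyspace.
    w = wordlist_bits(pw)
    return brute_force_bits(pw) if w is None else min(brute_force_bits(pw), w)

def years_to_crack(pw: str) -> float:
    return 2 ** effective_bits(pw) / ASSUMED_RATE / (365 * 24 * 3600)
```

Under these assumptions "$superman1963" falls to roughly 36 bits once the dictionary path is considered, while the 25-character random string keeps its full 160-bit keyspace because it never decomposes into words.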

The last big flaw in eBay's password reset system is its refusal to allow users to paste strings into the password field. For almost two years, Ars has counseled readers to use a password manager that chooses a long, randomly generated passcode that's unique to each site or service. Alas, the eBay page doesn't allow the pasting of passwords. It's possible the move is designed to prevent crooks from using automated scripts to create eBay accounts designed to scam legitimate users. But given how widely used and essential password managers have become, there's no telling how many people are choosing weaker passwords because they must manually enter them.