eBay and Apple hacks: why users should change their password right now

May 21, 2014

Security Evangelist

This week it emerged that online marketplace eBay suffered a security breach, and that there may also have been a security breach affecting Apple’s iCloud. While eBay maintains that customers’ financial details were not exposed during the hack, it has advised all users to change their account password as a precaution. Apple has not publicly admitted to a breach, but some reports say the company is working internally to correct the issue.

If you are an eBay or Apple iCloud user, we strongly recommend changing your password now. It is very easy to read a post like this and do nothing. You may even be thinking, “I am sure it was not my data,” but it may well be your data, and changing your password takes only a few moments of your day.

This follows other data breaches at major companies, such as Target in the U.S. just a few months ago, and it highlights the need to think carefully about where you enter your email address and password, and whether you need to create an account at all. When I purchase things online I often choose NOT to create an account and use the ‘guest’ checkout instead, so the retailer does not store my details for an account. I also use different email addresses for casual shopping and for sites I visit regularly. That keeps spam out of my normal inbox and limits how much of my information is exposed if one of those sites suffers a similar breach.

I also recommend keeping a separate email address just for account-recovery purposes (many companies let you reset a login using another email address or through an SMS/text message to your phone). If a service offers this, set it up now: if your primary email account gets hacked, the consequences can be devastating and getting it back can be hard, and a recovery address or phone number the attacker does not control is what lets you regain access.

Here are a few simple steps you can take to make sure that your new password is as strong as possible and to help keep all of your online accounts safe:


Use a passphrase

It is well established that length is one of the most important factors in determining the strength of a password. The general consensus is that a password should be at least 12 characters long.

That is a lot of characters to remember, so I recommend using a passphrase rather than a password made of a random string of characters.

Here is an example: “A3H2FAcup!eb” is 12 characters long and contains both upper- and lower-case letters, a number and a symbol, and it is memorable because it stands for a phrase: “Arsenal 3 Hull 2 FA Cup! eBay”. Now that it has been published in a blog post it will find its way onto attackers’ word lists, so treat it as a pattern to copy, not as a password to use.


Check the strength of your password

There are several tools that can help you check the strength of your password. I like How Secure is My Password, which even tells you how long it would take for your password to be cracked by an ordinary PC; for the example above it says 344 thousand years.

This is a great way of making sure that any new password is strong enough before you use it. Two caveats: the estimate assumes the attacker has to try every combination, so it says nothing about a password that already appears in a leaked list, and since you are typing into a third-party website, test a password of the same shape rather than the exact one you intend to use.


Don’t use personal information in your password

It goes without saying that you should not include personal information in your password. In particular, avoid anything that could also be the answer to one of your security questions, such as your mother’s maiden name, your date of birth or your pet’s name.

Personal details are easy to guess or look up, and keeping them out of your password also limits the damage should the password fall into the wrong hands, because it will not hand the attacker the answers to your account-recovery questions as well.
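As an added example (not code from the article or from the How Secure is My Password tool), the following Python script applies the rules above locally: it enforces the 12-character minimum, rejects a password that contains any of a list of personal details you supply, and computes a brute-force estimate of the kind that tool reports. The guess rate of 1e10 per second, the “seconds per year” constant and the sample personal details are assumptions chosen for illustration. Because it runs on your own machine, you can check the real password without sending it to anyone.

```python
import string

# Assumptions for the estimate (illustrative, not figures from the article):
# an attacker who has obtained the hashed passwords from a breach and is
# guessing offline at a fixed rate.  1e10 guesses/second is a round number
# standing in for a single well-equipped cracking rig; change it to taste.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60
MIN_LENGTH = 12  # the article's recommended minimum

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must assume, based on
    which character classes the password actually uses."""
    size = 0
    for cls in CLASSES:
        if any(c in cls for c in password):
            size += len(cls)
    # Anything else (spaces, non-ASCII) counts as one extra symbol each.
    others = {c for c in password if not any(c in cls for cls in CLASSES)}
    return size + len(others)


def brute_force_years(password: str) -> float:
    """Years needed to exhaust the whole keyspace at GUESSES_PER_SECOND."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def check_password(password: str, personal_tokens=()) -> dict:
    """Apply the article's rules: length, no personal information, and a
    brute-force estimate.  personal_tokens is whatever an attacker could
    learn about you (maiden name, birth year, pet's name, ...)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"only {len(password)} characters; use at least {MIN_LENGTH}")
    lowered = password.lower()
    for token in personal_tokens:
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains personal information: {token!r}")
    return {
        "length": len(password),
        "charset": charset_size(password),
        "brute_force_years": brute_force_years(password),
        "problems": problems,
        "ok": not problems,
    }


if __name__ == "__main__":
    # Constructed personal details for the demo, not anyone's real data.
    personal = ["Smith", "1982", "Fluffy"]
    for candidate in ["A3H2FAcup!eb", "Fluffy1982!!", "arsenal"]:
        result = check_password(candidate, personal)
        verdict = "OK" if result["ok"] else "REJECT"
        print(f"{candidate!r}: {verdict} (charset {result['charset']}, "
              f"~{result['brute_force_years']:.3g} years to brute-force)")
        for problem in result["problems"]:
            print("   -", problem)
```

The estimate is deliberately crude: it treats every password as a uniformly random string over the classes it uses, which is the most optimistic assumption. A passphrase built from a memorable sentence is less random than that, so read the figure as an upper bound and use the length and personal-information checks as the hard rules.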


Different password for each site

Another great way of limiting the damage, should your password be compromised in a large-scale breach, is to use a different passphrase for each site.

That does not have to mean a completely different password: you can add a few characters that make it unique to that site. Bear in mind, though, that once one variant has leaked an attacker will try the obvious equivalents on other sites, so the site-specific part should not be predictable from the site’s name alone.


Two factor authentication

It’s not all about passwords, though. Several popular websites have now enabled two-factor authentication. This simply means that, in addition to your password, they require a one-time code generated by a device or an app, which confirms that you are the owner of the account. Such codes have been around for a while in the online banking world, but they are now available for services like Gmail and Dropbox.


You can follow me on Twitter @TonyatAVG.



Tony Anscombe