2014-05-27

Ebay was attacked and thus forced its users to change their password. My ebay password has been weak for years. I wanted to change it several times, but was pissed off by their password requirements. Hence, I kept the old password. Now, I am forced to change the password, and the new one is forced to match their requirements. I am pissed off!

Ebay tells me that a password with a length of 6 characters out of an alphabet of 73 characters (26+26+10+11) is ``strong''. And ebay tells me that my desired password with a length of 30 characters out of an alphabet of 26 characters is considered so weak that it is not permitted.

Actually, the real strength (the size of the search space an attacker has to cover) of the password ebay considers ``strong'' is 73^6 = 1.5 * 10^11. Whereas the strength of the password ebay considers weak is 26^30 = 2.8 * 10^42. This is more than a billion times a billion times a billion times stronger!

Okay, to be fair, my password is a passphrase, which consists of words. If it consists of 5 words, how strong is it if we attack not by combining characters but words? /usr/share/dict/cracklib-small on my system contains about 52000 words. If we attack with them, the strength would be 52000^5 = 3.8 * 10^23, still more than a trillion times the ``strong'' one.

Okay, let's cut the 52000 words down to a relevant set, the most common words. How many would we need? 10000? 5000? 2000? 500? Wait! We better do it the other way round: How long can the wordlist be to get the same strength as the 6-character password that ebay considers ``strong''? The answer is: 172 (172^5 = 1.5 * 10^11 as well). Thus, if I combined only five of the 172 most common words, my password would be as strong as the one that ebay considers ``strong''.

There is a simple *and* flexible way to increase the strength by many orders of magnitude: Just use one exotic word, misspell one word, or use a word from a different language -- this expands the wordlist necessary to crack the password, and the password strength will explode!

tl;dr: Ebay's password requirements are crap!
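The arithmetic of the post, as an added worked example (not code from the original post or from ebay): search-space sizes for both password shapes, the largest wordlist at which five words break even with the 6-character ``strong'' password, the gain from one exotic word, and a strength estimate that takes the weaker of the character-level and word-level attack. The 52000 and 172 wordlist sizes come from the post; the five-word sample phrase and the assumption that the attacker knows the phrase is lowercase words without separators are mine.

```python
import math

# Added example, not from the original post. The sample phrase below is
# constructed; 52000 (cracklib-small) and 172 (break-even list) are the
# wordlist sizes the post uses.

def keyspace(alphabet_size, length):
    """Number of candidates an attacker must try: alphabet_size^length."""
    return alphabet_size ** length

def bits(n):
    """Search-space size expressed as entropy in bits (log2)."""
    return math.log2(n)

def max_wordlist_size(target_keyspace, n_words):
    """Largest wordlist size n with n^n_words <= target_keyspace, i.e. how
    many words a dictionary may contain before an n_words passphrase drawn
    from it becomes stronger than the target. Integer-exact: the float
    root is only a starting estimate."""
    n = int(round(target_keyspace ** (1.0 / n_words)))
    while n ** n_words > target_keyspace:
        n -= 1
    while (n + 1) ** n_words <= target_keyspace:
        n += 1
    return n

def mixed_keyspace(list_sizes):
    """Passphrase where each word position is drawn from its own list
    (e.g. four common words and one exotic word): product of the sizes."""
    result = 1
    for size in list_sizes:
        result *= size
    return result

def passphrase_bits(words, wordlist_size, alphabet_size=26):
    """Strength under the attacker's best model: the weaker of a
    character-level brute force over the whole string and a word-level
    search over wordlist_size^len(words). Assumes the attacker knows the
    phrase is lowercase words with no separators."""
    char_attack = bits(keyspace(alphabet_size, sum(len(w) for w in words)))
    word_attack = bits(keyspace(wordlist_size, len(words)))
    return min(char_attack, word_attack)

EBAY_STRONG = keyspace(73, 6)  # 6 chars from 26+26+10+11 symbols

def report():
    """The post's numbers, recomputed."""
    phrase = ["harbour", "lantern", "meadow", "silver", "pine"]  # constructed, 30 letters
    return {
        "ebay_strong_bits": bits(EBAY_STRONG),
        "thirty_lowercase_bits": bits(keyspace(26, 30)),
        "five_of_cracklib_small_bits": passphrase_bits(phrase, 52000),
        "break_even_wordlist": max_wordlist_size(EBAY_STRONG, 5),
        "five_of_break_even_bits": passphrase_bits(phrase, 172),
        "four_common_plus_one_exotic_bits": bits(mixed_keyspace([172] * 4 + [52000])),
    }

if __name__ == "__main__":
    for key, value in report().items():
        if isinstance(value, float):
            print(f"{key:34} {value:8.1f} bits")
        else:
            print(f"{key:34} {value:8d}")
```

The one thing the post leaves implicit is made explicit in `passphrase_bits`: a passphrase is only as strong as the cheapest attack against it, so the word-level figure (about 78 bits for five words out of 52000) is the honest number, not the 141 bits of the 30-letter brute force. Swapping one of the five words for one from a larger list (the "exotic word" trick) multiplies the search space by the ratio of the list sizes, which is why it helps so much more than adding a digit.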
http://marmaro.de/lue/ markus schnalke