Quote:
Originally Posted by Astro_Bot
I'm disappointed that there's no e-mail from eBay alerting users to this problem. They're certainly happy enough to send marketing e-mails.

Emailing people is counterproductive. Especially so if they include a link to the password change page. It takes more intelligence than the average user to tell the difference between a real email and a phish.
Better to expire passwords and make people change them at next logon with a two-factor process.
And store passwords as hashes rather than encrypted, which is what eBay did. It means they can't tell you what your password is if you forget it, but it is far more secure.
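
The two measures described in the post above, as an added example that is not part of the original post or any site's real code: passwords are kept only as salted PBKDF2 hashes (so nothing recoverable is stored), and an operator can expire every account so the next logon forces a change gated on a second factor. The `Account` record, the function names, the iteration count and the `second_factor_ok` flag (the second factor is assumed to be checked elsewhere) are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


@dataclass
class Account:  # hypothetical user record: no plaintext, no decryptable blob
    salt: bytes
    pw_hash: bytes
    must_change: bool = False  # set when passwords are expired


def _derive(password: str, salt: bytes) -> bytes:
    # One-way derivation: the server can recompute it, never invert it.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str) -> Account:
    salt = os.urandom(16)  # unique per account, so equal passwords hash differently
    return Account(salt, _derive(password, salt))


def verify(acct: Account, password: str) -> bool:
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(acct.pw_hash, _derive(password, acct.salt))


def expire_all(accounts: dict) -> None:
    # Operator action: flag every account instead of e-mailing a link.
    for acct in accounts.values():
        acct.must_change = True


def login(acct: Account, password: str, second_factor_ok: bool,
          new_password: str = "") -> str:
    if not verify(acct, password):
        return "denied"
    if not acct.must_change:
        return "ok"
    if not second_factor_ok:  # the old password alone may be known to others
        return "second_factor_required"
    if not new_password or new_password == password:
        return "change_required"
    fresh = enroll(new_password)  # new salt and new hash replace the old ones
    acct.salt, acct.pw_hash, acct.must_change = fresh.salt, fresh.pw_hash, False
    return "changed"
```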