Summary: Ebay Got Hacked - This is the same story I feel like I've read 1,000 times. It boils down to "big web site was breached, they stole the password database, everyone needs to change their passwords". A few things: While there are issues with two-factor authentication in corporations for authenticating users to applications, if your business is a web site (Ebay, Google, LinkedIN) at some point you have to make two-factor authentication available and make it easy for people to use. People always shout about the passwords, but tend to gloss over the fact that someone exploited something to gain access in the first place. In this case, it sounds like, nothing official here, Ebay employees were socially engineered and lost their passwords. Training, user awareness, etc... all apply here So on the password soap box again, store your passwords securely. Its well documented. Make it easy for the user to change their passwords! Finallly, can we solve this problem of passwords already? I guess not. The Internet Is A Crappy Place - Yea, I said it. The problem is what do we do about it? I tell you what we should not do is create browsers and web browser technology that has lots of vulnerabilities. Darn, too late. All too often we cover vulnerabilities in web browsers, Flash, Java and the like. Securing this technology leads to user unhappiness, such as what if I were to reset a virtual system hosting a web browser each time you used it? Your bookmarks, cookies and saved passwords would all go away. There has to be a better way, but in the mean time, have a strong patch and vulnerability management system. Once a patch is released Nessus will be updated to include a check
