UKBouldering.com

Online security, one not just for the geeks...

Obi-Wan is lost...

So with the recent security issues at eBay (see IT news thread) it's got to a point when if eBay can suffer a huge security leak, then anyone is vulnerable. So what to do about it? Well, in the first instance obviously change all your passwords, ideally not all to the same one. You could use services like LastPass which I've heard are good, alternatively turn on two-factor authentication which is available on quite a few sites for free and not well advertised.

I've done this on Microsoft, Google, Facebook, PayPal and eBay.
Instructions for the first three are easily found online and pretty straightforward.

It's not particularly clear on how to do it for eBay, it sounds like you have to buy a £20 security key but there is a way of making it work for free. Start by turning it on in PayPal under 'My account' > Profile > My Account Settings. Click on 'security key' and set a phone one up for PayPal.

For eBay the standard SMS one isn't available so to avoid paying £20 for the fob, install the Symantec VIP app on your phone...
https://play.google.com/store/apps/details?id=com.verisign.mvip.main&rdid=com.verisign.mvip.main
https://itunes.apple.com/gb/app/vip-access-for-iphone/id307658513?mt=8

Back in PayPal once you've set up a security key click on 'activate for eBay' and it takes you to a page showing an oval grey fob thing. On this page enter the code generated by the VIP phone app (long code and two of the shorter codes, wait for it to generate two). Then it works.

On the eBay phone app to log in you simply add one of the six digit VIP codes to the end of your password.

« Last Edit: May 22, 2014, 02:00:41 pm by Obi-Wan is lost... »

slackline

In addition to two-step verification, password managers can ease the ballache, to which end..... Article on the pros and cons of different password managers

My current choice is KeePass.


Another avenue for authentication is something like Yubikey. Some of their products work with the aforementioned LastPass and Symantec VIP.

Obi-Wan is lost...

I like the look of the Yubikey, using SMS for everything does rely on having your phone handy and is a pain if you lose or forget it. Password managers help with saving longer secure passwords however as I understand using them alone wouldn't prevent risk from security breaches such as the eBay one. Using 2-factor does. Some like the Google one are quite clever as you turn it on but on each of your personal devices you can tell it not to ask for codes for certain browsers, so it doesn't become too much of a pain. Surprised Amazon doesn't offer it yet.

Obi-Wan is lost...

Anyone still procrastinating about changing their passwords or increasing security?

http://www.theregister.co.uk/2014/08/05/russians_amass_1_2bn_stolen_passwords/


tomtom

I read an interesting article about different levels of password the other day - how it was healthy to have a low grade password for all the non special sites (ie those without any crucial info or credit card stuff etc.. - like UKB) and reserve your more complex password(s) for the sites that needed to be secure (banking etc..)..

Along the lines of using the more complex one for everything made you effectively more vulnerable - as if they cracked that one they had everything etc...

Bubba

Lastpass & Yubikey 2 factor authentication. Only allow MAC addresses of specific mobile devices to bypass the Yubikey.

Why use anything less?

slackline

Might be worth taking the Russia payouts thing with a "pinch of salt" since little details of exactly what's been found have been released...


http://gu.com/p/4vgzv

> I read an interesting article about different levels of password the other day - how it was healthy to have a low grade password for all the non special sites (ie those without any crucial info or credit card stuff etc.. - like UKB) and reserve your more complex password(s) for the sites that needed to be secure (banking etc..)..
>
> Along the lines of using the more complex one for everything made you effectively more vulnerable - as if they cracked that one they had everything etc...

That's just common sense.

Personally I've done it for years, although it's slightly annoying that some of the more important sites place limits on the number of characters...


« Last Edit: August 07, 2014, 07:21:16 am by slackline »

Obi-Wan is lost...

Top tip: If anyone has activated the security key for eBay, make sure your phone number is up to date on your eBay account. It's not obvious, it's hidden away in your account settings at the bottom of your primary address, on the addresses page. If it's out of date and you go and wipe your security key off your phone, it's a proper ball ache to then get access to your account. :oops: :-[
