eBay, security, and the art of responsible journalism

Granted that eBay hasn’t covered itself with glory recently. Some of its password advice really is poor. For a start, bestjetpilot isn’t the strongest password I’ve ever seen.

Apparently, though, several journalists believe that the company should allow its customers to choose as a password one of the strings eBay itself gives as an example of a good password (yes, bestjetpilot). At any rate, they’ve used the fact that eBay won’t allow you to use that password as an example of eBay’s incompetence. If they actually believe that’s the case, they really shouldn’t be allowed to write about security until they’ve undergone an intensive security familiarization course.

I’m sure (ISC)² would be pleased to provide them with some sort of boot camp.

What about journalists who don’t believe that accepting that password would be a good idea but couldn’t resist a cheap shot?

They should be asking themselves whether it’s entirely ethical to give their readers the impression that it’s sensible to use a widely publicized password suggestion for authenticating themselves to the company that made the suggestion. Not all your readers are as security-savvy as you think you are, guys.

It would have been nice if the original advice had come with a warning to eBay’s customers to use the examples given as models for generating a password of their own, not as off-the-peg ‘safe’ passwords. It would have been even nicer if the journalists concerned had given the same advice, whether eBay did or didn’t.

David Harley
Small Blue-Green World