[parandroid]

This actually just sounds like a really bad implementation. Some front-end dev wasn't sure what's a good timeout to fire the password to the server on, so he or she just put it on keypress.

And then he included the email too, so the backend could look up the user and make a custom password blacklist for this specific case (eg: no personal details allowed).

I actually don't disagree with doing a POST of a password to check password strength server-side. It might be "cheaper" a bit in some cases.

But sending on every keypress and including the email - that's just silly.

[reitoei]

> Some front-end dev wasn't sure what's a good timeout to fire the password to the server on, so he or she just put it on keypress.

Ebay is not a two bit software startup, it's an eCommerce powerhouse with extensive QA processes.

[parandroid]

I am well aware of that, and agree with you. There had to be some seriously bad decisions made here, and it certainly doesn't look like someone from a big company would make such mistake.

Yet, those kind of bad decisions are made every day, by people all around the world. I wouldn't give benefit of the doubt to anyone these days.

[gedrap]

Yeah, but being a powerhouse doesn't mean they don't introduce silly bugs. They do. E.g. on Facebook, a year or two ago, you could use dev tools and change hidden input field's value when writing a post and post to anyone's timeline (this story got tons of coverage for a bunch of reasons, vulnerability itself not being the prime one). Does it seem like a silly bug? Definitely. But it happened, it's not the first one, not the last one.

So it's a bit naive to assume devs at popular companies don't make bugs, they are superhumans, etc :)

[strictnein]

I worked at a Fortune 100 that does billions in online sales. You'd be surprised at how often little, improper things like this can just percolate into production. And then they're defended by the people who allowed it to happen.

[anentropic]

that doesn't mean they don't have bad implementations

[Torn]

I've seen some pretty janky pages on eBay.com, and the windows 'Turbolister' software is one of the worst things I've had the displeasure of using.

eBay is sufficiently large, and old-enough, to have substantial tech debt.

[kstrauser]

QA just assures that the deliverable meets the spec. It's perfectly possible to write an excellent implementation of a terrible idea.

[brokenmachine]

or a terrible implementation of a good idea.

Manager: "We need password strength validation." Tech: writes code to send each character of password to server as cleartext Tech: "Done"