by mootothemax 3647 days ago
>I'd be curious to know if anyone here can come up with a good enough reason for sending out the user's email & their password(-prefix) at every keystroke?

I wonder if it ties into their fraud detection systems somehow.

Fraudsters are lazy - so lazy that, for a good long time, you'd see the exact same few recycled photos of counterfeit items being used in item descriptions. No idea if that's changed recently.

Anyway, going back to my main point: I wonder if something about password entry and email address choice serves as an early warning flag.

I'd kinda be surprised, but I could imagine it potentially being useful.

3 comments

That might be it. They might use it to detect if someone is pasting a password in vs typing one in. Which might help identify against bots / attackers stealing someone's eBay account.

Which would explain why eBay would be secretive. Because the detection is easily mitigated if attackers become aware of the detection.

I guess that fraud could be a big part of this; getting every character in sequence says way more about the end user than getting only the password in the end. I wonder how this will affect password manager users though.

Same thought here. I was imagining that some sort of timing analysis / fingerprinting could possibly be going on.

But to what end? A valid password is a valid password whether it comes from a user that takes 2 minutes to type it in, a password manager, or a bot.