Attacks/Breaches
1/18/2012
02:11 PM
Connect Directly
RSS
E-Mail
50%
50%

Zappos Breach Renews Calls For Stronger Passwords

Passwords are the go-to security technique for retailers, but businesses must balance password strength and consumer ease of use.

Are Zappos' customers' passwords safe?

On Sunday, Zappos began notifying its customers about a network intrusion that led to the theft of customers' names, addresses, email addresses, and encrypted passwords.

Because the passwords were encrypted, it's unlikely that attackers would be able to immediately decode them all. Even so, Zappos expired all customers' passwords and advised those who had reused the same password on another site to change it there immediately.

Given that warning, what's the risk of Zappos customers having their passwords cracked after the data breach? The answer to that question depends on numerous factors, including the complexity of each password, as well as whether Zappos had both salted and hashed customers' stored passwords.

Based on the Zappos password-reset process, however, Kurt Baumgartner, senior security researcher at Kaspersky Lab, said it's likely that many customers' passwords aren't safe. "When the Zappos team forced their users to reset their passwords ... they enabled their users to provide a minimum of eight-character passwords, including one upper- and lowercase letter and one number or one special character," he said in a blog post.

[What lessons can we learn from the Zappos hack? See Zappos Breach: 8 Lessons Learned.]

"So users' [password] could look like 'Zappos12', and here lies a bigger problem. With 'rainbow tables' that have been circulating as a part of both commercial products and open-source projects discussed at major security conferences for years, this weak password scheme could be quickly cracked offline," he said. Furthermore, as demonstrated by an analysis of the passwords chosen by SonyPictures.com users, many people favor simple--and thus more easily cracked--passwords, which they reuse across sites, no doubt because they must now employ passwords for so many different sites.

It's also not clear just how well-secured the Zappos passwords may have been. Notably, Zappos said that users' passwords had been stored in "cryptographically scrambled" format. "But they need to explain what they meant by 'cryptographically scrambled,'" said Baumgartner. "'Scrambled' is not common security jargon and most likely [was] tossed out by a marketing writer doing their best with the situation."

Accordingly, he said, that raises these questions: "Are they maintaining salted md5's for their password values? How about something stronger--and why not?" Zappos also prevents customers from reusing any of their previous six passwords, he said. But how does it know what those passwords were, and is it possible attackers compromised copies of those historic passwords as well?

A spokeswoman for Zappos said no additional information was available regarding how the company secures users' passwords. Zappos, meanwhile, is still working to notify customers and upgrade its non-U.S. websites to cope with an anticipated surge in website traffic and password resets.

On that front, some customers have expressed frustration with the state of Zappos' customer-notification effort, with some saying that they failed to receive the email warning about the data breach, which included password-reset instructions. Furthermore, the full extent of the breach has yet to become clear, although Zappos is likely still investigating the intrusion and awaiting a detailed digital forensic analysis.

Find out how to create and implement a security program that will defend against malicious and inadvertent internal incidents and satisfy government and industry mandates in our Compliance From The Inside Out report. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4725
Published: 2014-07-27
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.

CVE-2014-4726
Published: 2014-07-27
Unspecified vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.8 for WordPress has unspecified impact and attack vectors.

CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-2625
Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

CVE-2014-2626
Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.