Attacks/Breaches
1/18/2012
02:11 PM
50%
50%

Zappos Breach Renews Calls For Stronger Passwords

Passwords are the go-to security technique for retailers, but businesses must balance password strength and consumer ease of use.

Are Zappos' customers' passwords safe?

On Sunday, Zappos began notifying its customers about a network intrusion that led to the theft of customers' names, addresses, email addresses, and encrypted passwords.

Because the passwords were encrypted, it's unlikely that attackers would be able to immediately decode them all. Even so, Zappos expired all customers' passwords and advised those who had reused the same password on another site to change it there immediately.

Given that warning, what's the risk of Zappos customers having their passwords cracked after the data breach? The answer to that question depends on numerous factors, including the complexity of each password, as well as whether Zappos had both salted and hashed customers' stored passwords.

Based on the Zappos password-reset process, however, Kurt Baumgartner, senior security researcher at Kaspersky Lab, said it's likely that many customers' passwords aren't safe. "When the Zappos team forced their users to reset their passwords ... they enabled their users to provide a minimum of eight-character passwords, including one upper- and lowercase letter and one number or one special character," he said in a blog post.

[What lessons can we learn from the Zappos hack? See Zappos Breach: 8 Lessons Learned.]

"So users' [password] could look like 'Zappos12', and here lies a bigger problem. With 'rainbow tables' that have been circulating as a part of both commercial products and open-source projects discussed at major security conferences for years, this weak password scheme could be quickly cracked offline," he said. Furthermore, as demonstrated by an analysis of the passwords chosen by SonyPictures.com users, many people favor simple--and thus more easily cracked--passwords, which they reuse across sites, no doubt because they must now employ passwords for so many different sites.

It's also not clear just how well-secured the Zappos passwords may have been. Notably, Zappos said that users' passwords had been stored in "cryptographically scrambled" format. "But they need to explain what they meant by 'cryptographically scrambled,'" said Baumgartner. "'Scrambled' is not common security jargon and most likely [was] tossed out by a marketing writer doing their best with the situation."

Accordingly, he said, that raises these questions: "Are they maintaining salted md5's for their password values? How about something stronger--and why not?" Zappos also prevents customers from reusing any of their previous six passwords, he said. But how does it know what those passwords were, and is it possible attackers compromised copies of those historic passwords as well?

A spokeswoman for Zappos said no additional information was available regarding how the company secures users' passwords. Zappos, meanwhile, is still working to notify customers and upgrade its non-U.S. websites to cope with an anticipated surge in website traffic and password resets.

On that front, some customers have expressed frustration with the state of Zappos' customer-notification effort, with some saying that they failed to receive the email warning about the data breach, which included password-reset instructions. Furthermore, the full extent of the breach has yet to become clear, although Zappos is likely still investigating the intrusion and awaiting a detailed digital forensic analysis.

Find out how to create and implement a security program that will defend against malicious and inadvertent internal incidents and satisfy government and industry mandates in our Compliance From The Inside Out report. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4692
Published: 2015-07-27
The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.

CVE-2015-1840
Published: 2015-07-26
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space cha...

CVE-2015-1872
Published: 2015-07-26
The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via craft...

CVE-2015-2847
Published: 2015-07-26
Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream.

CVE-2015-2848
Published: 2015-07-26
Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo Touch before 5.2.19.0_VA allows remote attackers to hijack the authentication of arbitrary users for requests associated with home-automation commands, as demonstrated by a door-unlock command.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!