Attacks/Breaches
1/18/2012
02:11 PM
Connect Directly
RSS
E-Mail
50%
50%

Zappos Breach Renews Calls For Stronger Passwords

Passwords are the go-to security technique for retailers, but businesses must balance password strength and consumer ease of use.

Are Zappos' customers' passwords safe?

On Sunday, Zappos began notifying its customers about a network intrusion that led to the theft of customers' names, addresses, email addresses, and encrypted passwords.

Because the passwords were encrypted, it's unlikely that attackers would be able to immediately decode them all. Even so, Zappos expired all customers' passwords and advised those who had reused the same password on another site to change it there immediately.

Given that warning, what's the risk of Zappos customers having their passwords cracked after the data breach? The answer to that question depends on numerous factors, including the complexity of each password, as well as whether Zappos had both salted and hashed customers' stored passwords.

Based on the Zappos password-reset process, however, Kurt Baumgartner, senior security researcher at Kaspersky Lab, said it's likely that many customers' passwords aren't safe. "When the Zappos team forced their users to reset their passwords ... they enabled their users to provide a minimum of eight-character passwords, including one upper- and lowercase letter and one number or one special character," he said in a blog post.

[What lessons can we learn from the Zappos hack? See Zappos Breach: 8 Lessons Learned.]

"So users' [password] could look like 'Zappos12', and here lies a bigger problem. With 'rainbow tables' that have been circulating as a part of both commercial products and open-source projects discussed at major security conferences for years, this weak password scheme could be quickly cracked offline," he said. Furthermore, as demonstrated by an analysis of the passwords chosen by SonyPictures.com users, many people favor simple--and thus more easily cracked--passwords, which they reuse across sites, no doubt because they must now employ passwords for so many different sites.

It's also not clear just how well-secured the Zappos passwords may have been. Notably, Zappos said that users' passwords had been stored in "cryptographically scrambled" format. "But they need to explain what they meant by 'cryptographically scrambled,'" said Baumgartner. "'Scrambled' is not common security jargon and most likely [was] tossed out by a marketing writer doing their best with the situation."

Accordingly, he said, that raises these questions: "Are they maintaining salted md5's for their password values? How about something stronger--and why not?" Zappos also prevents customers from reusing any of their previous six passwords, he said. But how does it know what those passwords were, and is it possible attackers compromised copies of those historic passwords as well?

A spokeswoman for Zappos said no additional information was available regarding how the company secures users' passwords. Zappos, meanwhile, is still working to notify customers and upgrade its non-U.S. websites to cope with an anticipated surge in website traffic and password resets.

On that front, some customers have expressed frustration with the state of Zappos' customer-notification effort, with some saying that they failed to receive the email warning about the data breach, which included password-reset instructions. Furthermore, the full extent of the breach has yet to become clear, although Zappos is likely still investigating the intrusion and awaiting a detailed digital forensic analysis.

Find out how to create and implement a security program that will defend against malicious and inadvertent internal incidents and satisfy government and industry mandates in our Compliance From The Inside Out report. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2021
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

CVE-2014-3604
Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2014-6230
Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

CVE-2014-6251
Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

CVE-2014-7180
Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.