Despite resetting passwords and encouraging users to change their passwords on other sites, Zappos.com can still do more to secure passwords, experts said.
latest breach with online clothing and apparel retailer Zappos.com highlights
the importance of password security, according to security experts.
breached one of the company's servers in Kentucky and accessed "one or
more" pieces of personal information, including customer names, email
addresses, billing and shipping addresses, phone numbers, the last four digits
of credit card numbers, and user passwords, Zappos.com CEO Tony Hsieh said in a
Jan. 15 email sent to employees
and customers. Hsieh said credit card data was stored in a separate database
and was not breached. The passwords were "cryptographically
scrambled," Hsieh said.
immediately reset the passwords
for all customers and quickly communicated
to employees and customers about the breach, security experts said the company
should have provided additional information.
appropriate response includes more detail of 'how did they get in, where did
they go and what was accessed, seen, and removed from the network?'" Alan
Hall, security expert and director at Solera Networks, told eWEEK
Baumgartner, a senior security researcher at Kaspersky Lab, agreed, noting that
Zappos "did the right thing" by clearly communicating what data was
accessed and what was not, all of which should be "standard, timely
stuff" for breach notifications.
could still clarify details about the breach, exactly what was in the database
and what the heck they mean by 'cryptographically scrambled passwords,'"
Baumgartner wrote on the Securelist
is clear from Hsieh's statement that actual passwords were not exposed, but
"scrambled," which is not a commonly recognized security term and
does not explain what steps Zappos had taken to protect the information, according
to Baumgartner. Many experts have assumed the company meant the passwords had
that is the case, Zappos needs to disclose whether it was maintaining salted
MD5 hashes or using a stronger algorithm to protect the data, according to Baumgartner.
While MD5 is a widely used cryptographic hash function that produces a 128-bit
hash value, recent research has shown it to be vulnerable to cracking. The
United States Computer Emergency Response Team considers MD5 to be
"cryptographically broken and unsuitable for further use."
passwords do not prevent attackers from eventually recovering passwords,
especially if the users had selected weak passwords in the first place, as was
shown in an
analysis of stolen Stratfor passwords
. Using readily available cracking
software, rainbow tables and a normal desktop computer, it was possible to
obtain more than 80,000 passwords in less than 5 hours. Cheap GPU and cloud
computing resources have also made it easier to process and recover passwords
in "very short time frames," according to Baumgartner.
site operators should be "planning for the worst" and using a stronger
algorithm to secure data, Baumgartner said, especially considering how common
data breaches became in 2011.
have been many discussions about passwords and whether they should be abandoned
in favor of two-factor authentication schemes using one-time passwords or other
mechanisms. IBM recently predicted in its "5
in 5" list
that within five years, multifactor biometrics would mean
users would never have to use a password again. In contrast, Microsoft
researcher Cormac Herley
and Carleton University's Paul C. van Oorschot
said passwords are "more widely used and firmly entrenched than
ever," and will be around for a while.
password reusage is still rampant, as users select the same password on their
email, social networking platform and online banking. Zappos' Hsieh recommended
users change their passwords on other sites if it was the same as for Zappos.
breaches like this one are common; it's a good idea to make sure your passwords
are all secure, so if passwords are obtained in a data breach, hackers can't use
yours on other sites and see if it's the same," according to Intego, a Mac
reset and expired existing passwords for all 24 million customer accounts and
sent instructions on how to create a new password "to ensure a greater level
of security." The new policy required users to select a password that was
at least eight characters long, including one upper and lowercase letter and
one number or one special character. While the policy appears to be good,
Baumgartner noted that a password such as "Zappos12" would fit the
new rules and still be very weak and easily cracked with a rainbow table.
characters simply don't cut it," Baumgartner wrote, noting that there
needs to be "stronger but more practical password policies" than are
currently in place on major sites.
to Zappos policy, users cannot reuse any of the last six passwords. The email
notification to customers did not indicate whether those six passwords were
also stolen, noted Baumgartner.