The latest breach at online clothing and apparel retailer Zappos.com highlights the importance of password security, according to security experts.
Cyber-attackers breached one of the company's servers in Kentucky and accessed "one or more" pieces of personal information, including customer names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and user passwords, Zappos.com CEO Tony Hsieh said in a Jan. 15 email sent to employees and customers. Hsieh said credit card data was stored in a separate database and was not breached. The passwords were "cryptographically scrambled," Hsieh said.
While Zappos.com immediately reset the passwords for all customers and quickly communicated with employees and customers about the breach, security experts said the company should have provided additional information.
"An appropriate response includes more detail of 'how did they get in, where did they go and what was accessed, seen, and removed from the network?'" Alan Hall, security expert and director at Solera Networks, told eWEEK.
Kurt Baumgartner, a senior security researcher at Kaspersky Lab, agreed, noting that Zappos "did the right thing" by clearly communicating what data was accessed and what was not, all of which should be "standard, timely stuff" for breach notifications.
"Zappos could still clarify details about the breach, exactly what was in the database and what the heck they mean by 'cryptographically scrambled passwords,'" Baumgartner wrote on the Securelist blog.
It is clear from Hsieh's statement that passwords were not exposed in plaintext but were "scrambled," which is not a commonly recognized security term and does not explain what steps Zappos had taken to protect the information, according to Baumgartner. Many experts have assumed the company meant the passwords had been hashed.
If that is the case, Zappos needs to disclose whether it was maintaining salted MD5 hashes or using a stronger algorithm to protect the data, according to Baumgartner. While MD5 is a widely used cryptographic hash function that produces a 128-bit hash value, recent research has shown it to be vulnerable to cracking. The United States Computer Emergency Response Team considers MD5 to be "cryptographically broken and unsuitable for further use."
Hashed passwords do not prevent attackers from eventually recovering passwords, especially if the users had selected weak passwords in the first place, as was shown in an analysis of stolen Stratfor passwords. Using readily available cracking software, rainbow tables and a normal desktop computer, it was possible to obtain more than 80,000 passwords in less than 5 hours. Cheap GPU and cloud computing resources have also made it easier to process and recover passwords in "very short time frames," according to Baumgartner.
Major site operators should be "planning for the worst" and using a stronger algorithm to secure data, Baumgartner said, especially considering how common data breaches became in 2011.
There have been many discussions about passwords and whether they should be abandoned in favor of two-factor authentication schemes using one-time passwords or other mechanisms. IBM recently predicted in its "5 in 5" list that within five years, multifactor biometrics would mean users would never have to use a password again. In contrast, Microsoft researcher Cormac Herley and Carleton University's Paul C. van Oorschot said passwords are "more widely used and firmly entrenched than ever," and will be around for a while.
Unfortunately, password reuse is still rampant, as users select the same password for their email, social networking platform and online banking. Zappos' Hsieh recommended that users change their passwords on other sites if they were the same as the one used for Zappos.
"Data breaches like this one are common; it's a good idea to make sure your passwords are all secure, so if passwords are obtained in a data breach, hackers can't use yours on other sites and see if it's the same," according to Intego, a Mac security vendor.
Zappos.com reset and expired existing passwords for all 24 million customer accounts and sent instructions on how to create a new password "to ensure a greater level of security." The new policy required users to select a password that was at least eight characters long, including one upper and lowercase letter and one number or one special character. While the policy appears to be good, Baumgartner noted that a password such as "Zappos12" would fit the new rules and still be very weak and easily cracked with a rainbow table.
"Eight characters simply don't cut it," Baumgartner wrote, noting that there needs to be "stronger but more practical password policies" than are currently in place on major sites.
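As an added example (not code from the article, from Zappos or from any of the experts quoted), the following Python illustrates two points raised above: a composition check matching the eight-character rule, which accepts "Zappos12", beside a stricter check that rejects it, and a salted, iterated PBKDF2-HMAC-SHA256 store-and-verify routine in place of a single unsalted MD5 pass. The common-word list, the 12-character minimum and the iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import re

# Composition rule as the article describes the new Zappos policy:
# at least 8 characters, one uppercase and one lowercase letter, and one
# digit or special character. Treating any non-alphanumeric as "special"
# is an assumption.
def meets_composition_rules(pw):
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]|[^A-Za-z0-9]", pw) is not None)

# Constructed stricter check: longer minimum, and reject "known word plus
# trailing digits/symbols" shapes such as "Zappos12" that satisfy the
# composition rule above. The word list is a constructed sample.
COMMON_WORDS = {"zappos", "password", "welcome", "letmein"}

def stronger_check(pw):
    if len(pw) < 12:
        return False
    base = re.sub(r"[^A-Za-z]+$", "", pw).lower()  # strip trailing digits/symbols
    return base not in COMMON_WORDS

# Storage: one unsalted MD5 pass (the weak case the article warns about).
# Every user with the same password gets the same digest, so one
# precomputed table answers all of them.
def md5_scramble(pw):
    return hashlib.md5(pw.encode()).hexdigest()

# Stronger store: per-user random salt plus an iterated KDF. The
# iteration count (200,000) is an assumption; tune it to your hardware.
def pbkdf2_store(pw, salt=None, iterations=200_000):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(pw, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare
```

Note that two calls to `pbkdf2_store` with the same password yield different stored strings because the salt differs, while `md5_scramble` yields the same digest every time.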
According to Zappos policy, users cannot reuse any of the last six passwords. The email notification to customers did not indicate whether those six passwords were also stolen, noted Baumgartner.