Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Networking

    Zappos Breach Illustrate the Need for Stronger Password Rules

    By
    Fahmida Y. Rashid
    -
    January 17, 2012
    Share
    Facebook
    Twitter
    Linkedin

      The latest breach with online clothing and apparel retailer Zappos.com highlights the importance of password security, according to security experts.

      Cyber-attackers breached one of the company’s servers in Kentucky and accessed “one or more” pieces of personal information, including customer names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and user passwords, Zappos.com CEO Tony Hsieh said in a Jan. 15 email sent to employees and customers. Hsieh said credit card data was stored in a separate database and was not breached. The passwords were “cryptographically scrambled,” Hsieh said.

      While Zapos.com immediately reset the passwords for all customers and quickly communicated to employees and customers about the breach, security experts said the company should have provided additional information.

      “An appropriate response includes more detail of ‘how did they get in, where did they go and what was accessed, seen, and removed from the network?'” Alan Hall, security expert and director at Solera Networks, told eWEEK.

      Kurt Baumgartner, a senior security researcher at Kaspersky Lab, agreed, noting that Zappos “did the right thing” by clearly communicating what data was accessed and what was not, all of which should be “standard, timely stuff” for breach notifications.

      “Zappos could still clarify details about the breach, exactly what was in the database and what the heck they mean by ‘cryptographically scrambled passwords,'” Baumgartner wrote on the Securelist blog.

      It is clear from Hsieh’s statement that actual passwords were not exposed, but “scrambled,” which is not a commonly recognized security term and does not explain what steps Zappos had taken to protect the information, according to Baumgartner. Many experts have assumed the company meant the passwords had been hashed.

      If that is the case, Zappos needs to disclose whether it was maintaining salted MD5 hashes or using a stronger algorithm to protect the data, according to Baumgartner. While MD5 is a widely used cryptographic hash function that produces a 128-bit hash value, recent research has shown it to be vulnerable to cracking. The United States Computer Emergency Response Team considers MD5 to be “cryptographically broken and unsuitable for further use.”

      Hashed passwords do not prevent attackers from eventually recovering passwords, especially if the users had selected weak passwords in the first place, as was shown in an analysis of stolen Stratfor passwords. Using readily available cracking software, rainbow tables and a normal desktop computer, it was possible to obtain more than 80,000 passwords in less than 5 hours. Cheap GPU and cloud computing resources have also made it easier to process and recover passwords in “very short time frames,” according to Baumgartner.

      Major site operators should be “planning for the worst” and using a stronger algorithm to secure data, Baumgartner said, especially considering how common data breaches became in 2011.

      There have been many discussions about passwords and whether they should be abandoned in favor of two-factor authentication schemes using one-time passwords or other mechanisms. IBM recently predicted in its “5 in 5” list that within five years, multifactor biometrics would mean users would never have to use a password again. In contrast, Microsoft researcher Cormac Herley and Carleton University’s Paul C. van Oorschot said passwords are “more widely used and firmly entrenched than ever,” and will be around for a while.

      Unfortunately, password reusage is still rampant, as users select the same password on their email, social networking platform and online banking. Zappos’ Hsieh recommended users change their passwords on other sites if it was the same as for Zappos.

      “Data breaches like this one are common; it’s a good idea to make sure your passwords are all secure, so if passwords are obtained in a data breach, hackers can’t use yours on other sites and see if it’s the same,” according to Intego, a Mac security vendor.

      Zappos.com reset and expired existing passwords for all 24 million customer accounts and sent instructions on how to create a new password “to ensure a greater level of security.” The new policy required users to select a password that was at least eight characters long, including one upper and lowercase letter and one number or one special character. While the policy appears to be good, Baumgartner noted that a password such as “Zappos12” would fit the new rules and still be very weak and easily cracked with a rainbow table.

      “Eight characters simply don’t cut it,” Baumgartner wrote, noting that there needs to be “stronger but more practical password policies” than are currently in place on major sites.

      According to Zappos policy, users cannot reuse any of the last six passwords. The email notification to customers did not indicate whether those six passwords were also stolen, noted Baumgartner.

      Avatar
      Fahmida Y. Rashid

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×