Or we could just stop using passwords everywhere and not have this problem again. Anybody? Anybody?
Disclosure: I have no affiliation with LastPass beyond being a satisfied user.
When Gizmodo's database was compromised and I didn't know which password I used there, I decided to stop using the same set of passwords everyone and started generating and storing my passwords using 1Password. It's a little annoying to use on my iPhone (particularly having to type my long master password on the soft keyboard), but it's dead simple to use on the desktop and I recommend it to everyone. I still have some sites that use my old passwords, but 1Password's Smart Folders let me search my passwords for those and I plan on changing those today.
(I haven't used LastPass so I can't comment on how it compares to 1Password)
Whenever they bring up the perceived inconvenience (which goes down on the desktop with practice) I simply remind them how much time they will waste if one of their accounts is compromised.
Sure their foursquare (or pick another random service that doesn't hold EXTREMELY important data) account isn't that important but when it uses their Gmail address and has the same password they are just begging for trouble.
Also this gets them out of logging on to their Gmail and Facebook accounts from public computers. They still don't fully understand the possible problems but at least now it is such an inconvenience they just use their own devices.
How would Lastpass protect against an attacker masquerading as the third party website? (Especially considering this feature would be used when a website finds itself compromised.)
Or, as I mentioned, let's do away with passwords. Anyone can have your public key so long as your private key stays private.
Still, the idea of a service for handling this makes sense. Rather than one based on a single vendor, a simple API for querying compromised domains would handle it. Then the lastpass extension can call that api for a list of the user's domains and see if anything needs to be changed. Being more general (just giving out information about recently compromised sites) also seems more useful, in that people would do a lot of different things with it.
Their reaction to this flaw was exemplary though, and LastPass is a lot more secure now because of it.
So I stopped using them after that incident.
It was a while ago I don't remember the particulars, but I do remember they said they were not sure if someone stole everyones password so everyone should change their master password to be safe. So I deleted my account to be safer.
Well they said that their database was compromised
I don't remember the particulars
I don't know anyone else that monitors the traffic on their network to detect unauthorized access and I know many companies that don't. That's already a huge plus and it makes me trust them with security in general all the more.
Zappos is operated completely separately from Amazon so in order to expand internationally they would have to roll their own operations internationnaly.
As a side note, I was horrified to discover that Hertz sends passwords (as part of password recovery) in the clear. For those using Hertz, you should take the appropriate precautions.
What are the best practices you want to see a website use when storing your password?
The only way it could be harmful to disclose the hashing method is if you're using an insufficient one.
That said, bcrypt and a time/attempt limited lockout should go a good ways in securing your site.
Also, are these passwords encrypted or hashed? Those two are miles away from each other and you guys are using both words nearly interchangeably. If encrypted, where is the key? Was it compromised?
I'm looking for the data dump right now, in case it was posted publicly--that's probably the only way I'll be able to answer my question since I doubt Zappos will cooperate :(
As someone who was just bit by the Stratfor data loss, this is the second month in a row. Fortunately my Stratfor password was worthless, but I had my credit card stolen and used to pay for video games. And now my email and street address are public information.
"dear bestnameever, i know about those high heels you bought, and i happen to know you don't have a girlfriend. $1000 in unmarked bills or we tell your father you're a cross-dresser."
Or the incredibly geeky wife who suspects her husband is showering the hot secretary with shoes and handbags, and confirms it by poring over the breached data.
On one end of the spectrum, I envision the same salt used for every user, allowing for the easy and effective creation of rainbow tables. On the other end, I envision unique salts with many bits of entropy for each user, making rainbow tables technologically infeasible.
Can you provide any further information that would be of interest to HN readers? If not, why do you bother posting this?
I like the tone of the blog & how forthright they have been with dealing with the issue.
That shouldn't need a +1.
Lots of room for improvement above and beyond these two points, sure, but at least they're not falling victim to the classic blunders.
Disallowing international sales means they'll probably also avoid getting involved in a land war in Asia.
Now if I can just find my iocane powder...
Still, it's going to be pretty tough getting your average customer back who hears they've been "hacked" and are afraid to create a new password. Not to mention the average customer's password is probably the same password across facebook, gmail, etc.
I am surprised that some of the big eCommerce companies still mail back the password in clear text. Just plain stupid.
Anyone could paste/screenshot/... what there is to see ?
First, the bad news:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mailaddress, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
THE BETTER NEWS:
The database that stores your critical credit card and other payment data was NOT affected or accessed.
For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.
We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.
PLEASE CREATE A NEW PASSWORD:
We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there.
We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at firstname.lastname@example.org
It is probably worthwhile in these situations to provide basic implication info for laymen, i.e. implications of "your cryptographically scrambled password."