Zappos Security Breach Affects Millions; Are Passwords Necessary?

More on Password Debate

In a piece for Wired, Robert McMillan lays out our long, conflicted relationship with the password. What started as an easy solution to access our lives online has spiraled out of control. We are now forced to remember more passwords than ever, many containing nonsense symbols and a mix of capital letters and numerals. What’s more, security safeguards just don’t cut it anymore. Passwords are often the weakest link in a network, which hackers exploit regularly.

“Passwords have given websites a cheap and relatively secure way to quickly sign up millions of users, but the computer industry needs to treat them with a little more respect,” writes McMillan.

Passwords may not be going away, but users should have, AT MOST, one to remember. And that password shouldn’t be absurd — no minimum and maximum length, no required special characters, no wingdings, no caps, no numerals. Users should be able, through single sign-on, to easily access all business and personal applications used on a daily basis.

Hackers Attack Zappos, Millions Affected

If you’re one of Zappos’ 24 million users, you likely received CEO Tony Hsieh’s email over the weekend telling you that hackers breached one of the company’s servers, opening up a slew of personal information (email, shipping and billing addresses; passwords; phone numbers; last four digits of credit cards) to hackers.

Zappos hasn’t yet released the cause of the breach, but CIO Today, quoting security experts mulling the causes and consequences of the breach, noted that browsers remain a critical weak point. Another company for the timeline …

Security Breach Timeline

• January 15, 2012: Hackers access personal information from unknown number of Zappos’ 24 million users.
• JANUARY 5, 2012: 45,000 Facebook passwords compromised, mostly in the U.K. and France
• DECEMBER 14, 2011: China-backed hackers break into iBahn network, potentially accessing millions of confidential emails
• NOVEMBER 30, 2011: Duqu authors likely behind extensive C&C infrastructure wipe-outs
• NOVEMBER 10, 2011: Valve’s Steam server hacked.
• JUNE 24, 2011: Electronic Arts’ BioWare server hacked.
• JUNE 20, 2011: Sega hacked – 1.3 million users had sensitive information stolen.
• JUNE 20, 2011: Dropbox files left open due to bug.
• MAY 16, 2011: LastPass database stolen.
• May 10, 2011: Citigroup hack exposed the data of 360,000 accounts, millions stolen.
• APRIL 27, 2011: Sony PlayStation Network hacked.
• MARCH 30, 2011: Epsilon (email communications manager) had the email database for 26 companies, including Citi, Walgreens and BestBuy, stolen.