Or we could just stop using passwords everywhere and not have this problem again. Anybody? Anybody?
Disclosure: I have no affiliation with LastPass beyond being a satisfied user.
When Gizmodo's database was compromised and I didn't know which password I used there, I decided to stop using the same set of passwords everyone and started generating and storing my passwords using 1Password. It's a little annoying to use on my iPhone (particularly having to type my long master password on the soft keyboard), but it's dead simple to use on the desktop and I recommend it to everyone. I still have some sites that use my old passwords, but 1Password's Smart Folders let me search my passwords for those and I plan on changing those today.
(I haven't used LastPass so I can't comment on how it compares to 1Password)
Whenever they bring up the perceived inconvenience (which goes down on the desktop with practice) I simply remind them how much time they will waste if one of their accounts is compromised.
Sure their foursquare (or pick another random service that doesn't hold EXTREMELY important data) account isn't that important but when it uses their Gmail address and has the same password they are just begging for trouble.
Also this gets them out of logging on to their Gmail and Facebook accounts from public computers. They still don't fully understand the possible problems but at least now it is such an inconvenience they just use their own devices.
How would Lastpass protect against an attacker masquerading as the third party website? (Especially considering this feature would be used when a website finds itself compromised.)
Or, as I mentioned, let's do away with passwords. Anyone can have your public key so long as your private key stays private.
As a side note, I was horrified to discover that Hertz sends passwords (as part of password recovery) in the clear. For those using Hertz, you should take the appropriate precautions.
What are the best practices you want to see a website use when storing your password?
I'm looking for the data dump right now, in case it was posted publicly--that's probably the only way I'll be able to answer my question since I doubt Zappos will cooperate :(
As someone who was just bit by the Stratfor data loss, this is the second month in a row. Fortunately my Stratfor password was worthless, but I had my credit card stolen and used to pay for video games. And now my email and street address are public information.
"dear bestnameever, i know about those high heels you bought, and i happen to know you don't have a girlfriend. $1000 in unmarked bills or we tell your father you're a cross-dresser."
Or the incredibly geeky wife who suspects her husband is showering the hot secretary with shoes and handbags, and confirms it by poring over the breached data.
Can you provide any further information that would be of interest to HN readers? If not, why do you bother posting this?
I like the tone of the blog & how forthright they have been with dealing with the issue.
That shouldn't need a +1.
Lots of room for improvement above and beyond these two points, sure, but at least they're not falling victim to the classic blunders.
Disallowing international sales means they'll probably also avoid getting involved in a land war in Asia.
Now if I can just find my iocane powder...
Still, it's going to be pretty tough getting your average customer back who hears they've been "hacked" and are afraid to create a new password. Not to mention the average customer's password is probably the same password across facebook, gmail, etc.
I am surprised that some of the big eCommerce companies still mail back the password in clear text. Just plain stupid.
Anyone could paste/screenshot/... what there is to see ?
First, the bad news:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mailaddress, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
THE BETTER NEWS:
The database that stores your critical credit card and other payment data was NOT affected or accessed.
SECURITY PRECAUTIONS:
For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.
We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.
PLEASE CREATE A NEW PASSWORD:
We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there.
We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com
It is probably worthwhile in these situations to provide basic implication info for laymen, i.e. implications of "your cryptographically scrambled password."
