How-To Geek

No Time Like The Present To Update Your Passwords; Zappos and Compromised

We harp on password security a lot around here and for a good reason. Security breaches are frequent and the best defense is a set of strong and varied passwords. Read on for a password refresher.

If you’re a or affiliate customer you likely received an email late last night explaining that:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

Now, if you practice good password hygiene, you have nothing to worry about. You were using a single unique password for the site, and even if the password file gets compromised the group responsible will find an only-for-Zappos password like “C&6!s6usWf#KvnT5”. If you’re not so good with password hygiene, the password might look more like “ThisIsTheOnlyPasswordIUseAnywhere” or, more accurately, like “balloon” or some other equally poor password.

If that’s the case, whether or not you’re using that poor password on a site that has been compromised, it’s time to start practicing good password hygiene. To that end you can get started by checking out our guide to recovering from an email password compromise (the mother of all password breaches and, even if it hasn’t happened to you, a great place to start) and our guide to getting started with the LastPass password manager.

Jason Fitzpatrick is a warranty-voiding DIYer who spends his days cracking open cases and wrestling with code so you don't have to. If it can be modded, optimized, repurposed, or torn apart for fun he's interested (and probably already at the workbench taking it apart). You can follow him on if you'd like.

  • Published 01/16/12

Comments (4)

  1. TheFu

    I believe the length of “ThisIsTheOnlyPasswordIUseAnywhere” would prevent a cracker from gaining access, assuming standard encryption was used. Basically, length matters most when it comes to creating passwords. The cracker doesn’t know that you didn’t use a number or symbol and after the dictionary attacks have failed, they only have brute force methods left.

    Length matters for passwords. 13+ characters not in a dictionary are the minimum, but 20+ is advisable as graphics cards become more and more powerful. I read that any 12 character password would be discovered in less than 24 hours about a year ago using GPU processing on less than a $2000 PC. It is only going to get worse, so longer passwords are important.

    Many of the time-to-crack password tables on the internet were created assuming CPU-only methods. GPUs with over 250 pipelines are exponentially faster.

  2. Rod

    Ugh, I used Zappos YEARS ago on an old email account yet I don’t remember the information to either of them.

  3. Forensic Penguin2

    This is exactly the reason I use Password Gorilla (Win, Mac and Linux – free) to manage my passwords; it was easy to do another 16 character secure password. And I used a toss-away mail address.

  4. Doc

    I store my passwords in KeePass Portable. I’ve never used either service, but I’ve heard that the really secure passwords are the *longest* passwords – it would take a brute-force attack several years to generate the correct password. An 8- or 10-character password would be broken in a matter of hours, even if it was something like “aJ8!3k_f” … longer passwords are *definitely* better.
