by skrish 5268 days ago
+1 for not storing clear text passwords.

I like the tone of the blog & how forthright they have been with dealing with the issue.

4 comments

> +1 for not storing clear text passwords.

That shouldn't need a +1.

Considering that 90% of success is showing up, and the next 9% is avoiding obvious failure paths, Zappos is doing pretty well here.

Lots of room for improvement above and beyond these two points, sure, but at least they're not falling victim to the classic blunders.

Disallowing international sales means they'll probably also avoid getting involved in a land war in Asia.

Now if I can just find my iocane powder...

It shouldn't, but it's shocking how many companies don't encrypt passwords before storing them in the db.

Agree. So many companies don't act like grown-ups and just try to cover up the problem.

Still, it's going to be pretty tough getting your average customer back who hears they've been "hacked" and is afraid to create a new password. Not to mention the average customer's password is probably the same password across Facebook, Gmail, etc.

Absolutely. The biggest risk is the shared password part. It is surprising people still do it.

I am surprised that some of the big eCommerce companies still mail back the password in clear text. Just plain stupid.

Sharing passwords will end when I don't have to remember one for every random website ever.

Zappos is always a class act. I have about 3X the shoes I otherwise would have as a result of their customer service.

While they do get "+1" for this, they haven't provided any further details of what exactly they did with the passwords. Did they use a salt? Was the hashing algorithm MD5, bcrypt, or something else? If they used MD5 with no salt, your password may not be much more secure than a clear text password unless it's particularly complex.
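The last comment's point (unsalted MD5 is close to clear text for any common password, a salted slow hash is not) as an added, self-contained example. This is not code from the thread or from Zappos; nothing is known about what Zappos actually used. It uses PBKDF2-HMAC-SHA256 from the Python standard library as the salted, iterated hash, since bcrypt (which the comment names) needs a third-party package; the user records and the wordlist are constructed for the demo.

```python
"""Added example, not from the thread: unsalted MD5 versus a salted,
iterated hash (PBKDF2-HMAC-SHA256; bcrypt would serve the same role).
All users, passwords and the wordlist below are constructed."""
import hashlib
import hmac
import secrets

# Constructed attacker wordlist; a real one has millions of entries.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "zappos1"]


def md5_unsalted(password: str) -> str:
    """The weak scheme: one fixed MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precomputed hash -> password map. Built once, reused against every
    user in every breach that used unsalted MD5."""
    return {md5_unsalted(w): w for w in wordlist}


def crack_unsalted(stored_hashes, table):
    """Recover passwords by dictionary lookup: no hashing at attack time.
    Returns {user: password or None}."""
    return {user: table.get(h) for user, h in stored_hashes.items()}


def pbkdf2_store(password: str, iterations: int = 100_000) -> dict:
    """The stronger scheme: random per-user salt plus an iterated hash.
    The record stores everything needed to verify later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def pbkdf2_verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_salted(records, wordlist):
    """Same dictionary attack against the salted scheme. The salt makes any
    shared table useless, so every guess is recomputed per user at the full
    iteration count. Returns {user: password or None}."""
    return {
        user: next((w for w in wordlist if pbkdf2_verify(w, rec)), None)
        for user, rec in records.items()
    }


def hash_operations(n_users: int, n_words: int, iterations: int) -> dict:
    """Rough attacker cost: hash computations needed to test the whole
    wordlist against every user under each scheme."""
    return {
        "unsalted_md5": n_words,  # table built once, then lookups only
        "salted_pbkdf2": n_users * n_words * iterations,
    }


if __name__ == "__main__":
    leaked = {"alice": md5_unsalted("password"), "bob": md5_unsalted("Tr0ub4dor&3")}
    print(crack_unsalted(leaked, build_lookup_table(COMMON_PASSWORDS)))
    records = {"alice": pbkdf2_store("password"), "bob": pbkdf2_store("Tr0ub4dor&3")}
    print(crack_salted(records, COMMON_PASSWORDS))
    print(hash_operations(2, len(COMMON_PASSWORDS), 100_000))
```

Note that a salt alone does not save a weak password: crack_salted still finds "password" for alice. What it buys is that the attacker pays the full iteration count per user per guess instead of a one-time table build, which is the difference between cracking a whole database overnight and cracking a handful of the weakest accounts.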