Amazon Flaw Lets Password Variants Through
Wired reports that it has confirmed a password flaw affecting some Amazon accounts. If your password hasn't been changed in a while ("the past several years"), it may be less secure than you'd like. As Wired explains, for these older accounts, "[...] if your password is 'Password,' Amazon.com will also let you log in with 'PASSWORD,' 'password,' 'passwordpassword,' and 'password1234.'" The article suggests that Amazon's use of the Unix crypt() function, which hashes only the first eight characters of a password, may be at fault. (Hat tip to E. Maureen Foley for pointing this out.)
It's the cheap-ass developers' fault.
Dunning-Kruger explains most posts on
Is it supposed to show all of my passwords in the article? Or do you just see stars?
Just went to Amazon, typed in my passwords using all caps, and sure enough it logged me right in. I "changed" my password to the same thing it already was, and now the issue is fixed.
My password was generated using the built-in OS X password tool, so I don't have my Amazon password memorized. I looked it up in the Keychain, then changed all the lower-case letters to upper-case - Amazon let me log in.
Guess I'd better change my password!
#DeleteChrome
Luckily I am not affected. My password is 'p31men$!' and so even if there are capital variants, the use of numbers and symbols makes it very hard to crack. I am completely safe.
They obviously didn't care enough to: 1. Send out an email to all affected people AND/OR 2. Disable those people's passwords after a certain period of time, forcing them to use the forgot password link. I dunno... I personally value security over forcing a bunch of people to reset their passwords. SO WHAT if a few people complain? It's better that than people losing money over this. *sigh*
My password of hunter2 was not compromised.
XML is like violence. If it doesn't solve the problem, use more.
Sure, it would make a dictionary attack easier, but it's not as if you can launch a dictionary attack against amazon.com without being shut down after the first n wrong guesses.
It strikes me as a clever way to save the inevitable calls/emails to tech support ("Uh, I haven't logged in for like, 3 years, and now I can't remember my password.")
What's the threat, exactly?
I think it's safe to say my password is safe.
Same with wellsfargo.com, and it's been like that for ages.
Am I too old for knowing immediately what the root cause for this was?
Shouldn't this even be considered basic knowledge for any advanced UNIX user?
That was refreshing. Now get off my lawn.
Wired seems to have missed the biggest problem, which was pointed out on reddit: the 8-character limit works both ways! If you set your password to be, say, "Password_8463!", as far as Amazon is concerned you just set it to the rather less secure "Password".
Thanks for pointing that out. Based on the summary I would have ignored this issue as my password is strong enough even without case sensitivity.
Wait, no, it's not. Plenty of case insensitive libraries out there. I know Blizzard uses one for World of Warcraft. Unless a prompt explicitly tells me that a password or even a UID IS case sensitive, I assume that it is not. Not that I would rely on my password somehow being case sensitive as protection, that's about as wise as relying on a copy/paste routine to protect you. Many fools rely on that kind of tactic, and that just makes me laugh.
You want to protect your passwords? Remember, YOU are the weak point. You are the one who does things like give them out to friends, to let them log into your account. You are the one who runs programs on your computer.
Remember it.
My amazon.com password is a dictionary word I set in, like, 1997?
Maybe it's time to change it.
So I just tried this to see if it worked and sure enough, it lets me log in. However, if I log in using "PASSWORD" I can see one set of orders. If I use "password" I get a completely different set! No wonder I have not been able to track packages from some computers, I must have mistyped my password!
Charles Schwab brokerage (think, lots of money) has the same behavior. Case-insensitive and only uses the first 8 characters. Maybe it "had" the same behavior, since I haven't checked for a while.
Amazon did not respond to a request for comment.
Try getting them to respond to a request for COMMENT, commentcomment, or comment1234.
I thought PaSswOrD was reasonably secure. How was I supposed to know it was case-insensitive?
I hear the site also accepts minor misspellings, anagrams, close synonyms and Cockney rhyming slang.
Amazon also allows multiple accounts for the same email address, as long as the passwords are unique.
A password hash is a one-way function, which means that it is impossible to re-encode passwords stored using one hash using another hash. This means that the old password hash function must still be supported until all passwords are changed.
I don't care if you can append something to a password. Mathematically, accepting some additional input to a password is not bad; you can also type additional text.
The only loss in entropy is that you don't have to guess where the user cut something off from known words. The worst-case scenario would be if you make a dictionary attack and the password is in the dictionary in a longer form: you don't have to send the right length. Assuming that the chosen password must be longer than 8 characters and probably is shorter than 32 characters, this saves you *at most* 5 bits of entropy, probably less for most real-world cases. Given that a good password should have more than 40-48 bits of entropy, losing 5 bits won't hurt much.
The old unix crypt function (using DES encryption) has always been case sensitive, although it is limited to 8 characters... If the password is case insensitive that sounds more like LANMAN, an old password hashing function used by older versions of windows (still enabled by default in 2003 and earlier).
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
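The two properties the thread keeps circling (the 8-character truncation from crypt(3) pointed out above and in the reddit comment, and the case-folding that looks more like LANMAN) are easy to model, as is the point that a one-way hash cannot be re-encoded until the user logs in again. The following is an added example, not code from the page, from Wired, or from Amazon: nobody here knows what Amazon's backend actually does, so the legacy scheme below is a constructed stand-in (truncate to 8, uppercase, then a salted SHA-1 in place of DES-crypt or the LANMAN DES step), and the hypothetical `login()` shows a transparent hash upgrade on the next successful login.

```python
import hashlib
import hmac
import os

# Assumption: a legacy scheme that keeps only the first 8 characters and
# ignores case. This is a constructed model of the behaviour described in
# the thread, not the real crypt(3)/LANMAN code or anything Amazon runs.
LEGACY_LIMIT = 8


def legacy_normalize(password: str) -> bytes:
    """Apply the lossy transformation: truncate to 8 chars, fold case."""
    return password[:LEGACY_LIMIT].upper().encode("utf-8")


def legacy_hash(password: str, salt: bytes) -> bytes:
    # SHA-1 stands in for the DES-based digest; the flaw being shown is the
    # normalisation step, not the choice of digest.
    return hashlib.sha1(salt + legacy_normalize(password)).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    # Whole password, case-sensitive, deliberately slow KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_record(password: str, scheme: str) -> dict:
    """Create a stored credential record tagged with its hashing scheme."""
    salt = os.urandom(16)
    fn = legacy_hash if scheme == "legacy" else modern_hash
    return {"scheme": scheme, "salt": salt, "hash": fn(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Check a candidate against the record using whichever scheme it carries."""
    fn = legacy_hash if record["scheme"] == "legacy" else modern_hash
    return hmac.compare_digest(record["hash"], fn(candidate, record["salt"]))


def login(record: dict, candidate: str) -> bool:
    """Verify, and on success rehash legacy records with the modern scheme.

    This is the only point at which the plaintext is available, so it is the
    only point at which a one-way legacy hash can be replaced.
    """
    if not verify(record, candidate):
        return False
    if record["scheme"] == "legacy":
        record.update(make_record(candidate, "modern"))
    return True


def variants_accepted(record: dict, variants: list) -> list:
    """Return every candidate the stored record would accept."""
    return [v for v in variants if verify(record, v)]


if __name__ == "__main__":
    # Constructed sample: the reddit commenter's 14-character password.
    rec = make_record("Password_8463!", "legacy")
    probes = ["Password", "PASSWORD", "password", "passwordpassword",
              "password1234", "Passw0rd", "Passwor"]
    print("legacy accepts:", variants_accepted(rec, probes))
    login(rec, "Password_8463!")          # upgrades the record in place
    print("after upgrade:", variants_accepted(rec, probes))
```

Two things worth noting about the upgrade path. First, the rehash binds whatever string the user typed this time: if they logged in with a variant ("PASSWORD"), that variant becomes the real password, so a site with a lossy legacy scheme is better off forcing a reset than silently rehashing. Second, `hmac.compare_digest` is used for the comparison so the check does not leak a timing difference between schemes.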
Has anyone using Amazon UK found this issue? I just tried and it won't accept anything but my actual password.
Maybe they should have read the UNIX hater guide?
When you go to the password reset page on Amazon.co.uk, it doesn't appear to be a secure page. Maybe the "Save Changes" button submits via an https link, but I don't have time to go digging through the source code - that kinda defeats the whole point of the lock icon, etc, surely?
In any case, the captcha image has been "loading" for about 5 minutes now - guess everyone's trying to change their passwords?
I emailed them and got a useless cust.care reply that they will look into it. But nothing's been done, so "Abc1234" is the same as "abc1234" or "ABC1234." I use a 9-character password, not sure if these idiots use a system which only reads 6 chars!?
Let us know :)
{crypt} has only ever supported eight characters. I've run into this on older Solaris systems for years. Move up to {ssha} already.
I can verify that... I just logged into my account with all caps and numbers trailing at the end, and I always get logged in :S
I just recalled that Charles Schwab (a US stockbroker company) has an 8-character password limit.
Guess what? They're also affected by the same issue.
Crap.
I wonder how much outcry there would be if these companies reset all the old user account passwords like sourceforge just did.
I am sure this is already fixed, as Amazon is very quick to dish out updates to their websites when something is not right, I guess I would have to test mine.
A similar problem exists in RealVNC viewer 3.3.7.0: it will authenticate you with half or two-thirds of your password. Although this will only jump you into a server's console, if this server isn't locked, then the VNC-authenticated user will gain full control.
For example, a password of !password*22 can be authenticated with as little as !password.
Thanks
Joesf