Slashdot Mirror


Amazon Flaw Lets Password Variants Through

Wired reports that it has confirmed a password flaw affecting some Amazon accounts. If your password hasn't been changed in a while ("the past several years"), it may be less secure than you'd like. As Wired explains, for these older accounts, "[...] if your password is 'Password,' Amazon.com will also let you log in with 'PASSWORD,' 'password,' 'passwordpassword,' and 'password1234.'" The article suggests that Amazon's use of the Unix crypt() tool may be at fault. (Hat tip to E. Maureen Foley for pointing this out.)

5 of 159 comments

  1. The UNIX crypt tool is not at fault by geekoid · · Score: 3, Insightful

    It's the cheap-ass developers' fault.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  2. Well I'll be damned.... by artor3 · · Score: 4, Insightful

    Just went to Amazon, typed in my passwords using all caps, and sure enough it logged me right in. I "changed" my password to the same thing it already was, and now the issue is fixed.

    1. Re:Well I'll be damned.... by bbqsrc · · Score: 3, Insightful

      Now they should consider implementing a 'set new password on next login' rule to rectify this before someone gets screwed over and is enraged.

      --
      Disagree != mod troll.
    2. Re:Well I'll be damned.... by KiloByte · · Score: 3, Insightful

      Or at the very least, update to a semi-modern hash on the next login, when the unhashed version will be known. Since they, like most web pages, don't use a challenge-response scheme but transmit the password as-is (at least over SSL, unlike Facebook's default), this is a trivial thing to do.

      Forcing a password change would bring some security, but they're too afraid to spook Mrs. May-type users for that.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
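The upgrade-on-next-login approach KiloByte describes, as an added example that is not Amazon's code or from the article. The legacy scheme is a constructed stand-in that only models the reported behaviour (first 8 characters, case ignored); the real legacy format and the verifier's interface are assumptions.

```python
import hashlib
import hmac
import os

LEGACY_TAG = "legacy"   # constructed tag for the old, weak hash format
MODERN_TAG = "pbkdf2"   # tag for the upgraded, salted format

def legacy_hash(password: str) -> str:
    # Stand-in for the legacy scheme: truncates to 8 characters and folds case,
    # so "password", "PASSWORD" and "passwordpassword" all collide. This models
    # the reported behaviour only; it is not how crypt() is implemented.
    normalized = password[:8].lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()

def modern_hash(password: str, salt: bytes) -> str:
    # Salted, iterated hash over the full password; no truncation or case folding.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return dk.hex()

def verify(stored: str, password: str) -> bool:
    tag, rest = stored.split("$", 1)
    if tag == LEGACY_TAG:
        return hmac.compare_digest(rest, legacy_hash(password))
    salt_hex, digest = rest.split("$", 1)
    return hmac.compare_digest(digest, modern_hash(password, bytes.fromhex(salt_hex)))

def login(store: dict, user: str, password: str) -> bool:
    """Verify the password; on success, silently migrate legacy entries.

    Caveat: the plaintext is only known at login, so whichever variant the
    user typed (e.g. "PASSWORD") becomes the canonical password from then on.
    """
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith(LEGACY_TAG + "$"):
        salt = os.urandom(16)
        store[user] = f"{MODERN_TAG}${salt.hex()}${modern_hash(password, salt)}"
    return True

# Constructed sample user with a legacy-format entry for "password".
SAMPLE_STORE = {"alice": f"{LEGACY_TAG}${legacy_hash('password')}"}
```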
  3. Why exactly is this a problem? by Man+On+Pink+Corner · · Score: 4, Insightful

    Sure, it would make a dictionary attack easier, but it's not as if you can launch a dictionary attack against amazon.com without being shut down after the first n wrong guesses.

    It strikes me as a clever way to save the inevitable calls/emails to tech support ("Uh, I haven't logged in for like, 3 years, and now I can't remember my password.")

    What's the threat, exactly?