Slashdot Mirror


Amazon Flaw Lets Password Variants Through

Wired reports that it has confirmed a password flaw affecting some Amazon accounts. If your password hasn't been changed in a while ("the past several years"), it may be less secure than you'd like. As Wired explains, for these older accounts, "[...] if your password is 'Password,' Amazon.com will also let you log in with 'PASSWORD,' 'password,' 'passwordpassword,' and 'password1234.'" The article suggests that Amazon's use of the Unix crypt() function may be at fault. Traditional DES-based crypt(3) does hash only the first eight characters of a password, which would account for 'passwordpassword' and 'password1234' being accepted; crypt() is case-sensitive, though, so the 'PASSWORD' and 'password' matches would require the password to be case-folded before it was hashed. (Hat tip to E. Maureen Foley for pointing this out.)

2 of 159 comments

  1. It's much worse than that by SpammersAreScum · Score: 5, Interesting

    Wired seems to have missed the biggest problem, which was pointed out on reddit: the 8-character limit works both ways! If you set your password to be, say, "Password_8463!", as far as Amazon is concerned you just set it to the rather less secure "Password".

  2. Re:The UNIX crypt tool is not at fault by Bill+Dog · Score: 3, Interesting

    If it IS, then take the password they just used to login,

    But if the problem with the system is that mixed-case and extra characters are allowed in the case of older passwords, what about users with 8-character passwords who log in right after your proposed change with caps lock accidentally down? Or accidentally hit another character-generating key while fumbling for the enter key?

    They'll be logged in. But not next time, because their password is not what they think it is. And even if they'd been entering it wrong for years, if they'd written down somewhere the correct one, they'd find that that also does not work. Much bewilderment and negative feelings about Amazon would ensue.

    --
    Attention zealots and haters: 00100 00100
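The three behaviours discussed on this page (the summary's accepted variants, SpammersAreScum's point that truncation also applies when the password is set, and Bill+Dog's warning about rehashing whatever the user typed at login) can be reproduced with a small model. The code below is an added example, not Amazon's code or anything from the Wired article; it assumes a legacy verifier that case-folds the password and keeps only its first eight characters (SHA-256 stands in for DES crypt here), and a hardened verifier that is full-length, case-sensitive and salted. The function names and the `naive_upgrade_on_login` migration are hypothetical.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumed model of the legacy scheme the article describes (example code, not
# Amazon's implementation). Traditional DES-based crypt(3) hashes only the
# first eight characters of a password, and the reported case-insensitive
# matches imply the password was also case-folded before hashing.
LEGACY_MAX_LEN = 8
PBKDF2_ROUNDS = 200_000


def legacy_canonical(password: str) -> str:
    """Reduce a password the way the modelled legacy scheme does."""
    return password.lower()[:LEGACY_MAX_LEN]


def legacy_set(password: str) -> bytes:
    """Verifier the legacy scheme stores (SHA-256 stands in for DES crypt)."""
    return hashlib.sha256(legacy_canonical(password).encode("utf-8")).digest()


def legacy_verify(stored: bytes, attempt: str) -> bool:
    """Legacy login check: anything with the same canonical form matches."""
    return hmac.compare_digest(stored, legacy_set(attempt))


def modern_set(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened verifier: full length, case-sensitive, per-user salt, slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def modern_verify(stored: Tuple[bytes, bytes], attempt: str) -> bool:
    """Hardened login check: only the exact password matches."""
    salt, digest = stored
    return hmac.compare_digest(digest, modern_set(attempt, salt)[1])


def accepted_variants(password: str, variants: List[str]) -> List[str]:
    """Variants that log in against a legacy verifier created for `password`."""
    stored = legacy_set(password)
    return [v for v in variants if legacy_verify(stored, v)]


def naive_upgrade_on_login(legacy_stored: bytes, typed: str) -> Optional[Tuple[bytes, bytes]]:
    """Rehash whatever the user just typed, with no further check.

    This is the migration Bill+Dog's comment warns about: the legacy check
    accepts a caps-lock or fat-fingered variant, so that variant becomes the
    new password and the password the user actually knows stops working.
    """
    if not legacy_verify(legacy_stored, typed):
        return None
    return modern_set(typed)


if __name__ == "__main__":
    variants = ["PASSWORD", "password", "passwordpassword", "password1234", "Passw0rd"]
    print("legacy accepts:", accepted_variants("Password", variants))
    print("'Password_8463!' stored as 'Password' under legacy:",
          legacy_set("Password_8463!") == legacy_set("Password"))
    upgraded = naive_upgrade_on_login(legacy_set("password"), "PASSWORD")
    print("after a caps-lock login and naive upgrade, 'password' still works:",
          modern_verify(upgraded, "password"))
```

The hardened verifier rejects every variant except the exact password, and the upgrade demo shows why a migration should not silently trust the legacy match: once the legacy check has accepted 'PASSWORD' for a user whose real password is 'password', rehashing the typed string locks that user out next time, exactly the bewilderment Bill+Dog describes.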