Slashdot Mirror


Amazon Flaw Lets Password Variants Through

Wired reports that it has confirmed a password flaw affecting some Amazon accounts. If your password hasn't been changed in a while ("the past several years"), it may be less secure than you'd like. As Wired explains, for these older accounts, "[...] if your password is 'Password,' Amazon.com will also let you log in with 'PASSWORD,' 'password,' 'passwordpassword,' and 'password1234.'" The article suggests that Amazon's use of the Unix crypt() tool may be at fault. (Hat tip to E. Maureen Foley for pointing this out.)


  1. The UNIX crypt tool is not at fault by geekoid · · Score: 3, Insightful

    It's the cheap-ass developers' fault.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:The UNIX crypt tool is not at fault by Culture20 · · Score: 2

      Solaris nisplus has a history of only dealing with the first eight characters for passwords, but if this is true, it means they are running a _very_ old system.
      They might also be using single-DES. http://en.wikipedia.org/wiki/Crypt_(Unix)#Traditional_DES-based_scheme

    2. Re:The UNIX crypt tool is not at fault by icebraining · · Score: 1

      What's more likely is that they were running a very old system, and have passwords from those times still in the database; these are usually upgraded when the user logs in again, but some people never logged in again.

    3. Re:The UNIX crypt tool is not at fault by stoborrobots · · Score: 1

      I remember that crypt used to only care about the first 8 characters, but I don't remember anything about it being case insensitive... Where did that come from?

    4. Re:The UNIX crypt tool is not at fault by nxtw · · Score: 1

      What's more likely is that they were running a very old system, and have passwords from those times still in the database; these are usually upgraded when the user logs in again, but some people never logged in again.

      If they have stored truncated case insensitive passwords or hashes, how do they know what users' correct passwords are? Should they reset users' passwords to the first password they type that matches the hash? No, because then a typo (accidental case mismatch or extra/missing/wrong characters after the eighth) would result in the user's password just being wrong.

      This is why long-time and frequent Amazon users are still affected if they've not changed their password recently.

    5. Re:The UNIX crypt tool is not at fault by mysidia · · Score: 2

      It's the cheap-ass developers' fault.

      And it continues to be their fault. They can fix this easily.

      Whenever a user logs in... check if their password is stored using crypt(). If it IS, then take the password they just used to login, and compute a stronger blowfish/salted md5 hash. Replace the crypted password with the strong hash.

      No reason they couldn't have done that when they first introduced stronger password hashing.

    6. Re:The UNIX crypt tool is not at fault by Bill+Dog · · Score: 3, Interesting

      If it IS, then take the password they just used to login,

      But if the problem with the system is that mixed-case and extra characters are allowed in the case of older passwords, what about users with 8-character passwords who log in right after your proposed change with caps lock accidentally down? Or accidentally hit another character-generating key while fumbling for the enter key?

      They'll be logged in. But not next time, because their password is not what they think it is. And even if they'd been entering it wrong for years, if they'd written down somewhere the correct one, they'd find that that also does not work. Much bewilderment and negative feelings about Amazon would ensue.

      --
      Attention zealots and haters: 00100 00100
    7. Re:The UNIX crypt tool is not at fault by mysidia · · Score: 3, Informative

      what about users with 8-character passwords who log in right after your proposed change with caps lock accidentally down

      Unix crypt() is NOT case-insensitive. If the Amazon passwords are case-insensitive due to crypt, then it is due to them converting the field to all lowercase or all uppercase before passing the input to crypt(). They could continue to do so; although case-insensitivity was inadvisable in the first place and they would have painted themselves into a corner -- however, they can still prompt the user to change their password after a successful login, and make the pw change mandatory.

    8. Re:The UNIX crypt tool is not at fault by __aaxtnf2500 · · Score: 1

      The stored password hash is of a lower case input string. The original password could have any permutation of upper/lower letters but all of these would map to the same hash. The password system must request the password again, because the number of input strings that will hash properly is > 1. Whose fault it is has nothing to do with his point. You can't just take the password that resulted in successful login and rehash it, because the mapping is not injective.

    9. Re:The UNIX crypt tool is not at fault by thePig · · Score: 1

      No - this is a basic test case for any login scenario - the person who is at fault is the tester

      --
      rajmohan_h@yahoo.com
    10. Re:The UNIX crypt tool is not at fault by Z00L00K · · Score: 1

      And the person that did write the specification of how it should be done.

      Assuming that there are specifications.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    11. Re:The UNIX crypt tool is not at fault by mysidia · · Score: 1

      You can't just take the password that resulted in successful login and rehash it, because the mapping is not injective.

      Yes, you can.... it will just make the other possible passwords invalid after next successful login.

      Then the user can request a password reset using the standard procedure, or sign up for a new account if necessary.

      Last I checked Amazon allows multiple accounts to exist with the same e-mail address and different passwords.

    12. Re:The UNIX crypt tool is not at fault by TheMidget · · Score: 1

      but I don't remember anything about it being case insensitive... Where did that come from?

      Probably some windows-head throwing in an extra toupper() before passing on the password to crypt().

      Problem is, even after fixing this for new passwords, they can't change it for old passwords, or they'll lock out old accounts for which they don't have the original capitalization...

    13. Re:The UNIX crypt tool is not at fault by hicham · · Score: 1

      of course! nothing the holy almighty unix does is wrong! unix can do no wrong! PS. this applies to linux too, although they're NOT UNIX (tm). however, if windows contained the unsecure LMHASH, it was microsofts fault to the bone! them fuken a55hats, not respecting our security needs!

    14. Re:The UNIX crypt tool is not at fault by kcitren · · Score: 1

      And then they have to use the lost password function that every website in existence has. The horror!

    15. Re:The UNIX crypt tool is not at fault by __aaxtnf2500 · · Score: 1

      Yeah it's a much better idea to lock the user's account out than to just conveniently allow them to change it.
      Why not just lock all the accounts?
      What is the point of allowing them to log in once and lock the account?
      Glad you don't develop for any systems I use.

    16. Re:The UNIX crypt tool is not at fault by Bill+Dog · · Score: 1

      But given that they didn't lose their password, it would look to them that Amazon did, which would not inspire confidence in placing future orders. So the "horror" is not in getting back into the system, but what the user would think of the system if this changeover was handled poorly.

      --
      Attention zealots and haters: 00100 00100
    17. Re:The UNIX crypt tool is not at fault by Phopojijo · · Score: 1

      Unless they typo either by case or too late in the password... didn't realize it... and the typo is considered your real password... and the time after they try to login they wonder why Amazon isn't letting them in.

      But yeah they could have easily *told* us upon login "change your password now as we've switched to a new encryption method".

    18. Re:The UNIX crypt tool is not at fault by aiht · · Score: 1

      Because *n?x sucks.

      Hey! You might want to tighten up your regexp there, pal!
      *waves a large trout menacingly*

      - Unhygienix

  2. Uhm... by Anonymous Coward · · Score: 5, Funny

    Is it supposed to show all of my passwords in the article? Or do you just see stars?

    1. Re:Uhm... by SpooForBrains · · Score: 3, Funny

      I see Hunter2

      --
      "The dew has clearly fallen with a particularly sickening thud this morning"
    2. Re:Uhm... by bhcompy · · Score: 1, Informative

      /oblig

      [Cthon98] hey, if you type in your pw, it will show as stars
      [Cthon98] ********* see!
      [AzureDiamond] hunter2
      [AzureDiamond] doesnt look like stars to me
      [Cthon98] [AzureDiamond] *******
      [Cthon98] thats what I see
      [AzureDiamond] oh, really?
      [Cthon98] Absolutely
      [AzureDiamond] you can go hunter2 my hunter2-ing hunter2
      [AzureDiamond] haha, does that look funny to you?
      [Cthon98] lol, yes. See, when YOU type hunter2, it shows to us as *******
      [AzureDiamond] thats neat, I didnt know IRC did that
      [Cthon98] yep, no matter how many times you type hunter2, it will show to us as *******
      [AzureDiamond] awesome!
      [AzureDiamond] wait, how do you know my pw?
      [Cthon98] er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
      [AzureDiamond] oh, ok.

    3. Re:Uhm... by lul_wat · · Score: 1

      Wow you must have the same password as them, I just see ********

      --
      Divide a cake by zero. Is it still a cake?
    4. Re:Uhm... by Z00L00K · · Score: 1

      What's this thread about? I only see *-s.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    5. Re:Uhm... by deek · · Score: 1

      http://bash.org/?244321

      While you're there, check out the top few hundred quotes. You will laugh, you will cry.

    6. Re:Uhm... by Quirkz · · Score: 1

      Those aren't stars. Read up on your Vonnegut. Particularly 'Breakfast of Champions.'

  3. Well I'll be damned.... by artor3 · · Score: 4, Insightful

    Just went to Amazon, typed in my passwords using all caps, and sure enough it logged me right in. I "changed" my password to the same thing it already was, and now the issue is fixed.

    1. Re:Well I'll be damned.... by bbqsrc · · Score: 3, Insightful

      Now they should consider implementing a 'set new password on next login' rule to rectify this before someone gets screwed over and is enraged.

      --
      Disagree != mod troll.
    2. Re:Well I'll be damned.... by tool462 · · Score: 1

      Ditto. But on the plus side, it did give me a reason to change my password to something much stronger than it used to be.

    3. Re:Well I'll be damned.... by roc97007 · · Score: 1

      Be damned. Same here. Exactly.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    4. Re:Well I'll be damned.... by KiloByte · · Score: 3, Insightful

      Or at the very least, update to a semi-modern hash on the next login, when the unhashed version will be known. Since they, like most web pages, don't use a challenge-response scheme but transmit the password as-is (at least over SSL, unlike Facebook's default), this is a trivial thing to do.

      Forcing a password change would bring some security, but they're too afraid to spook Mrs May-type users for that.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    5. Re:Well I'll be damned.... by HeronBlademaster · · Score: 1

      This is the solution Amazon will give you if you contact them about it. (The reasons this situation arose are, of course, historical. It's the sort of thing that can happen if you want to improve the way you store passwords, but don't want to prevent existing customers from logging in.)

      This issue only affects people who have not changed their account password for something like five years.

    6. Re:Well I'll be damned.... by AmberBlackCat · · Score: 1

      Or should we all buy a bunch of stuff and swear somebody else did it?

    7. Re:Well I'll be damned.... by mlts · · Score: 1

      This. There are still a lot of UNIX boxes out there which are still using crypt(3), so they are using 8 characters max. There are only two fixes that can be done on this:

      1: Force a password change to 8+ characters.
      2: Ask a challenge question, such as an address stored on the account, or credit card used.

    8. Re:Well I'll be damned.... by Skater · · Score: 1

      Here's what makes me wonder. I've been following this thread on thedailywtf.com about password stupidities, and someone in that list mentioned this very issue on 1/8. Now I see it on reddit and Slashdot...

    9. Re:Well I'll be damned.... by mysidia · · Score: 1

      You don't know the unhashed version for sure. What if there was a difference in capitalization, or a stray character appended to the end of a password?

      On first login you generate the strong hash and store it in an auxiliary database field.

      You store both the strong hash and the weak crypt() hash side by side; and on the second login you replace the old crypt() hash. Alternatively... you prompt them to enter a new password twice on the first login (which can be the same or different from the old one).

    10. Re:Well I'll be damned.... by Blig · · Score: 1

      Ditto. But on the plus side, it did give me a reason to change my password to something much stronger than it used to be.

      Agreed. Did so here too.

    11. Re:Well I'll be damned.... by LO0G · · Score: 1

      When Microsoft did essentially the same thing it was touted (and is still being touted) as being an example of why Microsoft doesn't get security.... Somehow it was inexcusable to make this mistake in 1987 (when the LM hash was invented) but it's "ok" to do it in 2011?

      Just sayin'

    12. Re:Well I'll be damned.... by HeronBlademaster · · Score: 1

      I didn't say it's ok to do ;) Besides, they fixed it. If you reset your password, the issue goes away. I don't really see what more you want.

    13. Re:Well I'll be damned.... by LO0G · · Score: 1

      I'm not commenting on Amazon's actions - they need to do more (proactively warning customers with really old passwords would be a good start) but it's good that the fix is easy.

      I was making a comment about the double standard implicit in the thread - there is a lot of "it's ok that Amazon screwed up here because it's easy to make such a mistake" attitude. On the other hand, 20+ years ago MSFT made essentially the same mistake (and fixed it 15+ years ago) and it's still being used as an example of why "Microsoft fundamentally doesn't get security".

      In hindsight, I probably shouldn't have picked on your comment to mention it - your response was in fact informative and if I had mod points (and I hadn't commented) I'd have modded it up.

    14. Re:Well I'll be damned.... by Bert64 · · Score: 1

      MS still don't get it, google for "pass the hash"... It doesn't matter how strong your password or encryption is if you can authenticate using the hash.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    15. Re:Well I'll be damned.... by JamesP · · Score: 1

      Yeah, I'm not sure how I can try that if my password is 12345678 I mean, I can't make it go caps...

      --
      how long until /. fixes commenting on Chrome?
    16. Re:Well I'll be damned.... by LO0G · · Score: 1

      Pass the hash - you mean the attack technique that Microsoft fixed in Windows 2000 with the addition of Kerberos? You're right that Microsoft didn't stop using the weak NTLM hashes until Windows Vista, but it's not like Microsoft hasn't offered a solution for over 10 years.

      If you want to pick on Microsoft for stupid security decisions, instead of pass the hash, why not pick on credential reflection attacks. They're a much better example of Microsoft being clueless (or more accurately, people who depended on integrated windows authentication being clueless, Microsoft included).

    17. Re:Well I'll be damned.... by TheMidget · · Score: 1

      You store both the strong hash and the weak crypt() hash side by side; and on the second login you replace the old crypt() hash.

      But only if the second login matches, obviously. Pretty smart.

      Alternatively... you prompt them to enter a new password twice on the first login (which can be the same or different from the old one).

      Would needlessly worry the users.
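The two-login migration mysidia sketches above (strong hash stored beside the crypt() hash, old hash replaced on the second login) with TheMidget's qualification (only if the second login reproduces the same string), written out as an added example. This is hypothetical demonstration code, not Amazon's; the legacy scheme is modelled as lower-casing plus the 8-character crypt(3) truncation inferred from the Wired variants, with a salted SHA-1 standing in for DES crypt() since Python no longer ships the crypt module.

```python
"""Two-login upgrade of legacy, lossy password hashes (demonstration only)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

LEGACY_MAX_LEN = 8  # traditional DES crypt(3) only looks at the first 8 chars


def legacy_normalize(password: str) -> str:
    """The lossy pre-processing the thread infers from the Wired variants:
    lower-casing (so 'PASSWORD' == 'password') followed by the crypt(3)
    truncation (so 'passwordpassword' == 'password1234' == 'password')."""
    return password.lower()[:LEGACY_MAX_LEN]


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for DES crypt(3) (assumption: Python has no crypt module any
    more). Only the normalization matters for this demonstration."""
    return hashlib.sha1(salt + legacy_normalize(password).encode()).digest()


def strong_hash(password: str, salt: bytes) -> bytes:
    """Case-sensitive, full-length, deliberately slow replacement hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Record:
    """One user's credential row: legacy hash plus optional strong/pending."""
    legacy_salt: bytes
    legacy: Optional[bytes]
    strong_salt: Optional[bytes] = None
    strong: Optional[bytes] = None
    pending_salt: Optional[bytes] = None
    pending: Optional[bytes] = None  # candidate awaiting a confirming login


def create_legacy_record(password: str) -> Record:
    """Simulates an account created years ago under the lossy scheme."""
    salt = secrets.token_bytes(2)  # crypt(3) salts were two characters
    return Record(legacy_salt=salt, legacy=legacy_hash(password, salt))


def _set_pending(rec: Record, attempt: str) -> None:
    """Record the exact string just typed as the candidate for promotion."""
    rec.pending_salt = secrets.token_bytes(16)
    rec.pending = strong_hash(attempt, rec.pending_salt)


def login(rec: Record, attempt: str) -> str:
    """Authenticate and opportunistically migrate.

    Returns 'denied', 'strong' (already migrated), 'pending' (legacy match,
    strong candidate recorded) or 'upgraded' (second identical login seen).
    """
    if rec.strong is not None:
        ok = hmac.compare_digest(rec.strong, strong_hash(attempt, rec.strong_salt))
        return "strong" if ok else "denied"

    if not hmac.compare_digest(rec.legacy, legacy_hash(attempt, rec.legacy_salt)):
        return "denied"

    # Legacy check passed, but legacy_normalize is not injective, so the exact
    # string typed is not yet trustworthy (caps lock, stray trailing chars).
    # Record it and wait for a second login to confirm it.
    if rec.pending is None:
        _set_pending(rec, attempt)
        return "pending"

    if hmac.compare_digest(rec.pending, strong_hash(attempt, rec.pending_salt)):
        # Same exact string on two separate logins: promote it and drop the
        # weak hash so the case/truncation variants stop working.
        rec.strong_salt, rec.strong = rec.pending_salt, rec.pending
        rec.legacy, rec.pending_salt, rec.pending = None, None, None
        return "upgraded"

    # A different variant this time: restart confirmation with the new
    # candidate instead of locking in whichever one was the typo.
    _set_pending(rec, attempt)
    return "pending"
```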

    18. Re:Well I'll be damned.... by mysidia · · Score: 1

      Would needlessly worry the users.

      It's not needless, since their password is stored insecurely.

      You can avoid worrying them by concisely explaining what it is about.

    19. Re:Well I'll be damned.... by Bert64 · · Score: 1

      They still use NTLM, that is their strongest hash type... Lanman is the even weaker one that was disabled by default in vista.

      Kerberos is only used in an active directory setup, and only seems to be used when a user logs in on a workstation to initially authenticate to the domain; it still seems to use ntlm for virtually everything else and I've never seen it configured differently.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    20. Re:Well I'll be damned.... by LO0G · · Score: 1

      Pass the hash is only relevant in single sign-on environments (because the hash is password equivalent). For Microsoft that means domain joined, and if you're domain joined you use Kerberos (unless you have legacy NT4 machines on your network, in which case you have bigger issues than pass-the-hash attacks).

      In non domain environments, each machine has its own account database. Since the pass-the-hash attacks all appear to require that you have full access to the account database, all you're doing is getting a hash for something that's only valid on the current machine and that you already can access.

    21. Re:Well I'll be damned.... by Bert64 · · Score: 1

      Then how do you configure systems which are part of a domain to only support kerberos? I've _NEVER_ seen a setup where hash passing didn't work..

      Also in 99% of cases, if you take the local hash from one workstation it works on all the others (built from the same image) anyway, though this is admittedly due to poor configuration.

      There really is no excuse for a hash to be usable as a password equivalent under any circumstances; this completely defeats the point of storing it hashed in the first place.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    22. Re:Well I'll be damned.... by LO0G · · Score: 1

      Your question stumped me, so I asked the experts. It turns out that it *is* possible to disable NTLM in Windows 7/Server 2008 R2 with the "Restrict NTLM" option. But my expert pointed out that enabling this option isn't sufficient to fix pass-the-hash attacks. It turns out that pass-the-hash attacks (or rather pass-the-tgt attacks) also can work against Kerberos, it's just that there aren't any tools available to mount them. But the attack works.

      Digging in deeper, the only reason Windows is considered vulnerable to pass-the-hash is that Windows is the only major OS where tools to automate pass-the-hash attacks are available. Every major OS out there is vulnerable to pass-the-hash attacks; the issue isn't unique to Microsoft (and thus the existence of pass-the-hash attacks is not because 'microsoft developers are clueless').

      One other thought: pass-the-hash attacks require that the local user be an administrator. If you want to defeat pass-the-hash attacks, don't allow your users to be local administrators. Microsoft's best practices have strongly recommended that users not run as administrators since well before Windows 2000. And to preempt your next question: you're right, Microsoft only made it possible for users to run as non-admins in Windows XP and even then it was challenging. It wasn't until Windows Vista that they enabled something that resembled standard-users as the default (which in turn forced software developers to change their applications so that they'll run as standard users).

    23. Re:Well I'll be damned.... by alexo · · Score: 1

      Just went to Amazon, typed in my passwords using all caps, and sure enough it logged me right in. I "changed" my password to the same thing it already was, and now the issue is fixed.

      While trying to do the same, I noticed that amazon.ca did not have this problem.

  4. Just tried it, and they're right by 93+Escort+Wagon · · Score: 1

    My password was generated using the built-in OS X password tool, so I don't have my Amazon password memorized. I looked it up in the Keychain, then changed all the lower-case letters to upper-case - Amazon let me log in.

    Guess I'd better change my password!

    --
    #DeleteChrome
  5. Not concerned at all. by Anonymous Coward · · Score: 1

    Luckily I am not affected. My password is 'p31men$!' and so even if there are capital variants, the use of numbers and symbols makes it very hard to crack. I am completely safe.

    1. Re:Not concerned at all. by Golddess · · Score: 1

      Your account name is your email address. While it may be true that there are more password variants than email address variants, there's still a heck of a lot of email address variants. You'd prolly have better luck just trying "password" on every single email address variant.

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
  6. So, despite knowing it was a problem... by RobbieThe1st · · Score: 1

    they obviously didn't care enough to: 1. Send out an email to all affected people AND/OR 2. Disable those people's passwords after a certain period of time, forcing them to use the forgot password link. I dunno... I personally value security over forcing a bunch of people to reset their passwords. SO WHAT if a few people complain? It's better that than people losing money over this. *sigh*

    1. Re:So, despite knowing it was a problem... by geekoid · · Score: 2

      I have an account and I don't care. Seriously, the threat here is only in the most technical case. In practicality it's not really a big deal.

      I don't think they should care about case anyways.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:So, despite knowing it was a problem... by rsborg · · Score: 4, Informative

      Can someone get down off their high horse long enough to explain just how this was a poor security practice on Amazon's part?

      Read the article... this isn't a huge flaw, just one that reduces the complexity of cracking an existing password.

      If someone manages to break into Amazon (or do an inside job), they could theoretically steal a LOT of passwords (mine was impacted prior to changing it just now) by downloading the database and running a simple rainbow table against it.... given that crypt limited the length to 8 and they case-insensitized the passwords, that's quite easy to crack even at 8 characters.

      Cracked password means likely 1 or more credit card numbers per account compromised, which is a decent pay-off.

      Furthermore there is the security issue of password re-use wherein an Amazon account would give an email address, and the attacker could try the email address of the account with the same password.

      --
      Make sure everyone's vote counts: Verified Voting
    3. Re:So, despite knowing it was a problem... by hawguy · · Score: 1

      Cracked password means likely 1 or more credit card numbers per account compromised, which is a decent pay-off.

      I don't see how a hacked account leads to a compromised credit card number. My full credit card number is not visible to me on Amazon, and if I try to ship an order to a new address, it asks for CC number again (or maybe just the card verification code).

      So the worst that could happen would be that someone would order 100 copies of Sarah Palin's book and have them shipped to my home address.

    4. Re:So, despite knowing it was a problem... by hawguy · · Score: 1

      When what you usually order is 100 vibrating butt plugs?

      Amazon sells the vibrating ones?! Wish I'd known that before my last order!

    5. Re:So, despite knowing it was a problem... by TheLink · · Score: 1

      It's not a big deal.

      The practice of stupid security questions is far worse, and seems to be about as common if not more.

      Those reduce the security for "normal" users more than passwords being case insensitive and truncated to 8 characters.

    6. Re:So, despite knowing it was a problem... by Cato · · Score: 1

      Mod parent up - grabbing the whole encrypted password list is often surprisingly easy with SQL injection attacks, unfortunately. This is also how some spammers get email addresses from any site that records them and has a suitable SQL injection vulnerability.

    7. Re:So, despite knowing it was a problem... by Bert64 · · Score: 1

      A rainbow table wouldn't be feasible against crypt() because the passwords are salted... Rainbow tables are typically used against hashes which do not use salts, like plain md5 (commonly used in webapps; modern unixes can use bsd-md5 which is salted), lanman/ntlm (as used by windows, lanman is deprecated) etc.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  7. Thankfully... by Junta · · Score: 4, Funny

    My password of hunter2 was not compromised.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Thankfully... by yanyan · · Score: 1

      Hey that's my password, you insensitive clod!

    2. Re:Thankfully... by smellotron · · Score: 3, Funny

      Hey that's my ********, you insensitive clod!

      What?

  8. Why exactly is this a problem? by Man+On+Pink+Corner · · Score: 4, Insightful

    Sure, it would make a dictionary attack easier, but it's not as if you can launch a dictionary attack against amazon.com without being shut down after the first n wrong guesses.

    It strikes me as a clever way to save the inevitable calls/emails to tech support ("Uh, I haven't logged in for like, 3 years, and now I can't remember my password.")

    What's the threat, exactly?

    1. Re:Why exactly is this a problem? by Timmmm · · Score: 1

      I discovered this years ago. I assumed it was deliberate to make logging in on phones easier...

      And I agree, I can't really see a situation where this matters.

    2. Re:Why exactly is this a problem? by Facegarden · · Score: 4, Informative

      Any time a system will accept multiple entries for one password, the number of guesses an intruder has to make goes down.

      This is generally considered bad.

      You should never allow bad logins just to make it easier for people to log in when they can't recall their password, that's the wrong way to do it. You should provide an easy way for them to reset their password, not reduce your security across the board (which means password reset mechanisms must be carefully designed as well).

      But this is bad for the same reason that simple passwords are bad. If you increase an attacker's chances of getting in by 0.01%, but you have 10,000,000 users, you've now put 1000 more people at risk.

      Simply put, you want passwords to be as secure as you can, limited by your users' ability to remember their password. And don't cater to the users who haven't logged in in 3 years, cater to the users who log in every day - keep things secure for them.

      Just imagine how many people might use their last name as a password, or their last name plus their birthday. Then if you know a user John Smith was born in 1967, you can guess "smith67", and if he uses: smith, Smith, SMITH, smith67, Smith67, or SMITH67, your single guess of smith67 will work for ALL SIX cases. Increasing an attacker's chances SIX fold is terrible.

      And for what it's worth, I'm blown away that this isn't perfectly clear to every single Slashdot reader.
      -Taylor

      --
      Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
    3. Re:Why exactly is this a problem? by MichaelSmith · · Score: 5, Funny

      Just this morning my wife said she had gone to the bank to open an account for our son and they told her this bank has accounts for five people with the same name. We thought his name was less common than that. I asked her why she thought that was a big deal and she said "you know, when you use your name as your password" and I said "what?".

    4. Re:Why exactly is this a problem? by Man+On+Pink+Corner · · Score: 1

      But this is bad for the same reason that simple passwords are bad. If you increase an attacker's chances of getting in by 0.01%, but you have 10,000,000 users, you've now put 1000 more people at risk.

      Statistics does not work that way. As long as we're making up numbers, I'll guess that 0.0001% of those 1000 users will ever have a "guess the password" attack launched against their account.

      This is an easy trap to fall into, admittedly. It usually comes up in pharmaceutical trials, where if you actually run the numbers on a new wonder drug, you discover it costs like $50,000,000 for every heart attack or stroke it prevents.

      Then if you know a user John Smith was born in 1967, you can guess "smith67", and if he uses: smith, Smith, SMITH, smith67, Smith67, or SMITH67, your single guess of smith67 will work for ALL SIX cases. Increasing an attacker's chances SIX fold is terrible.

      Weak password is weak. The actual odds of a successful attack are not affected significantly by a fuzzy match.

      I could see it making life easier for crackers if the whole database escapes into the wild, of course... but that's another case where the real weakness has nothing to do with the matching algorithm.

    5. Re:Why exactly is this a problem? by blibbo · · Score: 1

      I get your point, but you're exaggerating.

      Let's say the attacker could access 100% of accounts. If he can now access 100.01% of accounts, you've put 1000 more accounts at risk. Except those accounts don't exist. That's pretty preposterous, so try the math with 50% of accounts. Pretty sure it comes to less than 1000 people.

      Also Smith will not be the same as Smith67. Smithers would have been a better example. As per the article it's only after 8 characters that the passwords truncate.

    6. Re:Why exactly is this a problem? by yuhong · · Score: 1

      Yea, system compromises can and do happen, and a weak password hash is going to cause trouble in case of such a compromise.

    7. Re:Why exactly is this a problem? by noidentity · · Score: 1

      What do you mean, is it common for people to know your name?

      - Rumplestiltskin

    8. Re:Why exactly is this a problem? by rvw · · Score: 1

      Just this morning my wife said she had gone to the bank to open an account for our son and they told her this bank has accounts for five people with the same name. We thought his name was less common than that. I asked her why she thought that was a big deal and she said "you know, when you use your name as your password" and I said "what?".

      Well at least your wife is not known under five names.

  9. 5f4dcc3b5aa765d61d8327deb882cf99 by metalmaster · · Score: 3, Funny

    I think it's safe to say my password is safe

    1. Re:5f4dcc3b5aa765d61d8327deb882cf99 by sltd · · Score: 1

      Not anymore!

    2. Re:5f4dcc3b5aa765d61d8327deb882cf99 by Spykk · · Score: 1

      Don't you know that md5 isn't safe? You should use sha256 instead: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

    3. Re:5f4dcc3b5aa765d61d8327deb882cf99 by metalmaster · · Score: 1

      Aww... I guess you didn't see ****?

    4. Re:5f4dcc3b5aa765d61d8327deb882cf99 by Blig · · Score: 1

      > Don't you know that md5 isn't safe? You should use sha256 instead:

      Bah, amateurs! ROT13 is the most secure! (This is a joke of course. I'm stating this because I just know someone is going to take this post seriously, lol.)

    5. Re:5f4dcc3b5aa765d61d8327deb882cf99 by fnj · · Score: 1

      Sha256 is sissy. They have sha512 now.

    6. Re:5f4dcc3b5aa765d61d8327deb882cf99 by FragHARD · · Score: 1

      Nice !!! I use the same password, only in reverse because I think it is much more secure....

      --
      FragHARD or don't frag at all
    7. Re:5f4dcc3b5aa765d61d8327deb882cf99 by metalmaster · · Score: 1

      No no... if you want something that's completely secure you must go with 2ab96390c7dbe3439de74d0c9b0b1767. It's even better than *******

  10. it is like this for other sites too... by Anonymous Coward · · Score: 1

    Same with wellsfargo.com, and it's been like that for ages.

    1. Re:it is like this for other sites too... by iammani · · Score: 1

      Wow, I cannot believe that a bank would allow such lax passwords. I have a password with almost equal number of small caps and capital caps characters (typing it involves a lot of 'shift' key press and release). I guess I must have been a moron for creating a complicated password and remembering it!

  11. hat tip? by RichiH · · Score: 2

    Am I too old for knowing immediately what the root cause for this was?

    Shouldn't this even be considered basic knowledge for any advanced UNIX user?

    That was refreshing. Now get off my lawn.

    1. Re:hat tip? by geekoid · · Score: 1

      It should be considered basic knowledge for any UNIX programmer.

      It's pretty inexcusable.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:hat tip? by roc97007 · · Score: 2

      > Am I too old for knowing immediately what the root cause for this was?

      Yes.

      (Me too.)

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    3. Re:hat tip? by nickspoon · · Score: 1

      > Shouldn't this even be considered basic knowledge for any advanced UNIX user?

      Let's assume for the moment that I'm not - what is the flaw involved?

    4. Re:hat tip? by zippthorne · · Score: 1

      No, I'm pretty sure it was going through everyone's head. Something like, "What, are they using crypt()?!" followed by, "wait.. they actually are using crypt()? wtf?"

      --
      Can you be Even More Awesome?!
    5. Re:hat tip? by etwills · · Score: 1

      > Am I too old for knowing immediately what the root cause for this was?

      Sounds to me like you're just the right age for knowing what the root cause was!

  12. It's much worse than that by SpammersAreScum · · Score: 5, Interesting

    Wired seems to have missed the biggest problem, which was pointed out on reddit: the 8-character limit works both ways! If you set your password to be, say, "Password_8463!", as far as Amazon is concerned you just set it to the rather less secure "Password".

    1. Re:It's much worse than that by roc97007 · · Score: 1

      I think that was covered by the admission that Unix "crypt" was used. Unless it's just us old fogeys that remember that Unix passwords had an 8 character limit.

      Man, I feel old. I'm going to go home and yell at the kids playing in my yard.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    2. Re:It's much worse than that by mhaymo · · Score: 1

      I'm confused, I just tried logging in to Amazon using only the first 8 characters of my password. Didn't work. What am I missing?

    3. Re:It's much worse than that by SpammersAreScum · · Score: 1

      According to the article and summary, the problem only affects people that haven't changed their password "in a while". It's not clear when that cutoff date was.

    4. Re:It's much worse than that by Apocros · · Score: 1

      Actually, as far as amazon is concerned, you'd set it to "PASSWORD". Sort of a "tr '[a-z]' '[A-Z]' | crypt" thing.

      --
      "onward!" cried the copper man, little knowing brass corrupts...
    5. Re:It's much worse than that by SpammersAreScum · · Score: 1

      True. But I figured that aspect of the problem had already been covered adequately, and didn't want people to miss the point I was trying to make by including it here.

  13. Thanks. by pavon · · Score: 1

    Thanks for pointing that out. Based on the summary I would have ignored this issue as my password is strong enough even without case sensitivity.

    1. Re:Thanks. by Nimloth · · Score: 2

      Is your password hunter2_a1nO=$i! as well?

  14. Uh oh. by Leebert · · Score: 2

    My amazon.com password is a dictionary word I set in, like, 1997?

    Maybe it's time to change it.

  15. Re:Wow big story here... by MichaelSmith · · Score: 1

    Yeah, a couple of years ago an accountant where I work was helping me deal with a purchasing system we have. He asked me for my password so he could log on to my account. Apparently that's how things are done in his working environment. In my team we all have root access so we can su to any account, but nobody shares their password. su only gets you in the account once. root could be changed tomorrow. The same password could be used all over the place.

  16. passwordpassword by Arancaytar · · Score: 3, Funny

    I hear the site also accepts minor misspellings, anagrams, close synonyms and Cockney rhyming slang.

  17. Password hashes are one-way by yuhong · · Score: 3

    A password hash is a one-way function, which means that it is impossible to re-encode passwords stored using one hash using another hash. This means that the old password hash function must still be supported until all passwords are changed.

    1. Re:Password hashes are one-way by Confusador · · Score: 1

      As someone else points out, though, it is trivial to create a new hash for a password on the next successful login. To the extent that this should be an issue at all, it should only be affecting people who haven't logged in in the past several years, not all those who haven't changed their password.

    2. Re:Password hashes are one-way by YA_Python_dev · · Score: 1

      Amazon receives a new copy of my password every time I log in. It's over SSL but unhashed.

      --
      There's a hidden treasure in Python 3.x: __prepare__()
    3. Re:Password hashes are one-way by heypete · · Score: 1

      But what if the user mistyped their password that login? Then the next time they try to log in they might not be able to, then they might give up and go away and not place an order.

      Briefly store the user-supplied password until the authentication using the old method is successful, then use it to generate the new hashed password.

    4. Re:Password hashes are one-way by heypete · · Score: 1

      Er...that was supposed to be quoting the AC's text on the first line, but I borked it. Sorry.

    5. Re:Password hashes are one-way by pavon · · Score: 1

      The problem is that the old method is too lenient, and could accept the "wrong" password. For example, suppose the user logged in with caps lock on, and didn't realize it because it was successful (compared using the old hashing algorithm). The new hash would be generated using all caps, then when the user tried to log in later with caps lock off, it would fail even though he was using the same password as always. You would need to run both systems in parallel for some time and only eliminate the old hash after the new hash was successful several times in a row.
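    As an added example (not Amazon's code and not anything posted in this thread), here is a small Python model of two points made above: the truncation-plus-case-folding described in comment 12 and its replies collapses many distinct passwords into one accepted class, and the rehash-on-login migration discussed in this thread needs the caveat just raised, since the lenient old check can accept a variant, so the legacy hash should only be retired after the new hash has matched several logins in a row. The `legacy_hash` function is a constructed stand-in for the described behaviour (uppercase, first eight characters, unsalted SHA-256); it is not real crypt(3). `PROMOTE_AFTER`, `PBKDF2_ROUNDS`, `Account` and `login` are names and parameters chosen here for illustration.

```python
import hashlib
import hmac
import os

LEGACY_LIMIT = 8          # characters the legacy scheme looks at (per the thread)
PROMOTE_AFTER = 3         # assumption: consecutive exact matches before the legacy hash is dropped
PBKDF2_ROUNDS = 100_000   # assumption: any modern salted KDF would do here


def legacy_hash(password: str) -> str:
    """Constructed stand-in for the legacy scheme described in the thread:
    fold case, keep the first 8 characters, hash without a salt.
    NOT the real crypt(3) and NOT Amazon's code."""
    return hashlib.sha256(password[:LEGACY_LIMIT].upper().encode()).hexdigest()


def legacy_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(password), stored)


def modern_hash(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$dk_hex'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def modern_verify(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def accepted_variants(password: str, candidates) -> list:
    """Which candidate strings the legacy check accepts as equal to `password`.
    Lets a defender see how much of a password policy the scheme throws away."""
    stored = legacy_hash(password)
    return [c for c in candidates if legacy_verify(c, stored)]


class Account:
    """Credential record during migration: the legacy hash stays on file
    until the new hash has matched PROMOTE_AFTER logins in a row."""

    def __init__(self, password: str):
        self.legacy = legacy_hash(password)   # what an old account has stored
        self.modern = None                    # filled in on first login
        self.modern_hits = 0


def login(acct: Account, password: str) -> bool:
    """Authenticate and, as a side effect, migrate the stored hash."""
    if acct.legacy is None:
        # Migration finished: only the exact password is accepted now.
        return modern_verify(password, acct.modern)

    if not legacy_verify(password, acct.legacy):
        return False

    # The lenient legacy check passed, but this string may be a variant
    # (caps lock on, extra trailing characters). Track the new hash
    # separately and only trust it after repeated exact matches.
    if acct.modern is not None and modern_verify(password, acct.modern):
        acct.modern_hits += 1
    else:
        # First login, or a different string in the same legacy class:
        # start counting again from this exact string.
        acct.modern = modern_hash(password)
        acct.modern_hits = 1

    if acct.modern_hits >= PROMOTE_AFTER:
        acct.legacy = None   # retire the lenient hash
    return True


if __name__ == "__main__":
    # Constructed sample inputs, echoing the variants quoted in the summary.
    print(accepted_variants("Password", ["PASSWORD", "password1234", "Passw0rd"]))
    acct = Account("Password_8463!")
    print(login(acct, "PASSWORD"), login(acct, "Password_8463!"), acct.legacy is None)
```

    The migration keeps both hashes side by side: a login that the legacy check accepts but that differs from the string already hashed with the new scheme restarts the counter, so a caps-lock login cannot silently become the only password the account will take.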

  18. Entropy loss: 5bit by drolli · · Score: 1

    I don't care if you can append something to a password. Mathematically, accepting some additional input to a password is not bad - you can also type additional text.

    The only loss in entropy is that you don't have to guess where the user cut off something from known words. The worst case scenario would be if you make a dictionary attack, and the password is in the dictionary in a longer form: you don't have to send the right length. Assuming that the chosen pw must be longer than 8 characters and probably is shorter than 32 characters, this saves you *at most* 5 bits of entropy, probably less for most real world cases. Given that a good pw should have more than 40-48 bits of entropy, losing 5 bits won't hurt much.

    1. Re:Entropy loss: 5bit by drolli · · Score: 1

      Not enough that it matters anyway...

  19. Unix crypt by Bert64 · · Score: 1

    The old unix crypt function (using DES encryption) has always been case sensitive, although it is limited to 8 characters... If the password is case insensitive that sounds more like LANMAN, an old password hashing function used by older versions of windows (still enabled by default in 2003 and earlier).

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  20. Re:Amazon UK by danabnormal · · Score: 1

    Yup, mine accepted different case and elongated versions.

  21. Password change page not secure? by hazee · · Score: 1

    When you go to the password reset page on Amazon.co.uk, it doesn't appear to be a secure page. Maybe the "Save Changes" button submits via an https link, but I don't have time to go digging through the source code - that kinda defeats the whole point of the lock icon, etc, surely?

    In any case, the captcha image has been "loading" for about 5 minutes now - guess everyone's trying to change their passwords?

  22. eBay has this problem too by Tasha26 · · Score: 1

    I emailed them and got a useless cust.care reply that they will look into it. But nothing's been done, so "Abc1234" is the same as "abc1234" or "ABC1234." I use a 9-character password, not sure if these idiots use a system which only reads 6 chars!?

  23. This is hardly news... by FlipperPA · · Score: 1

    {crypt} has only ever supported eight characters. I've run into this on older Solaris systems for years. Move up to {ssha} already.

  24. This is messed up by ShAkE_a82 · · Score: 1

    I can verify that... I just logged into my account with all caps and numbers trailing at the end and always get logged in :S

  25. Charles Schwab has the same issue by heypete · · Score: 1

    I just recalled that Charles Schwab (a US stockbroker company) has an 8-character password limit.

    Guess what? They're also affected by the same issue.

    Crap.

  26. Re:Schwab, too by heypete · · Score: 1

    I just checked. Still happens there. I invest with Schwab, so this is a big deal to me.

    I changed my Amazon password (hooray for 32-character random strings generated by and stored with LastPass) and that seems to have resolved it, but Schwab won't let me do anything yet. Amazingly insecure.

  27. Follow Sourceforge's example by ace123 · · Score: 1

    I wonder how much outcry there would be if these companies reset all the old user account passwords like sourceforge just did.

    Hello,

    We recently experienced a directed attack on SourceForge infrastructure
    (http://sourceforge.net/blog/sourceforge-net-attack/) and so we are
    resetting all passwords in the sf.net database -- just in case. We're
    e-mailing all sf.net registered account holders to let you know about this
    change to your account.

    snip...

    So, as a proactive measure we've invalidated your SourceForge.net account
    password. To access the site again, you'll need to go through the email
    recovery process and choose a shiny new password:

    https://sourceforge.net/account/registration/recover.php

  28. Already fixed? by hesaigo999ca · · Score: 1

    I am sure this is already fixed, as Amazon is very quick to dish out updates to their websites when something is not right. I guess I would have to test mine.