Slashdot Mirror


Amazon Flaw Lets Password Variants Through

Wired reports that it has confirmed a password flaw affecting some Amazon accounts. If your password hasn't been changed in a while ("the past several years"), it may be less secure than you'd like. As Wired explains, for these older accounts, "[...] if your password is 'Password,' Amazon.com will also let you log in with 'PASSWORD,' 'password,' 'passwordpassword,' and 'password1234.'" The article suggests that Amazon's use of the Unix crypt() function may be at fault. (Hat tip to E. Maureen Foley for pointing this out.)

25 of 159 comments

  1. The UNIX crypt tool is not at fault by geekoid · · Score: 3, Insightful

    It's the cheap ass developers fault.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:The UNIX crypt tool is not at fault by Culture20 · · Score: 2

      Solaris nisplus has a history of only dealing with the first eight characters for passwords, but if this is true, it means they are running a _very_ old system.
      They might also be using single-DES. http://en.wikipedia.org/wiki/Crypt_(Unix)#Traditional_DES-based_scheme

    2. Re:The UNIX crypt tool is not at fault by mysidia · · Score: 2

      It's the cheap ass developers fault.

      And it continues to be their fault. They can fix this easily.

      Whenever a user logs in... check if their password is stored using crypt(). If it IS, then take the password they just used to login, and compute a stronger blowfish/salted md5 hash. Replace the crypted password with the strong hash.

      No reason they couldn't have done that when they first introduced stronger password hashing.

    3. Re:The UNIX crypt tool is not at fault by Bill+Dog · · Score: 3, Interesting

      If it IS, then take the password they just used to login,

      But if the problem with the system is that mixed-case and extra characters are allowed in the case of older passwords, what about users with 8-character passwords who log in right after your proposed change with caps lock accidentally down? Or accidentally hit another character-generating key while fumbling for the enter key?

      They'll be logged in. But not next time, because their password is not what they think it is. And even if they'd been entering it wrong for years, if they'd written down somewhere the correct one, they'd find that that also does not work. Much bewilderment and negative feelings about Amazon would ensue.

      --
      Attention zealots and haters: 00100 00100
    4. Re:The UNIX crypt tool is not at fault by mysidia · · Score: 3, Informative

      what about users with 8-character passwords who log in right after your proposed change with caps lock accidentally down

      Unix crypt() is NOT case-insensitive. If the Amazon passwords are case-insensitive due to crypt, then it is due to them converting the field to all lowercase or all uppercase before passing the input to crypt(). They could continue to do so, although case-insensitivity was inadvisable in the first place and would have painted them into a corner; however, they can still prompt the user to change their password after a successful login, and make the password change mandatory.

  2. Uhm... by Anonymous Coward · · Score: 5, Funny

    Is it supposed to show all of my passwords in the article? Or do you just see stars?

    1. Re:Uhm... by SpooForBrains · · Score: 3, Funny

      I see Hunter2

      --
      "The dew has clearly fallen with a particularly sickening thud this morning"
  3. Well I'll be damned.... by artor3 · · Score: 4, Insightful

    Just went to Amazon, typed in my passwords using all caps, and sure enough it logged me right in. I "changed" my password to the same thing it already was, and now the issue is fixed.

    1. Re:Well I'll be damned.... by bbqsrc · · Score: 3, Insightful

      Now they should consider implementing a 'set new password on next login' rule to rectify this before someone gets screwed over and is enraged.

      --
      Disagree != mod troll.
    2. Re:Well I'll be damned.... by KiloByte · · Score: 3, Insightful

      Or at the very least, update to a semi-modern hash on the next login, when the unhashed version will be known. Since they, like most web pages, don't use a challenge-response scheme but transmit the password as-is (at least over SSL, unlike Facebook's default), this is a trivial thing to do.

      Forcing a password change would bring some security, but they're too afraid to spook mrs May type users for that.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  4. Thankfully... by Junta · · Score: 4, Funny

    My password of hunter2 was not compromised.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Thankfully... by smellotron · · Score: 3, Funny

      Hey that's my ********, you insensitive clod!

      What?

  5. Why exactly is this a problem? by Man+On+Pink+Corner · · Score: 4, Insightful

    Sure, it would make a dictionary attack easier, but it's not as if you can launch a dictionary attack against amazon.com without being shut down after the first n wrong guesses.

    It strikes me as a clever way to save the inevitable calls/emails to tech support ("Uh, I haven't logged in for like, 3 years, and now I can't remember my password.")

    What's the threat, exactly?

    1. Re:Why exactly is this a problem? by Facegarden · · Score: 4, Informative

      Any time a system will accept multiple entries for one password, the number of guesses an intruder has to make goes down.

      This is generally considered bad.

      You should never allow bad logins just to make it easier for people to log in when they can't recall their password, that's the wrong way to do it. You should provide an easy way for them to reset their password, not reduce your security across the board (which means password reset mechanisms must be carefully designed as well).

      But this is bad for the same reason that simple passwords are bad. If you increase an attacker's chances of getting in by 0.01%, but you have 10,000,000 users, you've now put 1000 more people at risk.

      Simply put, you want passwords to be as secure as you can, limited by your users ability to remember their password. And don't cater to the users who haven't logged in in 3 years, cater to the users who log in every day - keep things secure for them.

      Just imagine how many people might use their last name as a password, or their last name plus their birthday. Then if you know a user John Smith was born in 1967, you can guess "smith67", and if he uses: smith, Smith, SMITH, smith67, Smith67, or SMITH67, your single guess of smith67 will work for ALL SIX cases. Increasing an attacker's chances SIX fold is terrible.

      And for what it's worth, I'm blown away that this isn't perfectly clear to every single Slashdot reader.
      -Taylor

      --
      Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
    2. Re:Why exactly is this a problem? by MichaelSmith · · Score: 5, Funny

      Just this morning my wife said she had gone to the bank to open an account for our son and they told her this bank has accounts for five people with the same name. We thought his name was less common than that. I asked her why she thought that was a big deal and she said "you know, when you use your name as your password" and I said, what?

  6. 5f4dcc3b5aa765d61d8327deb882cf99 by metalmaster · · Score: 3, Funny

    I think it's safe to say my password is safe

  7. Re:So, despite knowing it was a problem... by geekoid · · Score: 2

    I have an account and I don't care. Seriously the threat here is only in the most technical case. In practicality it's not really a big deal.

    I don't think they should care about case anyways.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  8. hat tip? by RichiH · · Score: 2

    Am I too old for knowing immediately what the root cause for this was?

    Shouldn't this even be considered basic knowledge for any advanced UNIX user?

    That was refreshing. Now get off my lawn.

    1. Re:hat tip? by roc97007 · · Score: 2

      > Am I too old for knowing immediately what the root cause for this was?

      Yes.

      (Me too.)

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  9. It's much worse than that by SpammersAreScum · · Score: 5, Interesting

    Wired seems to have missed the biggest problem, which was pointed out on reddit: the 8-character limit works both ways! If you set your password to be, say, "Password_8463!", as far as Amazon is concerned you just set it to the rather less secure "Password".

  10. Re:So, despite knowing it was a problem... by rsborg · · Score: 4, Informative

    Can someone get down off their high horse long enough to explain just how this was a poor security practice on Amazon's part?

    Read the article... this isn't a huge flaw, just one that reduces the complexity of cracking an existing password.

    If someone manages to break into Amazon (or do an inside job), they could theoretically steal a LOT of passwords (mine was impacted prior to changing it just now) by downloading the database and running a simple rainbow table against it.... given that crypt limited the length to 8 and they case-insensitized the passwords, that's quite easy to crack even at 8 characters.

    Cracked password means likely 1 or more credit card numbers per account compromised, which is a decent pay-off.

    Furthermore there is the security issue of password re-use wherein an Amazon account would give an email address, and the attacker could try the email address of the account with the same password.

    --
    Make sure everyone's vote counts: Verified Voting
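The two points above, SpammersAreScum's (the 8-character limit silently shortens a long password) and rsborg's (a stolen hash table of case-folded 8-character secrets is cheap to crack), are easy to see in code. The block below is an added example written for this page, not Amazon's code or Wired's: it models the legacy scheme as "lowercase, keep the first 8 characters, hash". The lowercasing step and the use of SHA-256 as a stand-in for DES crypt() are assumptions reconstructed from the thread, and the wordlist is constructed for the demonstration.

```python
"""Added example, not Amazon's code: model of the legacy scheme the thread
describes (case-folded, then truncated to crypt()'s 8 significant characters),
used to show which login attempts it accepts and how a long password collapses
to a short one that a small wordlist recovers. SHA-256 stands in for DES
crypt(); the lowercasing step is an assumption taken from the thread."""
import hashlib
import hmac
import math
from typing import Iterable, Optional, Tuple

LEGACY_LIMIT = 8  # traditional DES-based crypt() ignores everything past 8 chars


def legacy_normalize(password: str) -> str:
    """What the legacy scheme actually hashes: lowercase, first 8 characters."""
    return password.lower()[:LEGACY_LIMIT]


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for crypt(): hash the normalized form with a tiny salt."""
    return hashlib.sha256(salt + legacy_normalize(password).encode()).digest()


def legacy_accepts(stored: bytes, salt: bytes, attempt: str) -> bool:
    """Server-side check; constant-time compare as a matter of habit."""
    return hmac.compare_digest(legacy_hash(attempt, salt), stored)


def effective_secret(password: str) -> str:
    """The credential the server really protects: a user who sets
    'Password_8463!' has, as far as the server knows, set 'password'."""
    return legacy_normalize(password)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of candidates for a random password of this shape."""
    return length * math.log2(alphabet_size)


def collapse_bits(length: int) -> Tuple[float, float]:
    """Bits of search an attacker faces for a random printable-ASCII password
    of `length` before and after the legacy scheme: 95 printable characters,
    69 left once the 26 uppercase letters are folded into lowercase."""
    full = keyspace_bits(95, length)
    effective = keyspace_bits(95 - 26, min(length, LEGACY_LIMIT))
    return full, effective


def dictionary_attack(stored: bytes, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing over a stolen hash: returns any string that logs in."""
    for word in wordlist:
        if legacy_accepts(stored, salt, word):
            return word
    return None


if __name__ == "__main__":
    salt = b"Am"  # constructed; DES crypt() used a 12-bit salt
    stored = legacy_hash("Password_8463!", salt)
    # Every variant Wired listed for 'Password' is accepted for this hash
    for attempt in ("PASSWORD", "password", "passwordpassword", "password1234"):
        print(attempt, legacy_accepts(stored, salt, attempt))
    # Constructed wordlist: the 14-character password falls to its prefix
    print("cracked as:", dictionary_attack(stored, salt, ["letmein", "hunter2", "password", "qwerty"]))
    print("search bits before/after:", collapse_bits(14))
```

The `collapse_bits` figure is for a uniformly random password; real users do worse, which is why a four-word list is enough to crack the constructed example.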
  11. Uh oh. by Leebert · · Score: 2

    My amazon.com password is a dictionary word I set in, like, 1997?

    Maybe it's time to change it.

  12. Re:Thanks. by Nimloth · · Score: 2

    Is your password hunter2_a1nO=$i! as well?

  13. passwordpassword by Arancaytar · · Score: 3, Funny

    I hear the site also accepts minor misspellings, anagrams, close synonyms and Cockney rhyming slang.

  14. Password hashes are one-way by yuhong · · Score: 3

    A password hash is a one-way function, which means that it is impossible to re-encode passwords stored using one hash using another hash. This means that the old password hash function must still be supported until all passwords are changed.
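The migrate-on-login idea from mysidia (comment 1.2) and KiloByte (3.2), the caps-lock objection from Bill+Dog (1.3), mysidia's "force a change after a successful login" answer (1.4), and yuhong's point directly above (the old hash must keep being verified until it is replaced) all fit in one small model. The block below is an added example written for this page, not Amazon's code. Assumptions: the legacy scheme lowercases and keeps 8 characters and is modelled with SHA-256 rather than DES crypt(); the modern scheme is PBKDF2-HMAC-SHA256 from hashlib, standing in for bcrypt, scrypt or Argon2; the iteration count is illustrative.

```python
"""Added example, not Amazon's code: migrate-on-login next to the caps-lock
pitfall. Legacy = case-fold + 8 chars + hash (SHA-256 as a crypt() stand-in);
modern = PBKDF2-HMAC-SHA256 (stand-in for bcrypt/scrypt/Argon2)."""
import hashlib
import hmac
import os

LEGACY_LIMIT = 8
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


class Account:
    def __init__(self, username: str, scheme: str, salt: bytes, digest: bytes):
        self.username = username
        self.scheme = scheme        # "legacy" or "modern"
        self.salt = salt
        self.digest = digest
        self.must_change = False    # set when a lenient legacy login succeeded


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Reconstructed legacy behaviour: case-fold, keep 8 characters, hash
    return hashlib.sha256(salt + password.lower()[:LEGACY_LIMIT].encode()).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    # Full length, case-sensitive, salted, deliberately slow
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_legacy_account(username: str, password: str) -> Account:
    salt = os.urandom(2)  # DES crypt() used a 12-bit salt; two bytes is the stand-in
    return Account(username, "legacy", salt, legacy_hash(password, salt))


def verify(acct: Account, attempt: str) -> bool:
    """Hashes are one-way, so the legacy check has to stay until the stored
    value is replaced; which check runs is decided per account."""
    if acct.scheme == "legacy":
        candidate = legacy_hash(attempt, acct.salt)
    else:
        candidate = modern_hash(attempt, acct.salt)
    return hmac.compare_digest(candidate, acct.digest)


def set_password(acct: Account, new_password: str) -> None:
    """Explicit password change: always lands on the modern scheme."""
    acct.salt = os.urandom(16)
    acct.digest = modern_hash(new_password, acct.salt)
    acct.scheme = "modern"
    acct.must_change = False


def login_silent_upgrade(acct: Account, attempt: str) -> bool:
    """The proposal taken literally: whatever string the lenient legacy check
    accepted becomes the exact modern password, caps lock and typos included."""
    if not verify(acct, attempt):
        return False
    if acct.scheme == "legacy":
        set_password(acct, attempt)
    return True


def login_then_force_change(acct: Account, attempt: str) -> bool:
    """Safer variant: let this login through on the legacy check, flag the
    account, and make the user choose a new password before doing anything else."""
    if not verify(acct, attempt):
        return False
    if acct.scheme == "legacy":
        acct.must_change = True
    return True


if __name__ == "__main__":
    alice = create_legacy_account("alice", "password")
    login_silent_upgrade(alice, "PASSWORD")          # caps lock on; legacy accepts it
    print("alice's real password still works:", verify(alice, "password"))  # False
    bob = create_legacy_account("bob", "password")
    login_then_force_change(bob, "PASSWORD")
    print("bob must change:", bob.must_change, "; real password works:", verify(bob, "password"))
```

The difference between the two login functions is only where the new secret comes from: the user typing it on purpose, or the server guessing that one accepted string was the intended one.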