Slashdot Mirror


Amazon Flaw Lets Password Variants Through

Wired reports that it has confirmed a password flaw affecting some Amazon accounts. If your password hasn't been changed in a while ("the past several years"), it may be less secure than you'd like. As Wired explains, for these older accounts, "[...] if your password is 'Password,' Amazon.com will also let you log in with 'PASSWORD,' 'password,' 'passwordpassword,' and 'password1234.'" The article suggests that Amazon's use of the Unix crypt() tool may be at fault. (Hat tip to E. Maureen Foley for pointing this out.)

8 of 159 comments

  1. Uhm... by Anonymous Coward · Score: 5, Funny

    Is it supposed to show all of my passwords in the article? Or do you just see stars?

  2. Well I'll be damned.... by artor3 · Score: 4, Insightful

    Just went to Amazon, typed in my passwords using all caps, and sure enough it logged me right in. I "changed" my password to the same thing it already was, and now the issue is fixed.

  3. Thankfully... by Junta · Score: 4, Funny

    My password of hunter2 was not compromised.

    --
    XML is like violence. If it doesn't solve the problem, use more.

  4. Why exactly is this a problem? by Man+On+Pink+Corner · Score: 4, Insightful

    Sure, it would make a dictionary attack easier, but it's not as if you can launch a dictionary attack against amazon.com without being shut down after the first n wrong guesses.

    It strikes me as a clever way to save the inevitable calls/emails to tech support ("Uh, I haven't logged in for like, 3 years, and now I can't remember my password.")

    What's the threat, exactly?

    1. Re:Why exactly is this a problem? by Facegarden · Score: 4, Informative

      Any time a system will accept multiple entries for one password, the number of guesses an intruder has to make goes down.

      This is generally considered bad.

      You should never allow bad logins just to make it easier for people to log in when they can't recall their password; that's the wrong way to do it. You should provide an easy way for them to reset their password, not reduce your security across the board (which means password reset mechanisms must be carefully designed as well).

      But this is bad for the same reason that simple passwords are bad. If you increase an attacker's chances of getting in by 0.01%, but you have 10,000,000 users, you've now put 1000 more people at risk.

      Simply put, you want passwords to be as secure as you can, limited by your users' ability to remember their password. And don't cater to the users who haven't logged in in 3 years, cater to the users who log in every day - keep things secure for them.

      Just imagine how many people might use their last name as a password, or their last name plus their birthday. Then if you know a user John Smith was born in 1967, you can guess "smith67", and if he uses: smith, Smith, SMITH, smith67, Smith67, or SMITH67, your single guess of smith67 will work for ALL SIX cases. Increasing an attacker's chances SIX fold is terrible.

      And for what it's worth, I'm blown away that this isn't perfectly clear to every single Slashdot reader.
      -Taylor

      --
      Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?

    2. Re:Why exactly is this a problem? by MichaelSmith · Score: 5, Funny

      Just this morning my wife said she had gone to the bank to open an account for our son and they told her this bank has accounts for five people with the same name. We thought his name was less common than that. I asked her why she thought that was a big deal and she said "you know, when you use your name as your password" and I said what?

  5. It's much worse than that by SpammersAreScum · Score: 5, Interesting

    Wired seems to have missed the biggest problem, which was pointed out on reddit: the 8-character limit works both ways! If you set your password to be, say, "Password_8463!", as far as Amazon is concerned you just set it to the rather less secure "Password".

  6. Re:So, despite knowing it was a problem... by rsborg · Score: 4, Informative

    Can someone get down off their high horse long enough to explain just how this was a poor security practice on Amazon's part?

    Read the article... this isn't a huge flaw, just one that reduces the complexity of cracking an existing password.

    If someone manages to break into Amazon (or do an inside job), they could theoretically steal a LOT of passwords (mine was impacted prior to changing it just now) by downloading the database and running a simple rainbow table against it.... given that crypt limited the length to 8 and they case-insensitized the passwords, that's quite easy to crack even at 8 characters.

    Cracked password means likely 1 or more credit card numbers per account compromised, which is a decent pay-off.

    Furthermore there is the security issue of password re-use wherein an Amazon account would give an email address, and the attacker could try the email address of the account with the same password.

    --
    Make sure everyone's vote counts: Verified Voting
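As an added example (not code from Wired, Amazon or any poster in this thread), the following Python models the behaviour described in the summary and in comments 5 and 6: a legacy verifier that lower-cases the password and keeps only its first 8 bytes, next to a verifier over the full password, plus the re-hash-on-successful-login migration that comment 2 effectively triggered by "changing" a password to itself. The exact legacy normalisation is an assumption consistent with the reported symptoms, and SHA-256 stands in for DES crypt so the script runs on any current Python.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000
# Constructed guesses, taken from the variants the thread mentions plus one that should fail.
VARIANTS = ["PASSWORD", "password", "passwordpassword", "password1234",
            "Password_8463!", "pass"]

def legacy_normalise(password: str) -> bytes:
    # Modelled legacy behaviour (assumption): lower-case, then keep only the
    # first 8 bytes, as traditional DES crypt() ignores anything past the 8th.
    return password.lower().encode("utf-8")[:8]

def legacy_hash(password: str, salt: bytes) -> bytes:
    # SHA-256 is a stand-in for DES crypt; the property that matters here is
    # that everything after the 8th character never reaches the hash.
    return hashlib.sha256(salt + legacy_normalise(password)).digest()

def modern_hash(password: str, salt: bytes) -> bytes:
    # Full, case-preserved password through a slow KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

HASHERS = {"legacy": legacy_hash, "modern": modern_hash}

def make_record(password: str, scheme: str, salt: bytes = b"") -> dict:
    salt = salt or os.urandom(16)
    return {"scheme": scheme, "salt": salt, "hash": HASHERS[scheme](password, salt)}

def verify(record: dict, candidate: str) -> bool:
    computed = HASHERS[record["scheme"]](candidate, record["salt"])
    return hmac.compare_digest(computed, record["hash"])

def accepted_variants(record: dict, real: str) -> list:
    # Guesses other than the real password that the stored record accepts.
    return [v for v in VARIANTS if v != real and verify(record, v)]

def login_and_migrate(record: dict, candidate: str) -> tuple:
    # The fix the thread describes: a successful login against a legacy record
    # re-hashes whatever the user just typed under the modern scheme, so the
    # collapsed equivalence class disappears on the next login.
    if not verify(record, candidate):
        return False, record
    if record["scheme"] == "legacy":
        record = make_record(candidate, "modern")
    return True, record

def compare_schemes(real: str = "Password") -> dict:
    return {s: accepted_variants(make_record(real, s), real) for s in HASHERS}
```

Note that the migration hashes the candidate the user typed, which for a legacy record may itself be one of the accepted variants rather than the originally chosen password; a password-reset flow, as comment 1 of thread 4 recommends, avoids that ambiguity.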