[Infowarrior] - Amazon.com Security Flaw Accepts Passwords That Are Close, But Not Exact

Richard Forno rforno at infowarrior.org
Fri Jan 28 18:39:23 CST 2011


Amazon.com Security Flaw Accepts Passwords That Are Close, But Not Exact

By Dylan Tweney, January 28, 2011, 3:56 pm

http://www.wired.com/threatlevel/2011/01/amazon-password-problem/

An Amazon.com security flaw allows some customers to log in with variations of their actual password that are close to, but not exactly, their real password.

The flaw lets Amazon accept as valid some passwords that have extra characters added on after the 8th character, and also makes the password case-insensitive.

For example, if your password is “Password,” Amazon.com will also let you log in with “PASSWORD,” “password,” “passwordpassword,” and “password12345.”

Wired has been able to confirm the flaw, which was first reported on Reddit. It appears to affect only older Amazon.com accounts, which have not had their passwords changed in the past several years.

Amazon did not respond to a request for comment.

Observers on Reddit speculate that Amazon was using the unix crypt() function to encrypt older passwords, in addition to converting them to uppercase, before storing them in its servers. While encrypting stored passwords is a wise idea, crypt() truncates longer passwords, discarding anything after the 8th character. (It’s also relatively easy to crack, as Gawker Media recently found out when its crypt()-encrypted database of user passwords was published by hackers.)[1]

Since newer passwords are not affected by the flaw, Amazon appears to have corrected the problem for new passwords — but without updating the older, stored passwords.

The fix is straightforward for those with older passwords: Simply log on to Amazon.com, and change your password. You can even then change your new password back to your old password, and you’ll magically be safer than you were before.

[1] This story originally misstated Gawker’s password security scheme. In fact, its passwords were stored using the same crypt() function mentioned in this story, and were only published after being decrypted by hackers.
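The behaviour described above (uppercasing plus an 8-character truncation before hashing) and the fix the article implies (rehashing old accounts under a scheme that keeps the full password) can be reproduced in a few lines. This is an added illustration, not Amazon's or Wired's code; SHA-256 stands in for crypt(3), the salt values and the PBKDF2 parameters are constructed for the example, and the real scheme is only speculated on in the story.

```python
import hashlib
import hmac
import os

# Legacy scheme, modelled on the Reddit speculation: uppercase the
# password, keep only the first 8 characters, then hash. SHA-256 is a
# stand-in for unix crypt(3); the case-folding and truncation are the point.
LEGACY_SALT = b"legacy-salt"  # constructed; would be per-user in practice

def legacy_normalize(password: str) -> str:
    return password.upper()[:8]

def legacy_hash(password: str) -> str:
    data = LEGACY_SALT + legacy_normalize(password).encode()
    return hashlib.sha256(data).hexdigest()

def legacy_verify(password: str, stored: str) -> bool:
    # "Password", "PASSWORD", "password12345" all normalize to "PASSWORD"
    return hmac.compare_digest(legacy_hash(password), stored)

# Replacement scheme: full password, per-user random salt, slow KDF.
def modern_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return "pbkdf2$" + salt.hex() + "$" + dk.hex()

def modern_verify(password: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

def verify_and_upgrade(password: str, stored: str) -> tuple:
    """Check a login against whichever scheme the stored value uses.
    On a successful legacy login, rehash under the modern scheme and
    return (True, new_stored) so the caller persists it. This is the
    migration step the article says was skipped for older accounts.
    Note the rehash binds the exact string typed at this login, variant
    or not, which is why the story recommends changing the password."""
    if stored.startswith("pbkdf2$"):
        return modern_verify(password, stored), stored
    if legacy_verify(password, stored):
        return True, modern_hash(password)
    return False, stored
```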

