[personal profile] thewayne
Amazon apparently has/had a weakness in how it stored older passwords that had not been changed in a while: if your password was longer than eight characters, you could enter the first eight characters followed by any random garbage and the system would log you in. If your account was vulnerable in this fashion, you could log in, change your password back to what it is, and you'll be OK.

I just tested my password, which is 14 characters long, and it was fine. I guess I created my account late enough that it was not affected.

http://www.wired.com/threatlevel/2011/01/amazon-password-problem/

Date: 2011-01-29 06:53 pm (UTC)
From: [identity profile] apostate-96.livejournal.com
This makes me glad that passwords for accounts I value have consistently been longer than 8 characters for some time now.

Date: 2011-01-30 11:23 pm (UTC)
From: [identity profile] neefsck.livejournal.com
I think this is a Solaris-related thing.
I used to butt up against it when I was a sysadmin many years ago.

The first 8 characters were the only ones that mattered, anything after that was just..well..useless. :)

I thought that had been long since fixed, and I'm sort of surprised to see Amazon still vulnerable to it..

Date: 2011-01-30 11:31 pm (UTC)
From: [identity profile] thewayne.livejournal.com
A friend of mine occasionally travels around the country doing unix installs. He found out that his servers had this bug. At one site, he had to log on and the local IT guy was standing there, so he typed in the password and then just started wailing on the keyboard while the local guy's jaw dropped, then hit Enter and the system logged him in.

The thing that I don't get is why don't they do a one-way hash, repeat the hash and compare to what's stored? You're not going to easily run a rainbow table against it, especially if you slap a seed or constant before/after the password.

Date: 2011-01-31 01:05 am (UTC)
From: [personal profile] silveradept
And for people with shorter passwords? Are they still secure-ish, or should they change them just in case?

Date: 2011-01-31 04:05 am (UTC)
From: [identity profile] thewayne.livejournal.com
The flaw was based around a poor implementation. Internally, the passwords were converted to upper case, and any characters past the eighth were ignored. So if your password was 'PassWord123', entering 'password' or 'PASSWORD' would be treated as valid. Passwords shorter than eight would have the same weakness regarding case, but since they were not longer than eight, that part would not matter.

It seems to depend on when the password was created. The thing to do is to test your existing password and see if any upper case version will work. Personally, I won't use passwords that short, but some people have problems with longer passwords or more complex password methodologies.
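The two behaviours discussed in this thread, the truncate-and-uppercase check described in the last comment and the salted one-way hash the earlier comment asks for, side by side as an added example. This is illustrative code written for this page, not Amazon's or Solaris's implementation; the legacy model uses an unsalted SHA-256 as a stand-in for whatever hash the real system used (the thread does not name it), and the hardened version uses PBKDF2-HMAC-SHA256 from Python's standard library. The sample password 'PassWord123' comes from the thread; the other attempts are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# --- Model of the weak scheme the thread describes (illustrative, not Amazon's code) ---

def legacy_normalize(password: str) -> str:
    """Upper-case the password and keep only the first eight characters.

    This is the normalisation step the thread describes: everything after the
    eighth character is silently discarded, and case is lost entirely.
    """
    return password.upper()[:8]


def legacy_hash(password: str) -> str:
    # Unsalted one-way hash of the normalised password. SHA-256 stands in for the
    # original algorithm, which the thread does not name.
    return hashlib.sha256(legacy_normalize(password).encode("utf-8")).hexdigest()


def legacy_verify(stored_hash: str, attempt: str) -> bool:
    # Constant-time compare so the demo does not add a timing side channel of its own.
    return hmac.compare_digest(stored_hash, legacy_hash(attempt))


# --- Hardened scheme: salted, iterated one-way hash over the full password ---

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended floor for PBKDF2-HMAC-SHA256


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Create the stored record for a password: random per-user salt plus digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def verify_record(record: Dict[str, object], attempt: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(record["digest"], digest)


def compare_schemes(real: str, attempts) -> Dict[str, Tuple[bool, bool]]:
    """For each attempt, return (accepted by legacy scheme, accepted by hardened scheme)."""
    legacy = legacy_hash(real)
    record = make_record(real)
    return {a: (legacy_verify(legacy, a), verify_record(record, a)) for a in attempts}


def demo() -> Dict[str, Tuple[bool, bool]]:
    # Password from the thread; the list of attempts is constructed for illustration.
    real = "PassWord123"
    attempts = [
        "PassWord123",            # the real password
        "password",               # wrong case, only eight characters
        "PASSWORD",               # upper case, only eight characters
        "PASSWORDxyz!!garbage",   # first eight right, then keyboard mashing
        "Password12",             # shares the first eight characters
        "passwor",                # seven characters: too short even for the weak check
    ]
    return compare_schemes(real, attempts)


if __name__ == "__main__":
    for attempt, (weak, strong) in demo().items():
        print(f"{attempt!r:26} legacy={weak!s:5} hardened={strong}")
```

Running the script shows every attempt that shares the first eight characters (ignoring case) being accepted by the legacy model and rejected by the hardened one; only the exact password passes both. The per-user salt is what defeats a precomputed rainbow table, and the iteration count is what makes guessing each candidate expensive.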
