thewayne: (Default)
The Wayne ([personal profile] thewayne) wrote2011-01-29 08:51 am
  • Add Memory
  • Share This Entry

Amazon Password Weakness

Amazon apparently has/had a weakness when it came to storing older passwords that had not been changed in a while, and if your password was longer than eight characters, you could enter eight and then any random garbage and the system would log you in. If your account was vulnerable in this fashion, you could log in, change your password back to what it is, and you'll be OK.

I just tested my password, which is 14 characters long, and it was fine. I guess I created my account late enough that it was not affected.

http://www.wired.com/threatlevel/2011/01/amazon-password-problem/
Flat | Top-Level Comments Only

[identity profile] apostate-96.livejournal.com 2011-01-29 06:53 pm (UTC)(link)
This makes me glad that passwords for accounts I value have consistently been longer than 8 characters for some time now.

[identity profile] neefsck.livejournal.com 2011-01-30 11:23 pm (UTC)(link)
I think this is a solaris related thing.
I used to but up against it when I was a sysadmin many year ago.

The first 8 characters were the only ones that mattered, anything after that was just..well..useless. :)

I thought that had been long since fixed, and I'm sort of surprised to see Amazon still vulnerable to it..

[identity profile] thewayne.livejournal.com 2011-01-30 11:31 pm (UTC)(link)
A friend of mine occasionally travels around the country doing unix installs. He found out that his servers had this bug. At one site, he had to log on and the local IT guy was standing there, so he typed in the password and then just started wailing on the keyboard while the local guy's jaw dropped, then hit and the system logged him in.

The thing that I don't get is why don't they do a one-way hash, repeat the hash and compare to what's stored? You're not going to easily run a rainbow table against it, especially if you slap a seed or constant before/after the password.
silveradept: A kodama with a trombone. The trombone is playing music, even though it is held in a rest position (Default)

[personal profile] silveradept 2011-01-31 01:05 am (UTC)(link)
And for people with shorter passwords? Are they still secure-ish, or should they change them just in case?

[identity profile] thewayne.livejournal.com 2011-01-31 04:05 am (UTC)(link)
The flaw was based around a poor implementation. Internally, the passwords were converted to upper case, and any characters past the eighth were ignored. So if your password was 'PassWord123', entering 'password' or 'PASSWORD' would be treated as valid. Passwords shorter than eight would have the same weakness regarding case, but since they were not longer than eight, that part would not matter.

It seems to depend on when the password was created. The thing to do is to test your existing password and see if any upper case version will work. Personally, I won't use passwords that short, but some people have problems with longer passwords or more complex password methodologies.
Flat | Top-Level Comments Only