Amazon Password Weakness
Jan. 29th, 2011 08:51 am
Amazon apparently has/had a weakness when it came to storing older passwords that had not been changed in a while, and if your password was longer than eight characters, you could enter eight and then any random garbage and the system would log you in. If your account was vulnerable in this fashion, you could log in, change your password back to what it is, and you'll be OK.
I just tested my password, which is 14 characters long, and it was fine. I guess I created my account late enough that it was not affected.
http://www.wired.com/threatlevel/2011/01/amazon-password-problem/
no subject
Date: 2011-01-30 11:23 pm (UTC)
I used to butt up against it when I was a sysadmin many years ago.
The first 8 characters were the only ones that mattered, anything after that was just..well..useless. :)
I thought that had been long since fixed, and I'm sort of surprised to see Amazon still vulnerable to it..
no subject
Date: 2011-01-30 11:31 pm (UTC)
The thing that I don't get is why don't they do a one-way hash, repeat the hash and compare to what's stored? You're not going to easily run a rainbow table against it, especially if you slap a seed or constant before/after the password.
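The behaviour discussed in the post and comments, as an added example that is not from the original post or its commenters: a record stored under a scheme that only looks at the first eight characters, next to one stored as a salted one-way hash over the whole password, with the self-test the post describes. The truncating scheme, the record layout and all names here are assumptions for illustration; the page does not say how Amazon stored these passwords.

```python
import hashlib
import hmac
import os

LIMIT = 8  # only the first eight characters matter, as described in the post


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Constructed stand-in for a truncating scheme: input past LIMIT is dropped."""
    return hashlib.sha256(salt + password[:LIMIT].encode()).digest()


def full_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated one-way hash computed over the whole password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SCHEMES = {"legacy": legacy_hash, "full": full_hash}


def new_record(password: str, scheme: str) -> dict:
    """Store a password: a fresh random salt per record, never the password itself."""
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "hash": SCHEMES[scheme](password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Repeat the hash with the stored salt and compare in constant time."""
    expected = SCHEMES[record["scheme"]](candidate, record["salt"])
    return hmac.compare_digest(expected, record["hash"])


def accepts_truncated(record: dict, password: str) -> bool:
    """Self-test from the post: the first eight characters followed by garbage."""
    if len(password) <= LIMIT:
        return False  # nothing beyond eight characters, so the test says nothing
    probe = password[:LIMIT] + "#" + password[LIMIT:]  # always differs in length
    return verify(record, password) and verify(record, probe)


if __name__ == "__main__":
    pw = "correct-horse-14"  # constructed sample password
    old = new_record(pw, "legacy")
    print("old record accepts garbage suffix:", accepts_truncated(old, pw))
    changed = new_record(pw, "full")  # "change your password back to what it is"
    print("after password change:", accepts_truncated(changed, pw))
```

Re-storing the same password under the full-length scheme is what makes the garbage-suffix login stop working, which matches the post's advice to change the password back to itself.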