thewayne | Amazon Password Weakness

You're viewing

thewayne's journal
Create a Dreamwidth Account Learn More

Reload page in style: site light

Amazon apparently has/had a weakness when it came to storing older passwords that had not been changed in a while, and if your password was longer than eight characters, you could enter eight and then any random garbage and the system would log you in. If your account was vulnerable in this fashion, you could log in, change your password back to what it is, and you'll be OK.

I just tested my password, which is 14 characters long, and it was fine. I guess I created my account late enough that it was not affected.

http://www.wired.com/threatlevel/2011/01/amazon-password-problem/

Flat | Top-Level Comments Only

From:

silveradept

And for people with shorter passwords? Are they still secure-ish, or should they change them just in case?

From:

thewayne.livejournal.com

The flaw was based around a poor implementation. Internally, the passwords were converted to upper case, and any characters past the eighth were ignored. So if your password was 'PassWord123', entering 'password' or 'PASSWORD' would be treated as valid. Passwords shorter than eight would have the same weakness regarding case, but since they were not longer than eight, that part would not matter.

It seems to depend on when the password was created. The thing to do is to test your existing password and see if any upper case version will work. Personally, I won't use passwords that short, but some people have problems with longer passwords or more complex password methodologies.