Amazon password flaw

Creaky

Admin
Do you make sure your passwords are unique across sites? Do you make sure to use letters (both upper and lower case), numbers, and special symbols? Do you use passwords that are more than eight characters long? Well, all of that may have lulled you into a false sense of security at Amazon.com because, according to reddit.com, unless you have recently changed your password, most of the complexity has been removed.

The problem is with the way Amazon stores the password. The system first converts all of the letters to upper-case which makes “MyPaSsWd123” the same as “mypasswd123” or “MYPAsswd123.” Next, it strips off everything after the eighth character. What this means is that “MyPaSsWd123” is simply stored as “MYPASSWD” in Amazon’s systems. Knowing this information makes attacking the password a much easier task.

The issue is most likely due to the fact that Amazon was using an older crypt() function that takes only the first eight characters. This was common on UNIX servers where the username and password hash were stored in the /etc/passwd file. Newer implementations move the hash to a more secure location and allow longer passwords.

It appears that the fix is to simply log in to Amazon’s site and change your password. Users are reporting that this method allows for longer passwords of both upper and lower case letters. This works because new passwords are encrypted using new encryption processes, but instead of informing users of this change Amazon apparently simply moved legacy passwords into the new system.

Source: Neowin.net
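To make the effect of the described behaviour concrete, here is an added example (not code from the post, Amazon or Neowin) that models the upper-case-then-truncate-to-eight handling, measures how much of a password's keyspace survives it, and flags stored values in traditional DES crypt(3) format, the 13-character scheme the post suspects, for a forced reset. The sample hashes and the `looks_like_des_crypt` check are constructed for illustration and are not taken from Amazon's systems.

```python
import math
import string

LEGACY_MAX_LEN = 8  # traditional DES crypt(3) keys on the first 8 characters only
ALNUM = string.ascii_letters + string.digits  # 62-symbol alphabet used below


def legacy_normalize(password: str) -> str:
    """Model of the handling the post describes: fold the password to upper
    case, then keep only the first eight characters.  Letter case and anything
    past position 8 never reach the hash function."""
    return password.upper()[:LEGACY_MAX_LEN]


def collide_under_legacy(a: str, b: str) -> bool:
    """True when two different passwords would be stored identically."""
    return legacy_normalize(a) == legacy_normalize(b)


def keyspace(alphabet: str, length: int, legacy: bool) -> int:
    """Distinct stored values a verifier can tell apart for passwords of
    `length` drawn from `alphabet`.  Under the legacy rules the alphabet
    collapses to its case-folded symbols and the length caps at 8."""
    if legacy:
        symbols = len({c.upper() for c in alphabet})
        return symbols ** min(length, LEGACY_MAX_LEN)
    return len(alphabet) ** length


def bits_lost(alphabet: str, length: int) -> float:
    """Entropy (bits) a uniformly random password gives up to the legacy scheme."""
    return math.log2(keyspace(alphabet, length, False)) - math.log2(
        keyspace(alphabet, length, True))


_CRYPT_CHARS = set("./" + string.digits + string.ascii_letters)


def looks_like_des_crypt(stored: str) -> bool:
    """Migration check: traditional DES crypt(3) output is exactly 13 characters
    (2 salt + 11 hash) from the ./0-9A-Za-z set and has no '$id$' prefix.
    Accounts whose stored value matches should be forced through a reset."""
    return len(stored) == 13 and not stored.startswith("$") and set(stored) <= _CRYPT_CHARS


if __name__ == "__main__":
    print(legacy_normalize("MyPaSsWd123"))            # MYPASSWD, as in the post
    print(collide_under_legacy("MyPaSsWd123", "mypasswd123"))
    print(round(bits_lost(ALNUM, 11), 1), "bits lost for an 11-char alphanumeric password")
    # constructed sample records: one legacy-format hash, one modern '$6$' style value
    for user, h in [("alice", "abJnggxhB/yWI"), ("bob", "$6$saltsalt$notarealhash")]:
        print(user, "needs reset" if looks_like_des_crypt(h) else "ok")
```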

Silent

Graphic Designer
Glad I don't have an account on Amazon.com. Good article! Thanks for the heads up Creaky (and Neowin).