Bizarre Amazon Password Bug: Ignores Everything After 8th Character On Some Old Passwords

from the passwordblahblah dept

The folks over at Consumerist do a nice job summarizing a weird bug in some old Amazon passwords that was discovered and discussed on Reddit. For whatever reason, on some "older" passwords, Amazon apparently ignores anything past the 8th character in your password. That is, if your password was password123, anything that starts with those first eight letters -- "password" -- will work. So, just plain old "password." Or "passwordblahblahblah." Of course, this can make it much easier to crack certain Amazon passwords. In looking at why this happens, it sounds like Amazon used to use an old hashing technique that truncated its input to just 8 characters. At some point, Amazon caught up to modern technology and changed this, but for old passwords it only had the hash of those first 8 characters, and had no way to recreate the "full" password. For users, the fix is simply to update the old password, but for folks who have kept the same password that long, it seems like it may be difficult to get them to update it without Amazon prompting them to do so.


Filed Under: bug, hash, passwords
Companies: amazon


Reader Comments



  • Anonymous Coward, 27 Jan 2011 @ 9:08pm

    I always thought that was a feature.

    I generate a hundred digit password and just paste it there and it takes what it needs.

    But seriously, what I really want is a QR-Code password generator, so I can generate a 1024 key in a second and then have the camera read it or drag and drop the image there; no need to remember long strings, and you can generate them as often as you like, no problem.

  • codeslave (profile), 27 Jan 2011 @ 9:36pm

    Not so weird

    The standard Unix & Linux library function crypt() has always only used the first 8 letters of a password in its default implementation. If they were using this function and storing only the hashed password years ago, they'd have no way to convert them to more secure algorithms until someone changed their password. Amazon probably feels that they can't force people to change their passwords without making users nervous that the company's databases have been hacked. The easiest thing to do would have been to silently update the hashed password the next time someone logged in - after several months, all of the active accounts would have been updated.

    • Matt, 28 Jan 2011 @ 7:10am

      Re: Not so weird

      That wouldn't work because it can only verify the first 8 characters of the password, so essentially what COULD happen is someone would type their password as they always do, let's say their password is "password123" but they accidentally type "pasword124". Amazon will only have the hash of the first 8 characters, so it will verify it as accepted, THEN it will attempt to update the hash, but it will update with the wrong password because the user accidentally entered it incorrectly (which Amazon cannot verify with their current hash of only the first 8 chars), and the user may not have realized. Now, the user is locked out of their account.

      So, I wouldn't be surprised if they considered what you just mentioned, but that is one rather large issue with doing so.

      • Matt, 28 Jan 2011 @ 7:15am

        Re: Re: Not so weird

        Typo in my post "password124" *

      • codeslave (profile), 28 Jan 2011 @ 8:21am

        Re: Re: Not so weird

        True, they couldn't automatically update the password hash on the first success. They could keep track of all successful logins and eventually switch over after a certain number of successes. Then again, if it took 10 successful logins to convert someone over and they goofed on the 10th, they'd be locked out. So they'd have to store both the old style hash and the new one and compare both... at a certain point it would just be easier to tell the user, "you haven't changed your password in X years, please do so now."

        • Matt, 28 Jan 2011 @ 9:02am

          Re: Re: Re: Not so weird

          I agree with you on your final thought, they should just ask users to change their passwords. :-/

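As an added example (not code from the article, from Amazon, or from any commenter), here is a Python implementation of the upgrade-on-login scheme the thread above debates: a legacy verifier that emulates crypt()'s 8-character truncation, a full-length modern hash, and a login routine that keeps the legacy hash until the modern one has verified on a later login, so the mistyped-tail lockout Matt describes cannot happen. The SHA-256 stand-in for DES crypt, the PBKDF2 choice, and the record layout are assumptions for illustration only.

```python
import hashlib
import hmac
import os

LEGACY_LIMIT = 8  # classic DES-based crypt(3) used only the first 8 password characters


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Emulates only the truncation of legacy crypt(): the digest sees just the
    first 8 characters. Assumption: real crypt(3) used DES, not SHA-256."""
    return hashlib.sha256(salt + password[:LEGACY_LIMIT].encode()).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Full-length, salted, iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_legacy(password: str, record: dict) -> bool:
    return hmac.compare_digest(legacy_hash(password, record["salt"]), record["legacy"])


def verify_modern(password: str, record: dict) -> bool:
    return hmac.compare_digest(modern_hash(password, record["salt"]), record["modern"])


def make_legacy_record(password: str, salt: bytes = b"") -> dict:
    """A stored credential as it looked before the migration: legacy hash only.
    (Constructed record layout, not Amazon's.)"""
    salt = salt or os.urandom(16)
    return {"salt": salt, "legacy": legacy_hash(password, salt), "modern": None}


def login(password: str, record: dict) -> bool:
    """Verify the password and upgrade the record in place.

    A successful legacy check derives a modern hash from the password just typed,
    but the legacy hash is kept until that modern hash verifies on a later login.
    A mistyped tail (invisible to the truncated hash) is therefore overwritten on
    the next correct login instead of locking the user out; once the modern hash
    has verified, the truncated hash is dropped and the 8-character weakness ends.
    """
    if record["modern"] is not None and verify_modern(password, record):
        record["legacy"] = None  # modern hash confirmed on a later login: drop the old one
        return True
    if record["legacy"] is not None and verify_legacy(password, record):
        record["modern"] = modern_hash(password, record["salt"])
        return True
    return False
```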
  • Anonymous Coward, 27 Jan 2011 @ 10:08pm

    SW Airlines had this going on for a while a few years ago. Don't know if it got reported.

  • MicroSourcing, 27 Jan 2011 @ 10:13pm

    Amazon's really sneaky that way. The last thing they'd want is for their old password users to question the site's data security. Unless a drastic case of hacking happens, though, they're likely to keep mum on it.

  • Anonymous Coward, 28 Jan 2011 @ 1:52am

    I imagine this occurs with regularity all across the net. Anyone who follows netsec is fairly aware "secure" is the exception rather than the rule.

  • Cynix, 28 Jan 2011 @ 3:27am

    Yeah, I saw this problem on an old version of the Linux firewall, SmoothWall, years ago. Been fixed since I reported it to them.

    www.smoothwall.org

  • john k., 28 Jan 2011 @ 11:44am

    it's actually not a bug

    this "bug" has been there since amazon first opened for business. it's an artifact of them using the decades-old unix crypt() programming function. see, it's not your password that amazon stores. when you create your account and enter your first password, they hash it and store the hash.

    if you don't know what a hash is, think about it as scrambling the bits around in a specific way. that isn't at all accurate but it conveys the gist.

    the idea is that when you later enter your password to login, they hash it using the crypt() function and then compare the two hashes. if they match, then the password you entered to login is correct.

    if you want to talk amazon password bugs, way back they used to let you change your password to "" (null). it would lock you out of your account. they fixed that when they started requiring a minimum password length.

  • Terry Malcolm Mullane, 5 Feb 2012 @ 1:49pm

    I'm so frustrated with Amazon's mobile site. It tells me my pwd is wrong, lets me generate a pwd change link to my email, lets me think I'm changing that password.... And then won't let me log in with the new pwd either.

    • Amanda Livingstone, 18 Dec 2012 @ 12:20pm

      Amazon password reset CR*P

      This has happened to me all year, password does not work, so you go through the rigmarole of the password reset, which is ok for the session, but then it won't work for any subsequent sessions, so you go through this cr*p again.

      Get tired of doing this, so call customer support, who make you go through the above cr*p all over again, only to say they don't know what is happening!!!

      ARGHHHHHH!!!!!!!!!!!!!!!!
