Bizarre Amazon Password Bug: Ignores Everything After 8th Character On Some Old Passwords
from the passwordblahblah dept
The folks over at Consumerist do a nice job summarizing a weird bug in some old Amazon passwords that was discovered and discussed on Reddit. For whatever reason, on some "older" passwords, Amazon apparently ignores anything past the 8th character in your password. That is, if your password was password123, anything that starts with those first eight characters -- "password" -- will work: just plain old "password", or "passwordblahblahblah". Of course, this makes certain Amazon passwords much easier to crack, since only the first eight characters matter. In looking at why this happens, it sounds like Amazon used to use an old hashing technique that truncated its input to 8 characters. At some point, Amazon caught up to modern technology and changed this, but for old passwords it only had the hash of those first 8 characters and had no way to recreate the "full" password. For users, the fix is simply to update the old password, but for folks who have kept the same password that long, it may be difficult to get them to update it without Amazon prompting them to do so.
Reader Comments
I generate a hundred digit password and just paste it there and it takes what it needs.
But seriously, what I really want is a QR-code password generator, so I can generate a 1024 key in a second and then have the camera read it or drag and drop the image there; no need to remember long strings, and you can generate them as often as you like with no problem.
Not so weird
Re: Not so weird
So, I wouldn't be surprised if they considered what you just mentioned, but that is one rather large issue with doing so.
it's actually not a bug
if you don't know what a hash is, think about it as scrambling the bits around in a specific way. that isn't at all accurate, but it conveys the gist.
the idea is that when you later enter your password to login, they hash it using the crypt() function and then compare the two hashes. if they match, then the password you entered to login is correct.
if you want to talk amazon password bugs, way back they used to let you change your password to "" (null). it would lock you out of your account. they fixed that when they started requiring a minimum password length.
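The 8-character truncation the article describes, and the hash-then-compare login flow the comment above sketches, as an added illustration that is not code from the article, Amazon, or any commenter: a constructed stand-in for the legacy scheme (SHA-256 over only the first 8 characters, standing in for real crypt(3), which uses DES), a modern full-length hash, a verify step that re-hashes a legacy record the moment the full password is seen at login, and a helper listing accounts that still need a reset prompt. The function names, record layout and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed model of the legacy scheme: only the first 8 characters reach
# the hash, so "password123" and "passwordblahblah" verify identically.
# (Real crypt(3) is DES-based; only the truncation behaviour is modelled.)
LEGACY_PREFIX_LEN = 8


def legacy_hash(password: str, salt: bytes) -> str:
    truncated = password[:LEGACY_PREFIX_LEN].encode()
    return hashlib.sha256(salt + truncated).hexdigest()


def modern_hash(password: str, salt: bytes) -> str:
    # Full password, salted and iterated: no truncation (parameters assumed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()


def make_legacy_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "legacy", "salt": salt, "hash": legacy_hash(password, salt)}


def make_modern_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "modern", "salt": salt, "hash": modern_hash(password, salt)}


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login attempt; on success, upgrade a legacy record in place.
    The upgrade needs the full plaintext, which only exists at login time:
    that is exactly why the stored 8-char hash cannot be fixed offline."""
    if record["scheme"] == "legacy":
        expected = legacy_hash(password, record["salt"])
    else:
        expected = modern_hash(password, record["salt"])
    if not hmac.compare_digest(expected, record["hash"]):
        return False
    if record["scheme"] == "legacy":
        record.update(make_modern_record(password))
    return True


def legacy_accounts(records: dict) -> list:
    """Usernames still on the legacy scheme, i.e. those to prompt for a reset."""
    return sorted(u for u, r in records.items() if r["scheme"] == "legacy")
```

Until a legacy user logs in (or is prompted to reset), any string sharing the first 8 characters still passes; the listing helper is what drives the prompt.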
Amazon password reset CR*P
Get tired of doing this, so call customer support, who make you go through the above cr*p all over again, only to say they don't know what is happening!!!
ARGHHHHHH!!!!!!!!!!!!!!!!