Amazon password flaw

Do you make sure your passwords are unique across sites? Do you make sure to use letters (both upper and lower case), numbers, and special symbols? Do you use passwords that are more than eight characters long? Well, all of that may have lulled you into a false sense of security at Amazon.com because, according to reddit.com, unless you have recently changed your password, most of that complexity has been thrown away.

The problem is with the way Amazon stores the password. The system first converts all of the letters to upper case, which makes “MyPaSsWd123” the same as “mypasswd123” or “MYPAsswd123.” Next, it strips off everything after the eighth character. What this means is that “MyPaSsWd123” is simply stored as “MYPASSWD” in Amazon’s systems. Knowing this makes guessing the password a much easier task: case no longer matters, and only the first eight characters have to be right.

The issue is most likely due to the fact that Amazon was using an older crypt() function that uses only the first eight characters of the password. This was common on UNIX servers, where the username and password hash were stored in the /etc/passwd file. Newer implementations move the hash to a more secure location and allow longer passwords.

It appears that the fix is to simply log in to Amazon’s site and change your password. Users are reporting that this allows for longer passwords with both upper and lower case letters. This works because new passwords are hashed with a newer scheme, but instead of informing users of this change Amazon apparently simply moved legacy passwords into the new system unchanged.
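To make the article's point concrete, here is an added Python example (not Amazon's code, whose internals are not public): a stand-in for the legacy scheme that folds case and keeps eight characters, a salted PBKDF2 hash over the full password as the replacement, and a login-time check that upgrades a legacy record. The scheme names, record layout and work factor are assumptions.

```python
import hashlib
import hmac
import math
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for the replacement scheme

def legacy_normalize(password: str) -> str:
    """Mimic what the article describes: fold to upper case, keep the first 8 chars."""
    return password.upper()[:8]

def legacy_digest(password: str) -> str:
    # Stand-in for the old crypt()-style hash (constructed, not real crypt()): only the
    # normalized form is hashed, so every variant that normalizes the same way collides.
    return hashlib.sha256(legacy_normalize(password).encode()).hexdigest()

def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password; shows how much the legacy scheme discards.
    94 printable ASCII characters shrink to 68 once the 26 lower-case letters fold away."""
    return length * math.log2(alphabet_size)

def modern_hash(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2 over the full, case-preserved password (assumed record format)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${salt.hex()}${dk.hex()}"

def modern_verify(password: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)

def login_and_migrate(password: str, record: dict) -> bool:
    """Verify against whichever scheme the record uses; upgrade a legacy record on success.
    Caveat: the new hash covers exactly the string typed at login, so a user who logs in
    with the truncated, case-folded form keeps that weaker password until they change it."""
    if record["scheme"] == "legacy":
        if not hmac.compare_digest(legacy_digest(password), record["hash"]):
            return False
        record["scheme"], record["hash"] = "pbkdf2_sha256", modern_hash(password)
        return True
    return modern_verify(password, record["hash"])

if __name__ == "__main__":
    # Constructed inputs from the article: all four produce the same legacy value.
    print({legacy_digest(p) for p in ("MyPaSsWd123", "mypasswd123", "MYPAsswd123", "mypasswd")})
    print(keyspace_bits(12, 94), "bits before folding;", keyspace_bits(8, 68), "bits after")
```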

49 Comments


Yeah, but did you know it's quite difficult to order things even if you DID know the password?
If you want to deliver to a new address, amazon asks for a confirmation of the payment method, so they'd need my card which isn't available to them as they need the three numbers on the back.

Wow, quite scary, never changed my password in a few years as no need to. Just tried using capitals and it logged me in! I was shocked! As others have stated, first 8 chars doesn't seem to work ... password changed!

This might be a silly question, but does this affect all Amazon sites, not just amazon.com? I tried logging in to my amazon.co.uk account with just the first 8 characters and it didn't work...that said, I've just tried typing my password in all caps and it does work...interesting.

What do you guys think about a major US government contractor that stores federal agents' passwords in plain-text format in their database - a database that's openly accessible to all the 2000 to 3000 employees in the company?

Only using the first 8 characters doesn't work for me, but nor does all lowercase or all uppercase (it has to be case specific for me to login). But then I did recently change my password so that's probably why.

Didn't work, probably cos it was recently changed. I changed my password on 100+ sites since the Gawker exploit, and each one is now unique and put into LastPass. It was a big job to do but it's done.

After shortening my password to 8 characters, I was able to access my amazon account. Thanks for the heads up. I have since changed the password. Thanks goes out to LastPass for the ease of changing passwords.

Just tried it with my password which uses numbers, not real words, and upper and lower case characters. The first eight, all upper case, did NOT allow me to log in. However, entering my password without any of the special capitalization (In my test I used all lowercase), it let me log in.

Yay for keepass' auto expiring passwords, and the ridiculously complicated ones it creates for you at the click of a button

DARKFiB3R said,
Yay for keepass' auto expiring passwords, and the ridiculously complicated ones it creates for you at the click of a button

Agreed. I use Password Safe myself though, but they all do basically the same thing.

That's quite worrying.

What is weird, I've got two amazon accounts registered to the same email address.

If I use bob@gmail.com and password 2345, it shows up my account with half my orders.

If I use bob@gmail.com and password 6789, it shows up my account with the other half of my orders.

Has anyone heard of that before?

Yeah, I got that, too.

One account was closed, but I registered the e-mail again ...
Now the first one is reopened and I have the exact situation like yours.

Didn't work on my amazon account created in Jan 2005 (never changed the password). It does work typing the full password in any case, but not by just typing the first 8 characters.

ZakO said,
Didn't work on my amazon account created in Jan 2005 (never changed the password). It does work typing the full password in any case, but not by just typing the first 8 characters.

I can confirm this... seems that the p/w isn't case specific.

Matt Hardwick said,
OLD news....

And anyone who has changed their password in the last 2 or 3 years which I'd wager is most people is safe.

Most people never change passwords unless they have to. Trust me, on my work network everyone's username is the first letter of their first name followed by their last name, and their password is their initials. It has been since NT server, since no one in management will enforce a password policy.

Memnochxx said,
How'd they get my password!?
LOL They won't. It's just that the number of combinations for a dictionary attack has been reduced by a significant number. If your password matches any dictionary entry, then there is a higher likelihood of hitting it because they are trimmed to 8 characters and capitalized.

Ned said,
Is anyone actually able to confirm this by using the first 8 letters of your password uppercase?

Well, we only see it as stars since it's your password, but you see your password since it's your password

Ned said,
Is anyone actually able to confirm this by using the first 8 letters of your password uppercase?

All uppercase, yes I could log in, 1st 8 characters, no.

Ned said,
Is anyone actually able to confirm this by using the first 8 letters of your password uppercase?
I can only use my password the way it was typed (any variation on case or length doesn't work), but I changed my password just a few months ago, so...

dave164 said,
I trimmed my down to 8 chars when entering it but I can't login..

I just tried the first 8 of mine, no go either

ehm, my password shortened down to 8 characters and all upper case worked....wtf
Oh well, not that it matters, it's too unique even at 8 characters...but it does make you wonder how many other sites do this?

episode said,
Well according to this article, blue1126 would also work. Try it and report back.

bah meant to reply to Brandon

Didn't work, but typing in all caps or all lower case did work.
I still needed the full password

Huh?

My amazon password has been something along the lines of Blue112653whale since I opened my account 3-4 years ago....

Brandon said,
Huh?

My amazon password has been something along the lines of Blue112653whale since I opened my account 3-4 years ago....

What it means is that you can login to Amazon with a password like "blue1126" if your password is set to "Blue112653whale". Tested it with my account, and confirmed.

Brandon said,
Huh?
My amazon password has been something along the lines of Blue112653whale since I opened my account 3-4 years ago....

I can confirm that "blue1126" works as your password, even "BLUE1126" or "bLuE1126". Thanks also for the new LCD 3D TV set I just ordered using your account...

vacs said,

I can confirm that "blue1126" works as your password, even "BLUE1126" or "bLuE1126". Thanks also for the new LCD 3D TV set I just ordered using your account...

No problem. Glad it wasn't my account since that isn't my password (even remotely close)

I've come across banking sites that allow for the same thing. I believe the now defunct MS Money used case insensitive passwords. For sites like Amazon I'm not that worried... it's when big banks use these where you start to wonder why they aren't using better practice.

Chasethebase said,
What is it recently with every site having security flaws. >_>

Sites are not getting any worse - it's the crackers who improve.
On a side note, how did that information arise? Was it a trial-and-error discovery, or an internal leak?

Chasethebase said,
What is it recently with every site having security flaws. >_>

It's just been discovered. The flaw was always there.