Amazon password flaw

Do you make sure your passwords are unique across sites? Do you make sure to use letters (both upper and lower case), numbers, and special symbols?  Do you use passwords that are more than eight characters long? Well all of that may have lulled you into a false sense of security at because, according to, unless you have recently changed your password most of the complexity has been removed.

The problem is with the way Amazon stores the password. The system first converts all of the letters to upper-case which makes “MyPaSsWd123” the same as “mypasswd123” or “MYPAsswd123.”  Next, it strips off everything after the eighth character. What this means is that “MyPaSsWd123” is simply stored as “MYPASSWD” in Amazon’s systems. Knowing this information makes attacking the password a much easier task.

The issue is most likely due to the fact that Amazon was using an older crypt() function that takes only the first eight characters. This was common on UNIX servers where the username and password hash were stored in the /etc/passwd file. Newer implementations move the hash to a more secure location and allow longer passwords.

It appears that the fix is to simply login to Amazon’s site and change your password. Users are reporting that this method allows for longer passwords of both upper and lower case letters. This works because new passwords are encrypted using new encryption processes, but instead of informing users of this change Amazon apparently simply moved legacy passwords into the new system.

Report a problem with article
Next Article

So, what's all this fuss about IPv4/6 anyway?

Previous Article

Review: Phantom isn't dead and this is their Lapboard

49 Comments - Add comment