Bizarre Amazon Password Bug: Ignores Everything After 8th Character On Some Old Passwords
from the passwordblahblah dept
The folks over at Consumerist do a nice job summarizing a weird bug in some old Amazon passwords that was discovered and discussed on Reddit. For whatever reason, on some “older” passwords, Amazon apparently ignores anything past the 8th character in your password. That is, if your password was password123, anything that has those first eight letters — “password” — will work. So, just plain old “password.” Or “passwordblahblahblah.” Of course, this can make it much easier to crack certain Amazon passwords. In looking at why this happens, it sounds like Amazon used to use an old hashing technique that would truncate input to just 8 characters. At some point, Amazon caught up to modern technology and changed this, but for old passwords, it only had the hash for those first 8 characters, and had no way to recreate the “full” password. For users, the fix is just to update your old password, but for folks who have kept passwords that long, it seems like it may be difficult to get them to update their passwords without Amazon prompting them to do so.
Comments on “Bizarre Amazon Password Bug: Ignores Everything After 8th Character On Some Old Passwords”
I always thought that was a feature.
I generate a hundred digit password and just paste it there and it takes what it needs.
But seriously what I really want is a QR-Code password generator, so I can generate a 1024 key in a second and then have the camera read it or drag and drop the image there, no need to remember long strings and you can generate them as often as you like, no problem.
Not so weird
The standard Unix & Linux library function crypt() has always only used the first 8 letters of a password in its default implementation. If they were using this function and storing only the hashed password years ago, they’d have no way to convert them to more secure algorithms until someone changed their password. Amazon probably feels that they can’t force people to change their passwords without making users nervous that the company’s databases have been hacked. The easiest thing to do would have been to silently update the hashed password the next time someone logged in – after several months, all of the active accounts would have been updated.
Re: Not so weird
That wouldn’t work because it can only verify the first 8 characters of the password, so essentially what COULD happen is someone would type their password as they always do, let’s say their password is “password123” but they accidentally type “pasword124”. Amazon will only have the hash of the first 8 characters, so it will verify and accept it, THEN, it will attempt to update the hash, but it will update with the wrong password because the user accidentally entered it incorrectly (which Amazon cannot verify with their current hash of only the first 8 chars), and the user may not have realized. Now, the user is locked out of their account.
So, I wouldn’t be surprised if they considered what you just mentioned, but that is one rather large issue with doing so.
Re: Re: Not so weird
Typo in my post “password124” *
Re: Re: Not so weird
True, they couldn’t automatically update the password hash on the first success. They could keep track of all successful logins and eventually switch over after a certain number of successes. Then again, if it was 10 successful logins to convert someone over and they goofed on the 10th, they’d be locked out. So they’d have to store both the old style hash and the new one and compare both… at a certain point it would just be easier to tell the user, “you haven’t changed your password in X years, please do so now.”
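The migration scheme the two commenters above are working through (and the 8-character truncation the article describes), written out as an added example in Python; this is my own illustration, not Amazon's code or anything posted in the thread. `legacy_hash` is a constructed stand-in for an 8-character-truncating crypt(), `modern_hash`, `login` and `PROMOTE_AFTER` are names I chose, and the legacy hash is only retired once several consecutive logins agree on the full password, so a single typo like “pasword124” cannot be committed as the new credential.

```python
import hashlib
import hmac
import os

TRUNC = 8           # characters the legacy hash actually covers
PROMOTE_AFTER = 3   # consecutive agreeing full-password logins before switching (assumed policy)

def legacy_hash(password: str, salt: bytes) -> bytes:
    # Constructed stand-in for the old crypt(): everything past the 8th character is ignored.
    return hashlib.sha256(salt + password[:TRUNC].encode()).digest()

def modern_hash(password: str, salt: bytes) -> bytes:
    # Full-length, salted, slow hash for the migrated credential.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def legacy_account(password: str) -> dict:
    # Account as it would exist today: only the truncated legacy hash is on file.
    salt = os.urandom(16)
    return {"salt": salt, "legacy": legacy_hash(password, salt),
            "candidate": None, "streak": 0, "modern": None}

def login(record: dict, password: str) -> bool:
    salt = record["salt"]
    if record["modern"] is not None:
        # Migrated account: the full password is enforced from here on.
        return hmac.compare_digest(record["modern"], modern_hash(password, salt))
    if not hmac.compare_digest(record["legacy"], legacy_hash(password, salt)):
        return False
    # Legacy check passed, but only the first 8 characters were verified, so this
    # single entry cannot be trusted as the user's real password. Record the full
    # hash as a candidate and require it to repeat before it replaces the legacy hash.
    full = modern_hash(password, salt)
    if record["candidate"] is not None and hmac.compare_digest(record["candidate"], full):
        record["streak"] += 1
    else:
        record["candidate"], record["streak"] = full, 1   # a typo simply restarts the streak
    if record["streak"] >= PROMOTE_AFTER:
        record["modern"] = full
        record["legacy"] = record["candidate"] = None
        record["streak"] = 0
    return True
```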
Re: Re: Re: Not so weird
I agree with you on your final thought, they should just ask users to change their passwords. :-/
Re: Re: Re:2 Not so weird
the public eye tends to prefer to not know
SW Airlines had this going on for a while a few years ago. Don’t know if it got reported.
Amazon’s really sneaky that way. The last thing they’d want is for their old password users to question the site’s data security. Unless a drastic case of hacking happens, though, they’re likely to keep mum on it.
I imagine this occurs with regularity all across the net. Anyone who follows netsec is fairly aware “secure” is the exception rather than the rule.
Yeah, I saw this problem on an old version of the Linux firewall, SmoothWall, years ago. Been fixed since I reported it to them.
http://www.smoothwall.org
it's actually not a bug
this “bug” has been there since amazon first opened for business. it’s an artifact of them using the decades-old unix crypt() programming function. see, it’s not your password that amazon stores. when you create your account and enter your first password, they hash it and store the hash.
if you don’t know what a hash is, think about it as scrambling the bits around in a specific way. that isn’t at all accurate but it conveys the gist.
the idea is that when you later enter your password to login, they hash it using the crypt() function and then compare the two hashes. if they match, then the password you entered to login is correct.
if you want to talk amazon password bugs, way back they used to let you change your password to “” (null). it would lock you out of your account. they fixed that when they started requiring a minimum password length.
I’m so frustrated with Amazon’s mobile site. It tells me my pwd is wrong, lets me generate a pwd change link to my email, lets me think I’m changing that password…. And then won’t let me log in with the new pwd either.
Re: Amazon password reset CR*P
This has happened to me all year, password does not work, so you go through the rigmarole of the password reset, which is ok for the session, but then it won’t work for any subsequent sessions, so you go through this cr*p again.
Get tired of doing this, so call customer support, who make you go through the above cr*p all over again, only to say they don’t know what is happening!!!
ARGHHHHHH!!!!!!!!!!!!!!!!