Reader Comments (rss)

(Flattened / Threaded)

1.  

   

   Anonymous Coward, Jan 27th, 2011 @ 9:08pm

   
   

   I always thought that was a feature.
   
   I generate a hundred digit password and just paste it there and it takes what it needs.
   
   But seriously what I really want is a QR-Code password generator, so I can generate a 1024 key in a second and then have the camera read it or drag and drop the image there, no need to remember long strings and you can generate them as often as you like is no problem.

   [ reply to this | link to this | view in thread ]

2.  

   Not so weird

   

   codeslave (profile), Jan 27th, 2011 @ 9:36pm

   
   

   The standard Unix & Linux library function crypt() has always only used the first 8 letters of a password in its default implementation. If they were using this function and storing only the hashed password years ago, they'd have no way to convert them to more secure algorithms until someone changed their password. Amazon probably feels that they can't force people to change their passwords without making users nervous that the company's databases has been hacked. The easiest thing to do would have been to silently update the hashed password the next time someone logged in - after several months, all of the active accounts would have been updated.

   [ reply to this | link to this | view in thread ]

3.  

   

   Anonymous Coward, Jan 27th, 2011 @ 10:08pm

   
   

   SW Airlines had this going on for a while a few years ago. Don't know if it got reported.

   [ reply to this | link to this | view in thread ]

4.  

   

   MicroSourcing, Jan 27th, 2011 @ 10:13pm

   
   

   Amazon's really sneaky that way. The last thing they'd want if for their old password users to question the site's data security. Unless a drastic case of hacking happens, though, they're likely to keep mum on it.

   [ reply to this | link to this | view in thread ]

5.  

   

   Anonymous Coward, Jan 28th, 2011 @ 1:52am

   
   

   I imagine this occurs with regularity all across the net. Anyone who follows netsec is fairly aware "secure" is the exception rather than the rule.

   [ reply to this | link to this | view in thread ]

6.  

   

   Cynix, Jan 28th, 2011 @ 3:27am

   
   

   Yeah, I saw this problem on an old version of the Linux firewall, SmoothWall, years ago. Been fixed since I reported it to them.
   
   www.smoothwall.org

   [ reply to this | link to this | view in thread ]

7.  

   Re: Not so weird

   

   Matt, Jan 28th, 2011 @ 7:10am

   
   

   That wouldn't work because it can only verify the first 8 characters of the password, so essentially what COULD happen is someone would type their password as they always do, let's say their password is "password123" but they accidently type "pasword124". Amazon will only have the hash of the first 8 characters, so it will verify it has accepted, THEN, it will attempt to update the hash, but it will update with the wrong password because the user accidentally entered it incorrectly (which amazon cannot verify with their current hash of only the first 8-chars), and the user may not have realized. Now, the user is locked out of their account.
   
   So, I wouldn't be surprised if they considered what you just mentioned, but that is one rather large issue with doing so.

   [ reply to this | link to this | view in thread ]

8.  

   Re: Re: Not so weird

   

   Matt, Jan 28th, 2011 @ 7:15am

   
   

   Typo in my post "password124" *

   [ reply to this | link to this | view in thread ]

9.  

   Re: Re: Not so weird

   

   codeslave (profile), Jan 28th, 2011 @ 8:21am

   
   

   True, they couldn't automatically update the password hash on the first success. They could keep track of all of successful logins and eventually switch over after a certain number of successes. Then again, if it was 10 successful logins to convert someone other and they goofed on the 10th, they'd be locked out. So they'd have to store both the old style hash and the new one and compare both... at a certain point it would just be easier to tell the user, "you haven't changed your password in X years, please do so now."

   [ reply to this | link to this | view in thread ]

10.  

    Re: Re: Re: Not so weird

    

    Matt, Jan 28th, 2011 @ 9:02am

    
    

    I agree with you on your final thought, they should just ask users to change their passwords. :-/

    [ reply to this | link to this | view in thread ]

11.  

    it's actually not a bug

    

    john k., Jan 28th, 2011 @ 11:44am

    
    

    this "bug" has been there since amazon first opened for business. it's an artifact of them using the decades-old unix crypt() programming function. see, it's not your password that amazon stores. when you create your account and enter your first password, they hash it and store the hash.
    
    if you don't know what a hash it, think about it as scrambling the bits around in a specific way. that isn't at all accurate but it conveys the gist.
    
    the idea is that when you later enter your password to login, they hash it using the crypt() function and then compare the two hashes. if they match, then the password you entered to login is correct.
    
    if you want to talk amazon password bugs, way back they used to let you change your password to "" (null). it would lock you out of your account. they fixed that when they started requiring a minimum password length.

    [ reply to this | link to this | view in thread ]

12.  

    Re: Re: Re: Re: Not so weird

    

    monkyyy, Jan 29th, 2011 @ 1:04pm

    
    

    the public eye tends to prefer to not know

    [ reply to this | link to this | view in thread ]

13.  

    

    Terry Malcolm Mullane, Feb 5th, 2012 @ 1:49pm

    
    

    I'm so frustrated with Amazons mobile site. It tells me my pwd is wrong, let's me generate a pwd change link to my email, let's me think I'm changing g that password.... And then won't let me log in with the new pwd either.

    [ reply to this | link to this | view in thread ]

Add Your Comment