Bizarre Amazon Password Bug: Ignores Everything After 8th Character On Some Old Passwords

from the passwordblahblah dept

The folks over at Consumerist do a nice job summarizing a weird bug in some old Amazon passwords that was discovered and discussed on Reddit. For whatever reason, on some “older” passwords, Amazon apparently ignores anything past the 8th character in your password. That is, if your password was password123, anything that has those first eight letters — “password” — will work. So, just plain old “password.” Or “passwordblahblahblah.” Of course, this can make it much easier to crack certain Amazon passwords. In looking at why this happens, it sounds like Amazon used to use an old hashing technique that would truncate input to just 8 characters. At some point, Amazon caught up to modern technology and changed this, but for old passwords, it only had the hash for those first 8 characters, and had no way to recreate the “full” password. For users, the fix is just to update your old password, but for folks who have kept passwords that long, it seems like it may be difficult to get them to update their passwords without Amazon prompting them to do so.

Companies: amazon


Comments on “Bizarre Amazon Password Bug: Ignores Everything After 8th Character On Some Old Passwords”

Anonymous Coward says:

I always thought that was a feature.

I generate a hundred digit password and just paste it there and it takes what it needs.

But seriously what I really want is a QR-Code password generator, so I can generate a 1024 key in a second and then have the camera read it or drag and drop the image there, no need to remember long strings and you can generate them as often as you like is no problem.

codeslave (profile) says:

Not so weird

The standard Unix & Linux library function crypt() has always only used the first 8 letters of a password in its default implementation. If they were using this function and storing only the hashed password years ago, they’d have no way to convert them to more secure algorithms until someone changed their password. Amazon probably feels that they can’t force people to change their passwords without making users nervous that the company’s databases have been hacked. The easiest thing to do would have been to silently update the hashed password the next time someone logged in – after several months, all of the active accounts would have been updated.

Matt says:

Re: Not so weird

That wouldn’t work because it can only verify the first 8 characters of the password, so essentially what COULD happen is someone would type their password as they always do, let’s say their password is “password123” but they accidentally type “pasword124”. Amazon will only have the hash of the first 8 characters, so it will verify it has accepted, THEN, it will attempt to update the hash, but it will update with the wrong password because the user accidentally entered it incorrectly (which Amazon cannot verify with their current hash of only the first 8 chars), and the user may not have realized. Now, the user is locked out of their account.

So, I wouldn’t be surprised if they considered what you just mentioned, but that is one rather large issue with doing so.

codeslave (profile) says:

Re: Re: Not so weird

True, they couldn’t automatically update the password hash on the first success. They could keep track of all of the successful logins and eventually switch over after a certain number of successes. Then again, if it was 10 successful logins to convert someone over and they goofed on the 10th, they’d be locked out. So they’d have to store both the old style hash and the new one and compare both… at a certain point it would just be easier to tell the user, “you haven’t changed your password in X years, please do so now.”

john k. says:

it's actually not a bug

this “bug” has been there since amazon first opened for business. it’s an artifact of them using the decades-old unix crypt() programming function. see, it’s not your password that amazon stores. when you create your account and enter your first password, they hash it and store the hash.

if you don’t know what a hash is, think about it as scrambling the bits around in a specific way. that isn’t at all accurate but it conveys the gist.

the idea is that when you later enter your password to login, they hash it using the crypt() function and then compare the two hashes. if they match, then the password you entered to login is correct.

if you want to talk amazon password bugs, way back they used to let you change your password to “” (null). it would lock you out of your account. they fixed that when they started requiring a minimum password length.
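An added example (not from the article or any commenter) that models the hash-and-compare flow john k. describes and the "store both hashes" migration codeslave and Matt debate. The legacy function only reproduces crypt()'s 8-character truncation with a salted SHA-256 stand-in (real crypt() is DES-based); the PBKDF2 choice for the new hash is an assumption, not Amazon's.

```python
import hashlib
import hmac
import os

# Traditional crypt() looks at only the first 8 characters. This stand-in keeps
# that truncation but uses salted SHA-256 so the example runs stand-alone.
LEGACY_MAX = 8

def legacy_hash(password: str, salt: bytes) -> bytes:
    truncated = password[:LEGACY_MAX].encode()
    return hashlib.sha256(salt + truncated).digest()

def modern_hash(password: str, salt: bytes) -> bytes:
    # Full-length password through a slow KDF (PBKDF2 chosen here as an assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_legacy_record(password: str) -> dict:
    # Constructed account record: only the truncated legacy hash exists at first.
    salt = os.urandom(16)
    return {"salt": salt, "legacy": legacy_hash(password, salt), "modern": None}

def login(record: dict, attempt: str) -> bool:
    """Verify the attempt; migrate opportunistically but keep the legacy hash."""
    salt = record["salt"]
    if record["modern"] is not None and hmac.compare_digest(
        record["modern"], modern_hash(attempt, salt)
    ):
        return True
    if record["legacy"] is not None and hmac.compare_digest(
        record["legacy"], legacy_hash(attempt, salt)
    ):
        # The legacy check only proves the first 8 characters, so the captured
        # full string may have a mistyped tail. Record it as the modern hash,
        # but keep the legacy hash so a bad capture cannot lock the user out;
        # the next login that passes legacy simply recaptures the modern hash.
        record["modern"] = modern_hash(attempt, salt)
        return True
    return False

def set_password(record: dict, new_password: str) -> None:
    """Explicit reset: drop the legacy hash so only the full password works."""
    salt = os.urandom(16)
    record["salt"] = salt
    record["legacy"] = None
    record["modern"] = modern_hash(new_password, salt)
```

Until set_password runs, any string sharing the first 8 characters still logs in, which is why an opportunistic migration alone does not close the bug; only an explicit change by the user removes the truncated hash.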

Amanda Livingstone (user link) says:

Re: Amazon password reset CR*P

This has happened to me all year, password does not work, so you go through the rigmarole of the password reset, which is ok for the session, but then it won’t work for any subsequent sessions, so you go through this cr*p again.

Get tired of doing this, so call customer support, who make you go through the above cr*p all over again, only to say they don’t know what is happening!!!

