by Mike Masnick
Thu, Jan 27th 2011 8:36pm
The folks over at Consumerist do a nice job summarizing a weird bug in some old Amazon passwords that was discovered and discussed on Reddit. For whatever reason, on some "older" passwords, Amazon apparently ignores anything past the 8th character in your password. That is, if your password was password123, anything that has those first eight letters -- "password" -- will work. So, just plain old "password." Or "passwordblahblahblah." Of course, this can make it much easier to crack certain Amazon passwords. In looking at why this happens, it sounds like Amazon used to use an old hashing technique that would truncate input to just 8 characters. At some point, Amazon caught up to modern technology and changed this, but for old passwords, it only had the hash for those first 8 characters, and had no way to recreate the "full" password. For users, the fix is just to update your old password, but for folks who have kept passwords that long, it seems like it may be difficult to get them to update their passwords without Amazon prompting them to do so.
If you liked this post, you may also be interested in...
- Canadian Law Enforcement Want Government To Force People To Turn Over Their Passwords
- Stupid Patent of the Month: Solocron Education Trolls With Password Patent
- Amazon, Cable Industry Molest The Definition Of Copyright In Ongoing Scuff Up Over Cable Box Reform
- Appeals Court Says That Sharing Passwords Can Violate Criminal Anti-Hacking Laws
- Techdirt Podcast Episode 78: What's Next For Online Video?