by Mike Masnick
Thu, Jan 27th 2011 8:36pm
The folks over at Consumerist do a nice job summarizing a weird bug in some old Amazon passwords that was discovered and discussed on Reddit. For whatever reason, on some "older" passwords, Amazon apparently ignores anything past the 8th character in your password. That is, if your password was password123, anything that has those first eight letters -- "password" -- will work. So, just plain old "password." Or "passwordblahblahblah." Of course, this can make it much easier to crack certain Amazon passwords. In looking at why this happens, it sounds like Amazon used to use an old hashing technique that would truncate input to just 8 characters. At some point, Amazon caught up to modern technology and changed this, but for old passwords, it only had the hash for those first 8 characters, and had no way to recreate the "full" password. For users, the fix is just to update your old password, but for folks who have kept passwords that long, it seems like it may be difficult to get them to update their passwords without Amazon prompting them to do so.
If you liked this post, you may also be interested in...
- Government Argues That Indefinite Solitary Confinement Perfectly Acceptable Punishment For Failing To Decrypt Devices
- Redaction Failure In FTC/Amazon Decision Inadvertently Allows Public To See Stuff It Should Have Been Able To See Anyway
- CNBC Asks Readers To Submit Their Password To Check Its Strength Into Exploitable Widget
- DailyDirt: Cheering For Mathletes
- The FBI Claims Failure To Guess Password Will Make Data 'Permanently Inaccessible,' Which Isn't True