by Mike Masnick
Thu, Jan 27th 2011 8:36pm
The folks over at Consumerist do a nice job summarizing a weird bug in some old Amazon passwords that was discovered and discussed on Reddit. For whatever reason, on some "older" passwords, Amazon apparently ignores anything past the 8th character in your password. That is, if your password was password123, anything that has those first eight letters -- "password" -- will work. So, just plain old "password." Or "passwordblahblahblah." Of course, this can make it much easier to crack certain Amazon passwords. In looking at why this happens, it sounds like Amazon used to use an old hashing technique that would truncate input to just 8 characters. At some point, Amazon caught up to modern technology and changed this, but for old passwords, it only had the hash for those first 8 characters, and had no way to recreate the "full" password. For users, the fix is just to update your old password, but for folks who have kept passwords that long, it seems like it may be difficult to get them to update their passwords without Amazon prompting them to do so.
If you liked this post, you may also be interested in...
- ...And Here Come The Device-Restricted Music Subscriptions
- Techdirt Podcast Episode 92: Passwords Suck; What's Next?
- New California Law Attempts To Fight Hollywood Ageism By Censoring Third-Party Websites
- Another Bad EU Ruling: WiFi Providers Can Be Forced To Require Passwords If Copyright Holders Demand It
- UK Politician's Campaign Staff Tweets Out Picture Of Login And Password To Phones During Campaign Phone Jam