by Mike Masnick
Thu, Jan 27th 2011 8:36pm
The folks over at Consumerist do a nice job summarizing a weird bug in some old Amazon passwords that was discovered and discussed on Reddit. For whatever reason, on some "older" passwords, Amazon apparently ignores anything past the 8th character in your password. That is, if your password was password123, anything that has those first eight letters -- "password" -- will work. So, just plain old "password." Or "passwordblahblahblah." Of course, this can make it much easier to crack certain Amazon passwords. In looking at why this happens, it sounds like Amazon used to use an old hashing technique that would truncate input to just 8 characters. At some point, Amazon caught up to modern technology and changed this, but for old passwords, it only had the hash for those first 8 characters, and had no way to recreate the "full" password. For users, the fix is just to update your old password, but for folks who have kept passwords that long, it seems like it may be difficult to get them to update their passwords without Amazon prompting them to do so.
If you liked this post, you may also be interested in...
- The MPAA Will Let Amazon Touch Its Stuff, But Only If It Agrees To A Ton Of Stipulations
- ISP Can't Figure Out How To Automate A Password Reset, But Is Happy To E-mail Your Password In Plain Text
- RIAA Asks BitTorrent Inc. To Block Infringing Content With A Hash Filter
- Authors Guilded, United, And Representing... Not Authors
- DailyDirt: Passwords Suck, But What's Better?