(Mis)Uses of Technology

by Mike Masnick

Filed Under:
bug, hash, passwords


Bizarre Amazon Password Bug: Ignores Everything After 8th Character On Some Old Passwords

from the passwordblahblah dept

The folks over at Consumerist do a nice job summarizing a weird bug in some old Amazon passwords that was discovered and discussed on Reddit. For whatever reason, on some "older" passwords, Amazon apparently ignores anything past the 8th character in your password. That is, if your password was password123, anything that has those first eight letters -- "password" -- will work. So, just plain old "password." Or "passwordblahblahblah." Of course, this can make it much easier to crack certain Amazon passwords. In looking at why this happens, it sounds like Amazon used to use an old hashing technique that would truncate input to just 8 characters. At some point, Amazon caught up to modern technology and changed this, but for old passwords, it only had the hash for those first 8 characters, and had no way to recreate the "full" password. For users, the fix is just to update your old password, but for folks who have kept passwords that long, it seems like it may be difficult to get them to update their passwords without Amazon prompting them to do so.

Reader Comments

  1. Anonymous Coward, Jan 27th, 2011 @ 9:08pm

    I always thought that was a feature.

    I generate a hundred digit password and just paste it there and it takes what it needs.

    But seriously, what I really want is a QR-Code password generator, so I can generate a 1024 key in a second and then have the camera read it or drag and drop the image there, no need to remember long strings, and you can generate them as often as you like, no problem.

  2. codeslave, Jan 27th, 2011 @ 9:36pm

    Not so weird

    The standard Unix & Linux library function crypt() has always only used the first 8 letters of a password in its default implementation. If they were using this function and storing only the hashed password years ago, they'd have no way to convert them to more secure algorithms until someone changed their password. Amazon probably feels that they can't force people to change their passwords without making users nervous that the company's databases have been hacked. The easiest thing to do would have been to silently update the hashed password the next time someone logged in - after several months, all of the active accounts would have been updated.

  3. Anonymous Coward, Jan 27th, 2011 @ 10:08pm

    SW Airlines had this going on for a while a few years ago. Don't know if it got reported.

  4. MicroSourcing, Jan 27th, 2011 @ 10:13pm

    Amazon's really sneaky that way. The last thing they'd want is for their old password users to question the site's data security. Unless a drastic case of hacking happens, though, they're likely to keep mum on it.

  5. Anonymous Coward, Jan 28th, 2011 @ 1:52am

    I imagine this occurs with regularity all across the net. Anyone who follows netsec is fairly aware "secure" is the exception rather than the rule.

  6. Cynix, Jan 28th, 2011 @ 3:27am

    Yeah, I saw this problem on an old version of the Linux firewall, SmoothWall, years ago. Been fixed since I reported it to them.


  7. Matt, Jan 28th, 2011 @ 7:10am

    Re: Not so weird

    That wouldn't work because it can only verify the first 8 characters of the password, so essentially what COULD happen is someone would type their password as they always do, let's say their password is "password123" but they accidentally type "pasword124". Amazon will only have the hash of the first 8 characters, so it will verify it as accepted, THEN, it will attempt to update the hash, but it will update with the wrong password because the user accidentally entered it incorrectly (which Amazon cannot verify with their current hash of only the first 8-chars), and the user may not have realized. Now, the user is locked out of their account.

    So, I wouldn't be surprised if they considered what you just mentioned, but that is one rather large issue with doing so.

  8. Matt, Jan 28th, 2011 @ 7:15am

    Re: Re: Not so weird

    Typo in my post "password124" *

  9. codeslave, Jan 28th, 2011 @ 8:21am

    Re: Re: Not so weird

    True, they couldn't automatically update the password hash on the first success. They could keep track of all of the successful logins and eventually switch over after a certain number of successes. Then again, if it was 10 successful logins to convert someone over and they goofed on the 10th, they'd be locked out. So they'd have to store both the old style hash and the new one and compare both... at a certain point it would just be easier to tell the user, "you haven't changed your password in X years, please do so now."

  10. Matt, Jan 28th, 2011 @ 9:02am

    Re: Re: Re: Not so weird

    I agree with you on your final thought, they should just ask users to change their passwords. :-/

  11. john k., Jan 28th, 2011 @ 11:44am

    it's actually not a bug

    this "bug" has been there since amazon first opened for business. it's an artifact of them using the decades-old unix crypt() programming function. see, it's not your password that amazon stores. when you create your account and enter your first password, they hash it and store the hash.

    if you don't know what a hash is, think about it as scrambling the bits around in a specific way. that isn't at all accurate but it conveys the gist.

    the idea is that when you later enter your password to login, they hash it using the crypt() function and then compare the two hashes. if they match, then the password you entered to login is correct.

    if you want to talk amazon password bugs, way back they used to let you change your password to "" (null). it would lock you out of your account. they fixed that when they started requiring a minimum password length.

  12. monkyyy, Jan 29th, 2011 @ 1:04pm

    Re: Re: Re: Re: Not so weird

    the public eye tends to prefer to not know

  13. Terry Malcolm Mullane, Feb 5th, 2012 @ 1:49pm

    I'm so frustrated with Amazon's mobile site. It tells me my pwd is wrong, lets me generate a pwd change link to my email, lets me think I'm changing that password.... And then won't let me log in with the new pwd either.

  14. Amanda Livingstone, Dec 18th, 2012 @ 12:20pm

    Amazon password reset CR*P

    This has happened to me all year, password does not work, so you go through the rigmarole of the password reset, which is ok for the session, but then it won't work for any subsequent sessions, so you go through this cr*p again.

    Get tired of doing this, so call customer support, who make you go through the above cr*p all over again, only to say they don't know what is happening!!!


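
The truncation described in the article, and the silent upgrade-on-login idea and lockout objection from the "Not so weird" comments above, as an added example (not code from Amazon, Techdirt or any commenter). Assumptions: the function names are hypothetical, and legacy_hash is a stand-in that truncates to 8 characters and uses SHA-256 in place of the real DES-based crypt().

```python
import hashlib, hmac, os

def legacy_hash(pw: str, salt: bytes) -> str:
    # Stand-in for the old truncating scheme (NOT real DES crypt): only pw[:8] is hashed.
    return "legacy$" + hashlib.sha256(salt + pw[:8].encode()).hexdigest()

def modern_hash(pw: str, salt: bytes) -> str:
    # The whole password goes through a slow KDF.
    return "pbkdf2$" + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()

def new_account(pw, scheme=legacy_hash):
    salt = os.urandom(16)
    return {"salt": salt, "hash": scheme(pw, salt), "must_change": False}

def verify(acct, pw):
    scheme = legacy_hash if acct["hash"].startswith("legacy$") else modern_hash
    return hmac.compare_digest(acct["hash"], scheme(pw, acct["salt"]))

def set_password(acct, pw):
    acct["salt"] = os.urandom(16)
    acct["hash"] = modern_hash(pw, acct["salt"])
    acct["must_change"] = False

def login_silent_upgrade(acct, pw):
    # Rehash on first success: trusts characters the legacy hash never checked.
    ok = verify(acct, pw)
    if ok and acct["hash"].startswith("legacy$"):
        set_password(acct, pw)
    return ok

def login_flag_for_change(acct, pw):
    # Keep the legacy hash and require an explicit password change instead.
    ok = verify(acct, pw)
    if ok and acct["hash"].startswith("legacy$"):
        acct["must_change"] = True
    return ok

def demo():
    a = new_account("password123")                 # constructed sample account
    truncated = [verify(a, p) for p in ("password", "passwordblahblah", "passwor")]
    login_silent_upgrade(a, "password124")         # typo past character 8 is accepted...
    locked_out = not verify(a, "password123")      # ...and the real password stops working
    b = new_account("password123")
    login_flag_for_change(b, "password124")
    flagged_still_ok = b["must_change"] and verify(b, "password123")
    set_password(b, "password123")                 # user completes the forced change
    return truncated, locked_out, flagged_still_ok, verify(b, "password124")

if __name__ == "__main__":
    print(demo())
```

The "legacy$" prefix also gives an operator a direct way to count how many stored hashes still use the truncating scheme.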
