Do you make sure your passwords are unique across sites? Do you make sure to use letters (both upper and lower case), numbers, and special symbols? Do you use passwords that are more than eight characters long? Well all of that may have lulled you into a false sense of security at Amazon.com because, according to reddit.com, unless you have recently changed your password most of the complexity has been removed.
The problem is with the way Amazon stores the password. The system first converts all of the letters to upper-case which makes “MyPaSsWd123” the same as “mypasswd123” or “MYPAsswd123.” Next, it strips off everything after the eighth character. What this means is that “MyPaSsWd123” is simply stored as “MYPASSWD” in Amazon’s systems. Knowing this information makes attacking the password a much easier task.
The issue is most likely due to the fact that Amazon was using an older crypt() function that takes only the first eight characters. This was common on UNIX servers where the username and password hash were stored in the /etc/passwd file. Newer implementations move the hash to a more secure location and allow longer passwords.
It appears that the fix is to simply login to Amazon’s site and change your password. Users are reporting that this method allows for longer passwords of both upper and lower case letters. This works because new passwords are encrypted using new encryption processes, but instead of informing users of this change Amazon apparently simply moved legacy passwords into the new system.
49 Comments - Add comment