Amazon security flaw lets you log in with wrong password

By on January 31, 2011, 3:08 PM
Reddit users have discovered a security flaw on Amazon that lets you access an older account with an incorrect password. Commenters speculate that Amazon used the Unix crypt() function to hash certain passwords, which means only the first eight characters of a password were taken into account. Additionally, it's believed that Amazon converted all the passwords to upper-case before storing them on its servers.

For example, say your password is "Superman". Amazon's login would accept "superman", "SuPeRmAn", "SUPERMANISCOOL", or "superman12345". Again, this supposedly only affects older passwords, but a precise timeframe isn't known. Two commenters claim their 2008 and 2009 accounts are affected, while others say they haven't changed their password in six years and everything is fine. For what it's worth, the flaw doesn't work on my 2004 account.

An Amazon employee posting on Reddit said the company is aware of the issue and it's being addressed. In the meantime, you can mitigate the problem by going through Amazon's password change procedure. Your "new" password can be identical to your old one, but it will be stored with improved security.
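To make the two reported defects concrete (upper-casing before hashing, and keeping only the first eight characters, as classic DES-based crypt(3) does), here is an added Python example that is not from the article and not Amazon's code. It reconstructs the lossy legacy scheme with an ordinary digest standing in for crypt(3), shows which of the article's sample passwords it accepts, and contrasts it with a salted PBKDF2 scheme plus the transparent upgrade-on-login that the "change your password" advice amounts to. The `legacy_*` and `modern_*` names, the record layout and the iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Legacy scheme as described in the article (reconstruction, not Amazon's code):
# the password was upper-cased and only the first eight characters mattered,
# the way classic DES-based crypt(3) ignores everything past byte eight.
LEGACY_MAX_LEN = 8


def legacy_normalize(password: str) -> str:
    """Reproduce the lossy preprocessing: upper-case, then keep eight characters."""
    return password.upper()[:LEGACY_MAX_LEN]


def legacy_hash(password: str) -> str:
    """Stand-in for crypt(3): an unsalted digest of the normalized password.
    SHA-256 is used so the example runs without the deprecated crypt module."""
    return hashlib.sha256(legacy_normalize(password).encode()).hexdigest()


def legacy_verify(stored: str, candidate: str) -> bool:
    return hmac.compare_digest(stored, legacy_hash(candidate))


# Hardened scheme: per-user random salt, slow KDF, no case folding, no truncation.
# Iteration count kept modest so the demo is quick; use a higher value in production.
PBKDF2_ITERATIONS = 200_000


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def modern_verify(stored: str, candidate: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(record: dict, candidate: str) -> bool:
    """Upgrade on login: if a legacy record verifies, rewrite it under the modern
    scheme. The exact string typed at that moment becomes the canonical password,
    since the legacy hash cannot tell which variant the user originally chose."""
    if record["scheme"] == "legacy":
        if not legacy_verify(record["hash"], candidate):
            return False
        record["scheme"] = "pbkdf2"
        record["hash"] = modern_hash(candidate)
        return True
    return modern_verify(record["hash"], candidate)


def accepted_variants(stored_hash: str, verify, variants) -> list:
    """Return the candidates a given scheme would accept for one stored hash."""
    return [v for v in variants if verify(stored_hash, v)]


# Constructed sample inputs: the article's variants plus one that should never match.
VARIANTS = ["Superman", "superman", "SuPeRmAn", "SUPERMANISCOOL",
            "superman12345", "Superwoman"]

if __name__ == "__main__":
    legacy = legacy_hash("Superman")
    print("legacy accepts:", accepted_variants(legacy, legacy_verify, VARIANTS))
    modern = modern_hash("Superman")
    print("modern accepts:", accepted_variants(modern, modern_verify, VARIANTS))
```

Under the legacy scheme every variant except "Superwoman" collides because they all normalize to "SUPERMAN"; under PBKDF2 only the exact string matches. The upgrade path also shows the one caveat of migrating at login time: whichever variant the user typed when the record was rewritten is the password from then on.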
