Old Amazon Accounts at Risk Due to Security Flaw

Status
Not open for further replies.

dogman_1234

Distinguished
Oct 31, 2009
171
0
18,630
0
And I wanted to buy from Amazon! Well, hope they resolve it before anything goes down. Would hate to see them fall with the hundreds of stolen passwords. Think of what would happen to THG if this happened.
 

dalauder

Distinguished
Aug 30, 2010
356
0
18,960
17
So my first 8 characters of my password still work--it's just not case sensitive. This isn't really a big deal, but Amazon should have notified users of a "change to password policy" that required all users to create a new password and allowed the previous password to be used.
 

endoftheline2

Distinguished
May 9, 2009
20
0
18,560
0
I tried this flaw and it does not work on my current password, which I have not changed for quite some time.

A bigger security issue, is the fact they still let you use a 4 character password.
 

gagaga

Distinguished
Jan 19, 2006
5
0
18,510
0
[citation][nom]otacon72[/nom]I hope you're being sarcastic..if not you might want to read the article. It has nothing to do about stealing passwords. I use the same 10 digit alphanumeric with ascii characters password for everything. Someone wants to try an crack that be my guest.[/citation]

What, like the rogue admin of a site you use that stores passwords in clear text in their database?

Strong passwords are only strong if they are only used in one place.
 

marcus_br

Distinguished
Jun 5, 2009
28
0
18,580
0
Yes, VERY insecure...you just have to guess a 8 digit alphanumeric password, put simply...your chances are: 1 in 37 exp 8...a very easy to crack pass...at 3.512.479.453.921 possibilities.

Considering the account gets locked when you try X times...it may take just a few gazillion years...VERY RISKY!
 

ssddx

Glorious
Moderator
[citation][nom]gagaga[/nom]Strong passwords are only strong if they are only used in one place.[/citation]
so true. everyone should keep a spare binder around with the hundreds of different username/passcode combinations. all alphanumeric with special characters. this isn't going to happen for the majority of society. at least the pasword isnt 123456.
----
amazon should really send out an email telling people to update their passwords (if only to change them right back) just so the accounts get updated. the first 8 characters of a password should be strong anyways (if not perhaps rethink your password!)
 

waikano

Distinguished
Feb 13, 2008
56
0
18,580
0
Just checked mine. Case sensitivity was not working (in that if I used the wrong case I could still get in), but I couldn't just add anything after the 8th character to get it to work. So not sure what gives there. After changing it, both case-sensitivity and 9+ characters appear to work securely.
 

Pawessum16

Distinguished
Nov 3, 2010
56
0
18,580
0
Wow! Glad this was pointed out and amazon needs to send something out to all of it's users. I just tried it and yep case sensitivity doesn't matter and after the 8th character I can put whatever the heck I want in.
 

geof2001

Distinguished
May 23, 2008
24
0
18,560
0
[citation][nom]ssddx[/nom]so true. everyone should keep a spare binder around with the hundreds of different username/passcode combinations. all alphanumeric with special characters. this isn't going to happen for the majority of society. at least the pasword isnt 123456.----amazon should really send out an email telling people to update their passwords (if only to change them right back) just so the accounts get updated. the first 8 characters of a password should be strong anyways (if not perhaps rethink your password!)[/citation]

How did you know my password!! Now i'll have to come up with a new one maybe 987654... oh wait..
 

mark0718

Distinguished
Jul 18, 2008
12
0
18,560
0
There was a bug in many flavors of UNIX around 1990 such that only the first 8
characters of the login password were used. Complicating the matter was the
fact the all of the characters in the {new password} and {confirmation new password}
had to match in order to change the password, which gave the false impression
that all of the characters of the {new password} were used.

Note that the text in the article says only 7 characters ("8th character forward") in one
place, but 8 characters in other places. The before 1990 bug meant the passwords
were 8 characters maximum effective length. I can't tell if the new problem
is 7 or 8 characters maximum effective length, but my guess is 8.
 

rhino13

Distinguished
Apr 17, 2009
256
0
18,930
0
Ah it's all over now I only have an 8 char password.

No wait. That's still fine with me, you only get a few misguesses sometime between now and 2014 when someone would actually randomly generate my password I'll be sure to change it.
 

hellwig

Distinguished
May 29, 2008
817
0
18,930
2
Amazon's stupid CAPTCHA doesn't load in Opera 11 (but lots of things broke in 11, stupid Opera). I had to go to I.E. to change my password, very annoying.

I use a common strong password, but customize it with something related to the site. For instance, my Tom's password might ABcd#!123-TomsHW, while my Yahoo password might be ABcd#123yahoo! The strong-part is easily remembered because I use it everywhere, while the weaker tail means you can't hack Tom's forums and then log into my email account. I remember the TOS from some shady forum site once that said that you gave the site permission to try to log into your email account using the email address you provided and the password you used for their site. Scared me straight, and I've used stronger and different passwords ever since.
 
Status
Not open for further replies.
Thread starter Similar threads Forum Replies Date
N Streaming Video & TVs 1
L Streaming Video & TVs 3
J Streaming Video & TVs 1
W Streaming Video & TVs 3
N Streaming Video & TVs 3
Ryanad98 Streaming Video & TVs 2
A Streaming Video & TVs 1
Marshall Honorof Streaming Video & TVs 0
H Streaming Video & TVs 1
Adom Streaming Video & TVs 2
J Streaming Video & TVs 1
J Streaming Video & TVs 6
T Streaming Video & TVs 1
T Streaming Video & TVs 1
R Streaming Video & TVs 5
D Streaming Video & TVs 6
R Streaming Video & TVs 0
B Streaming Video & TVs 1
M Streaming Video & TVs 2
D Streaming Video & TVs 2

ASK THE COMMUNITY