Old Amazon Accounts at Risk Due to Security Flaw

Status
Not open for further replies.
And I wanted to buy from Amazon! Well, hope they resolve it before anything goes down. Would hate to see them fall with the hundreds of stolen passwords. Think of what would happen to THG if this happened.
 
So the first 8 characters of my password still work--it's just not case-sensitive. This isn't really a big deal, but Amazon should have notified users of a "change to password policy" that required all users to create a new password and allowed the previous password to be used.
 
I tried this flaw and it does not work on my current password, which I have not changed for quite some time.

A bigger security issue is the fact they still let you use a 4-character password.
 
[citation][nom]otacon72[/nom]I hope you're being sarcastic..if not you might want to read the article. It has nothing to do with stealing passwords. I use the same 10-digit alphanumeric with ASCII characters password for everything. Someone wants to try and crack that, be my guest.[/citation]

What, like the rogue admin of a site you use that stores passwords in clear text in their database?

Strong passwords are only strong if they are only used in one place.
 
Yes, VERY insecure...you just have to guess an 8-digit alphanumeric password, put simply...your chances are: 1 in 37^8...a very easy to crack pass...at 3,512,479,453,921 possibilities.

Considering the account gets locked when you try X times...it may take just a few gazillion years...VERY RISKY!
 
[citation][nom]gagaga[/nom]Strong passwords are only strong if they are only used in one place.[/citation]
So true. Everyone should keep a spare binder around with the hundreds of different username/passcode combinations. All alphanumeric with special characters. This isn't going to happen for the majority of society. At least the password isn't 123456.
----
Amazon should really send out an email telling people to update their passwords (if only to change them right back) just so the accounts get updated. The first 8 characters of a password should be strong anyway (if not, perhaps rethink your password!)
 
Just checked mine. Case sensitivity was not working (in that if I used the wrong case I could still get in), but I couldn't just add anything after the 8th character to get it to work. So not sure what gives there. After changing it, both case-sensitivity and 9+ characters appear to work securely.
 
Wow! Glad this was pointed out, and Amazon needs to send something out to all of its users. I just tried it and yep, case sensitivity doesn't matter and after the 8th character I can put whatever the heck I want in.
 
[citation][nom]ssddx[/nom]So true. Everyone should keep a spare binder around with the hundreds of different username/passcode combinations. All alphanumeric with special characters. This isn't going to happen for the majority of society. At least the password isn't 123456.----Amazon should really send out an email telling people to update their passwords (if only to change them right back) just so the accounts get updated. The first 8 characters of a password should be strong anyway (if not, perhaps rethink your password!)[/citation]

How did you know my password!! Now I'll have to come up with a new one, maybe 987654... oh wait..
 
There was a bug in many flavors of UNIX around 1990 such that only the first 8 characters of the login password were used. Complicating the matter was the fact that all of the characters in the {new password} and {confirmation new password} had to match in order to change the password, which gave the false impression that all of the characters of the {new password} were used.

Note that the text in the article says only 7 characters ("8th character forward") in one place, but 8 characters in other places. The pre-1990 bug meant the passwords were 8 characters maximum effective length. I can't tell if the new problem is 7 or 8 characters maximum effective length, but my guess is 8.
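The defect the posts in this thread describe (only the first 8 characters of the password are checked, and case is ignored) and the keyspace arithmetic from the earlier "37^8" post, as an added Python example that is not part of the thread and is not Amazon's or any UNIX vendor's code: a deliberately truncating verifier beside a full-length, salted one, plus the self-check a site operator could run against their own login routine to catch this class of bug. The scheme names, the `probe_verifier` helper and the sample password are assumptions made for the example.

```python
"""Model of a truncating, case-folding password check and a defender's probe for it.

Added example: the "legacy" scheme reproduces the behaviour the thread
describes (first 8 characters only, case ignored); it is a model, not the
real Amazon or UNIX crypt(3) implementation.
"""
import hashlib
import hmac
import math
import os

LEGACY_LIMIT = 8  # effective length the posters observed (assumption for the model)


def _digest(scheme: str, password: str, salt: bytes) -> bytes:
    """Return the stored digest for `password` under the given scheme."""
    if scheme == "legacy":
        # Defect modelled here: anything past character 8 is dropped and case is folded,
        # so "Correct-Horse42" and "correct-xyz" hash identically.
        effective = password[:LEGACY_LIMIT].lower().encode("utf-8")
        return hashlib.sha256(salt + effective).digest()
    if scheme == "full":
        # Hardened form: whole password, case preserved, salted slow hash (PBKDF2, stdlib).
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    raise ValueError(f"unknown scheme {scheme!r}")


def enroll(password: str, scheme: str = "full", salt: bytes = b""):
    """Create a credential record (scheme, salt, digest); a fresh random salt unless given."""
    salt = salt or os.urandom(16)
    return (scheme, salt, _digest(scheme, password, salt))


def verify(record, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    scheme, salt, digest = record
    return hmac.compare_digest(digest, _digest(scheme, candidate, salt))


def probe_verifier(record, password: str) -> dict:
    """Defender's self-check, mirroring what the posters tried by hand.

    Every entry should be False for a sound verifier; True means the routine
    accepts a password it must reject.
    """
    assert len(password) > LEGACY_LIMIT and password != password.swapcase()
    return {
        "case_insensitive": verify(record, password.swapcase()),
        "truncates_after_8": verify(record, password + "-anything-goes"),
        "prefix_only": verify(record, password[:LEGACY_LIMIT]),
    }


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords; the thread's 37^8 is keyspace(37, 8)."""
    return alphabet_size ** length


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Same quantity in bits, convenient for comparing the damage done by truncation."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    sample = "Correct-Horse42"  # constructed sample password, 15 mixed-case characters
    for scheme in ("legacy", "full"):
        rec = enroll(sample, scheme)
        print(scheme, probe_verifier(rec, sample))
    # A 12-char mixed-case alphanumeric password (62 symbols) collapses to at most
    # 36^8 under the legacy check: the user's extra effort buys nothing.
    print(f"{keyspace_bits(62, 12):.1f} bits -> {keyspace_bits(36, 8):.1f} bits effective")
    print("37^8 =", keyspace(37, 8))
```

Running the probe against the legacy scheme reports all three findings as True; against the full scheme all are False. The keyspace figures show why the posters' advice to make the first 8 characters strong is only a stopgap: a case-folding 8-character check caps the effective search space at 36^8 regardless of how long or mixed-case the real password is.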
 
Ah it's all over now I only have an 8 char password.

No wait. That's still fine with me, you only get a few misguesses. Sometime between now and 2014, when someone would actually randomly generate my password, I'll be sure to change it.
 
Amazon's stupid CAPTCHA doesn't load in Opera 11 (but lots of things broke in 11, stupid Opera). I had to go to I.E. to change my password, very annoying.

I use a common strong password, but customize it with something related to the site. For instance, my Tom's password might be ABcd#!123-TomsHW, while my Yahoo password might be ABcd#123yahoo! The strong part is easily remembered because I use it everywhere, while the weaker tail means you can't hack Tom's forums and then log into my email account. I remember the TOS from some shady forum site once that said that you gave the site permission to try to log into your email account using the email address you provided and the password you used for their site. Scared me straight, and I've used stronger and different passwords ever since.
 