
Amazon Flaw Lets Password Variants Through

timothy posted more than 3 years ago | from the liberal-in-what-you-accept-but-not-here dept.

Security 159

Wired reports that it has confirmed a password flaw affecting some Amazon accounts. If your password hasn't been changed in a while ("the past several years"), it may be less secure than you'd like. As Wired explains, for these older accounts, "[...] if your password is “Password,” Amazon.com will also let you log in with 'PASSWORD,' 'password,' 'passwordpassword,' and 'password1234.'" The article suggests that Amazon's use of the Unix crypt() tool may be at fault. (Hat tip to E. Maureen Foley for pointing this out.)


159 comments


Opooh did someone body say first post (-1, Offtopic)

Noog (934684) | more than 3 years ago | (#35039678)

oooh yeah check my dubs

The UNIX crypt tool is not at fault (3, Insightful)

geekoid (135745) | more than 3 years ago | (#35039688)

It's the cheap-ass developers' fault.

Re:The UNIX crypt tool is not at fault (0)

Anonymous Coward | more than 3 years ago | (#35040156)

What made them think the UNIX crypt tool was at fault?

Re:The UNIX crypt tool is not at fault (2)

Culture20 (968837) | more than 3 years ago | (#35040202)

Solaris nisplus has a history of only dealing with the first eight characters for passwords, but if this is true, it means they are running a _very_ old system.
They might also be using single-DES. http://en.wikipedia.org/wiki/Crypt_(Unix)#Traditional_DES-based_scheme [wikipedia.org]

Re:The UNIX crypt tool is not at fault (1)

icebraining (1313345) | more than 3 years ago | (#35040252)

What's more likely is that they were running a very old system, and have passwords from those times still in the database; these are usually upgraded when the user logs in again, but some people never logged in again.

Re:The UNIX crypt tool is not at fault (1)

nxtw (866177) | more than 3 years ago | (#35040482)

What's more likely is that they were running a very old system, and have passwords from those times still in the database; these are usually upgraded when the user logs in again, but some people never logged in again.

If they have stored truncated case insensitive passwords or hashes, how do they know what users' correct passwords are? Should they reset users' passwords to the first password they type that matches the hash? No, because then a typo (accidental case mismatch or extra/missing/wrong characters after the eighth) would result in the user's password just being wrong.

This is why long-time and frequent Amazon users are still affected if they've not changed their password recently.

Re:The UNIX crypt tool is not at fault (1)

stoborrobots (577882) | more than 3 years ago | (#35040278)

I remember that crypt used to only care about the first 8 characters, but I don't remember anything about it being case insensitive... Where did that come from?

Re:The UNIX crypt tool is not at fault (-1)

Anonymous Coward | more than 3 years ago | (#35040352)

Because *n?x sucks.

Re:The UNIX crypt tool is not at fault (2)

mysidia (191772) | more than 3 years ago | (#35040564)

It's the cheap-ass developers' fault.

And it continues to be their fault. They can fix this easily.

Whenever a user logs in... check if their password is stored using crypt(). If it IS, then take the password they just used to login, and compute a stronger blowfish/salted md5 hash. Replace the crypted password with the strong hash.

No reason they couldn't have done that when they first introduced stronger password hashing.

Re:The UNIX crypt tool is not at fault (3, Interesting)

Bill Dog (726542) | more than 3 years ago | (#35040652)

If it IS, then take the password they just used to login,

But if the problem with the system is that mixed-case and extra characters are allowed in the case of older passwords, what about users with 8-character passwords who log in right after your proposed change with caps lock accidentally down? Or accidentally hit another character-generating key while fumbling for the enter key?

They'll be logged in. But not next time, because their password is not what they think it is. And even if they'd been entering it wrong for years, if they'd written down somewhere the correct one, they'd find that that also does not work. Much bewilderment and negative feelings about Amazon would ensue.

Re:The UNIX crypt tool is not at fault (3, Informative)

mysidia (191772) | more than 3 years ago | (#35040836)

what about users with 8-character passwords who log in right after your proposed change with caps lock accidently down

Unix crypt() is NOT case-insensitive. If the Amazon passwords are case-insensitive due to crypt, then it is due to them converting the field to all lowercase or all uppercase before passing the input to crypt(). They could continue to do so; although, case-insensitive was inadvisable in the first place, they would have painted them into a corner -- however, they can still prompt the user to change their password after a successful login, and make the pw change mandatory.

Re:The UNIX crypt tool is not at fault (1)

nitrogensixteen (812667) | more than 3 years ago | (#35041062)

The stored password hash is of a lower case input string. The original password could have any permutation of upper/lower letters but all of these would map to the same hash. The password system must request the password again, because the number of input strings that will hash properly is > 1. Whose fault it is has nothing to do with his point. You can't just take the password that resulted in successful login and rehash it, because the mapping is not injective.

Re:The UNIX crypt tool is not at fault (1)

thePig (964303) | more than 3 years ago | (#35041164)

No - this is a basic test case for any login scenario - the person who is at fault is the tester.

Re:The UNIX crypt tool is not at fault (1)

Z00L00K (682162) | more than 3 years ago | (#35041392)

And the person that did write the specification of how it should be done.

Assuming that there are specifications.

Re:The UNIX crypt tool is not at fault (0)

Anonymous Coward | more than 3 years ago | (#35041466)

It's not the developers' fault, it's management's fault. I worked at a very large company once, and despite my disapproval of even the thought of the idea and reluctance to implement it, management forced me to implement something very very similar to this bad bad thing.

Uhm... (5, Funny)

Anonymous Coward | more than 3 years ago | (#35039696)

Is it supposed to show all of my passwords in the article? Or do you just see stars?

Re:Uhm... (0)

geekoid (135745) | more than 3 years ago | (#35039928)

We just see stars. The same thing with credit card numbers and SSN. Go on, give it a try.

Oh, important tip: it will only put stars there if the number is preceded with the security number on the back.

Re:Uhm... (1, Informative)

bhcompy (1877290) | more than 3 years ago | (#35039970)

/oblig

[Cthon98] hey, if you type in your pw, it will show as stars
[Cthon98] ********* see!
[AzureDiamond] hunter2
[AzureDiamond] doesnt look like stars to me
[Cthon98] [AzureDiamond] *******
[Cthon98] thats what I see
[AzureDiamond] oh, really?
[Cthon98] Absolutely
[AzureDiamond] you can go hunter2 my hunter2-ing hunter2
[AzureDiamond] haha, does that look funny to you?
[Cthon98] lol, yes. See, when YOU type hunter2, it shows to us as *******
[AzureDiamond] thats neat, I didnt know IRC did that
[Cthon98] yep, no matter how many times you type hunter2, it will show to us as *******
[AzureDiamond] awesome!
[AzureDiamond] wait, how do you know my pw?
[Cthon98] er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
[AzureDiamond] oh, ok.

Re:Uhm... (3, Funny)

SpooForBrains (771537) | more than 3 years ago | (#35039964)

I see Hunter2

Re:Uhm... (1)

lul_wat (1623489) | more than 3 years ago | (#35040288)

Wow you must have the same password as them, I just see ********

Re:Uhm... (1)

Z00L00K (682162) | more than 3 years ago | (#35041402)

What's this thread about I only see *-s?

what the fuck? (-1)

Anonymous Coward | more than 3 years ago | (#35039698)

Did digg buy slashdot or something? This place looks like ass and the stories are lame.

Well I'll be damned.... (4, Insightful)

artor3 (1344997) | more than 3 years ago | (#35039704)

Just went to Amazon, typed in my passwords using all caps, and sure enough it logged me right in. I "changed" my password to the same thing it already was, and now the issue is fixed.

Re:Well I'll be damned.... (3, Insightful)

bbqsrc (1441981) | more than 3 years ago | (#35039760)

Now they should consider implementing a 'set new password on next login' rule to rectify this before someone gets screwed over and is enraged.

Re:Well I'll be damned.... (3, Insightful)

KiloByte (825081) | more than 3 years ago | (#35039960)

Or at the very least, update to a semi-modern hash on the next login, when the unhashed version will be known. Since they, like most web pages, don't use a challenge-response scheme but transmit the password as-is (at least over SSL, unlike Facebook's default), this is a trivial thing to do.

Forcing a password change would bring some security, but they're too afraid to spook mrs May type users for that.

Re:Well I'll be damned.... (0)

Anonymous Coward | more than 3 years ago | (#35040122)

You don't know the unhashed version for sure. What if there was a difference in capitalization, or a stray character appended to the end of a password?

Re:Well I'll be damned.... (1)

mysidia (191772) | more than 3 years ago | (#35040592)

You don't know the unhashed version for sure. What if there was a difference in capitalization, or a stray character appended to the end of a password?

On first login you generate the strong hash and store it in an auxiliary database field.

You store both the strong hash and the weak crypt() hash side by side; and on the second login you replace the old crypt() hash. Alternatively... you prompt them to enter a new password twice on the first login (which can be the same or different from the old one).
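The migration scheme argued over in this subthread (rehash on the next successful login, and why the caps-lock objection means a single login is not enough to trust the typed string), as an added example that is not code from any comment here or from Amazon. Assumptions, none confirmed by the article: the old accounts lowercase the password before hashing and truncate it to crypt(3)'s eight characters (`legacy_normalize`); a salted SHA-256 of the normalized string stands in for crypt(3) itself, since Python's `crypt` module is deprecated and platform dependent, and any hash of the normalized string reproduces the collision behaviour; PBKDF2 stands in for the "blowfish/salted md5" strong hash. `login_naive` is the proposal as first stated, `login_two_step` is the side-by-side "replace on the second login" refinement; the sample password is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

LEGACY_MAX = 8  # crypt(3)'s DES scheme only looks at the first eight characters


def legacy_normalize(pw: str) -> str:
    """Pre-processing the thread infers for the old accounts (an assumption, not
    something Amazon confirmed): fold case, then apply crypt(3)'s truncation."""
    return pw.lower()[:LEGACY_MAX]


def legacy_hash(pw: str, salt: bytes) -> bytes:
    """Stand-in for crypt(3): a salted hash of the normalized string collides
    for exactly the variants the legacy check would accept."""
    return hashlib.sha256(salt + legacy_normalize(pw).encode()).digest()


def strong_hash(pw: str, salt: bytes) -> bytes:
    """The 'stronger hash' of the proposal: full length, case sensitive, slow."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    legacy: Optional[bytes] = None   # crypt-style hash; None once migrated
    strong: Optional[bytes] = None   # authoritative once legacy is None
    pending: Optional[bytes] = None  # strong hash seen on a legacy login, awaiting confirmation


def create_legacy_account(pw: str) -> Account:
    """Simulate an account whose password was set years ago under the old scheme."""
    salt = os.urandom(16)
    return Account(salt=salt, legacy=legacy_hash(pw, salt))


def _legacy_ok(acct: Account, pw: str) -> bool:
    return hmac.compare_digest(acct.legacy, legacy_hash(pw, acct.salt))


def _strong_ok(acct: Account, pw: str) -> bool:
    return hmac.compare_digest(acct.strong, strong_hash(pw, acct.salt))


def login_naive(acct: Account, pw: str) -> bool:
    """Rehash on the first successful legacy login. Whatever variant the user
    happened to type becomes the only accepted password from then on."""
    if acct.legacy is None:
        return _strong_ok(acct, pw)
    if not _legacy_ok(acct, pw):
        return False
    acct.strong, acct.legacy = strong_hash(pw, acct.salt), None
    return True


def login_two_step(acct: Account, pw: str) -> bool:
    """Retire the legacy hash only after the identical string has matched twice,
    so a caps-lock or trailing-character variant on one login is not locked in."""
    if acct.legacy is None:
        return _strong_ok(acct, pw)
    if not _legacy_ok(acct, pw):
        return False
    candidate = strong_hash(pw, acct.salt)
    if acct.pending is not None and hmac.compare_digest(acct.pending, candidate):
        acct.strong, acct.legacy, acct.pending = candidate, None, None
    else:
        acct.pending = candidate  # first sighting, or a different variant: keep waiting
    return True


def demo() -> dict:
    true_pw = "Password_8463!"  # constructed; everything past 'Password' is invisible to the legacy check
    out = {}

    a = create_legacy_account(true_pw)
    out["legacy_accepts_variant"] = login_naive(a, "PASSWORD")     # caps lock on: still lets you in
    out["naive_locks_out_real_pw"] = not login_naive(a, true_pw)  # ...and the real password now fails

    b = create_legacy_account(true_pw)
    login_two_step(b, "PASSWORD")   # variant, first sighting
    login_two_step(b, true_pw)      # real password, but differs from pending: not migrated yet
    out["two_step_still_legacy_after_mismatch"] = b.legacy is not None
    login_two_step(b, true_pw)      # same string twice: migrate
    out["two_step_migrated"] = b.legacy is None and login_two_step(b, true_pw)
    out["two_step_rejects_variant_after_migration"] = not login_two_step(b, "PASSWORD")
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two-step variant still leaves the weak hash in the database until a second consistent login, so the case-folded crypt hash stays crackable in the meantime; the other option raised in the thread, a mandatory password change after the first successful legacy login, removes the ambiguity and the weak hash at the same time, at the cost of the support calls people are worried about.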

Re:Well I'll be damned.... (1)

AmberBlackCat (829689) | more than 3 years ago | (#35040032)

Or should we all buy a bunch of stuff and swear somebody else did it?

Re:Well I'll be damned.... (1)

mlts (1038732) | more than 3 years ago | (#35040042)

This. There are still a lot of UNIX boxes out there which are still using crypt(3), so they are using 8 characters max. There are only two fixes that can be done on this:

1: Force a password change to 8+ characters.
2: Ask a challenge question, such as an address stored on the account, or credit card used.

Re:Well I'll be damned.... (1)

tool462 (677306) | more than 3 years ago | (#35039796)

Ditto. But on the plus side, it did give me a reason to change my password to something much stronger than it used to be.

Re:Well I'll be damned.... (1)

Blig (1167531) | more than 3 years ago | (#35040644)

Ditto. But on the plus side, it did give me a reason to change my password to something much stronger than it used to be.

Agreed. Did so here too.

Re:Well I'll be damned.... (1)

roc97007 (608802) | more than 3 years ago | (#35039934)

Be damned. Same here. Exactly.

Re:Well I'll be damned.... (1)

HeronBlademaster (1079477) | more than 3 years ago | (#35039998)

This is the solution Amazon will give you if you contact them about it. (The reasons this situation arose are, of course, historical. It's the sort of thing that can happen if you want to improve the way you store passwords, but don't want to prevent existing customers from logging in.)

This issue only affects people who have not changed their account password for something like five years.

Re:Well I'll be damned.... (1)

LO0G (606364) | more than 3 years ago | (#35040678)

When Microsoft did essentially the same thing [wikipedia.org] it was touted (and is still being touted) as being an example of why Microsoft doesn't get security.... Somehow it was inexcusable to make this mistake in 1987 (when the LM hash was invented) but it's "ok" to do it in 2011?

Just sayin'

Re:Well I'll be damned.... (1)

HeronBlademaster (1079477) | more than 3 years ago | (#35040688)

I didn't say it's ok to do ;) Besides, they fixed it. If you reset your password, the issue goes away. I don't really see what more you want.

Re:Well I'll be damned.... (1)

LO0G (606364) | more than 3 years ago | (#35041016)

I'm not commenting on Amazon's actions - they need to do more (proactively warning customers with really old passwords would be a good start) but it's good that the fix is easy.

I was making a comment about the double standard implicit in the thread - there are a lot of "it's ok that Amazon screwed up here because it's easy to make such a mistake" attitude. On the other hand, 20+ years ago MSFT made essentially the same mistake (and fixed it 15+ years ago) and it's still being used as an example of why "Microsoft fundamentally doesn't get security".

In hindsight, I probably shouldn't have picked on your comment to mention it - your response was in fact informative and if I had mod points (and I hadn't commented) I'd have modded it up.

Re:Well I'll be damned.... (1)

Skater (41976) | more than 3 years ago | (#35040316)

Here's what makes me wonder. I've been following this thread on thedailywtf.com [thedailywtf.com] about password stupidities, and someone in that list mentioned this very issue on 1/8. Now I see it on reddit and Slashdot...

Re:Well I'll be damned.... (0)

Anonymous Coward | more than 3 years ago | (#35040472)

I just did the same thing as you did and had the same experience. I guess I'll have to check around.

At least Amazon and Wells Fargo (and others) take special characters in their passwords. Discover Card won't and that peeves me to no end.

Just tried it, and they're right (1)

93 Escort Wagon (326346) | more than 3 years ago | (#35039720)

My password was generated using the built-in OS X password tool, so I don't have my Amazon password memorized. I looked it up in the Keychain, then changed all the lower-case letters to upper-case - Amazon let me log in.

Guess I'd better change my password!

Not concerned at all. (1)

Anonymous Coward | more than 3 years ago | (#35039728)

Luckily I am not affected. My password is 'p31men$!' and so even if there are capital variants, the use of numbers and symbols makes it very hard to crack. I am completely safe.

Re:Not concerned at all. (0)

Anonymous Coward | more than 3 years ago | (#35039916)

Now to just use that password on every available account. There's less of those than password variants :D

Re:Not concerned at all. (1)

Golddess (1361003) | more than 3 years ago | (#35040798)

Your account name is your email address. While it may be true that there are more password variants than email address variants, there's still a heck of a lot of email address variants. You'd prolly have better luck just trying "password" on every single email address variant.

So, despite knowing it was a problem... (1)

RobbieThe1st (1977364) | more than 3 years ago | (#35039750)

they obviously didn't care enough to: 1. Send out an email to all affected people AND/OR 2. Disable those people's passwords after a certain period of time, forcing them to use the forgot password link. I dunno... I personally value security over forcing a bunch of people to reset their passwords. SO WHAT if a few people complain? It's better that than people losing money over this. *sigh*

Re:So, despite knowing it was a problem... (2)

geekoid (135745) | more than 3 years ago | (#35039814)

I have an account and I don't care. Seriously the threat here is only in the most technical case. In practicality it's not really a big deal.

I don't think they should care about case anyways.

Re:So, despite knowing it was a problem... (0)

Anonymous Coward | more than 3 years ago | (#35039866)

Can someone get down off their high horse long enough to explain just how this was a poor security practice on Amazon's part?

Re:So, despite knowing it was a problem... (4, Informative)

rsborg (111459) | more than 3 years ago | (#35039978)

Can someone get down off their high horse long enough to explain just how this was a poor security practice on Amazon's part?

Read the article... this isn't a huge flaw, just one that reduces the complexity of cracking an existing password.

If someone manages to break into Amazon (or do an inside job), they could theoretically steal a LOT of passwords (mine was impacted prior to changing it just now) by downloading the database and running a simple rainbow table [wikipedia.org] against it.... given that crypt limited the length to 8 and they case-insensitized the passwords, that's quite easy to crack even at 8 characters.

Cracked password means likely 1 or more credit card numbers per account compromised, which is a decent pay-off.

Furthermore there is the security issue of password re-use wherein an Amazon account would give an email address, and the attacker could try the email address of the account with the same password.

Re:So, despite knowing it was a problem... (1)

hawguy (1600213) | more than 3 years ago | (#35040124)

Cracked password means likely 1 or more credit card numbers per account compromised, which is a decent pay-off.

I don't see how a hacked account leads to a compromised credit card number. My full credit card number is not visible to me on Amazon, and if I try to ship an order to a new address, it asks for CC number again (or maybe just the card verification code).

So the worst that could happen would be that someone would order 100 copies of Sarah Palin's book and have them shipped to my home address.

Re:So, despite knowing it was a problem... (0)

Anonymous Coward | more than 3 years ago | (#35040748)

When what you usually order is 100 vibrating butt plugs?

Re:So, despite knowing it was a problem... (1)

hawguy (1600213) | more than 3 years ago | (#35040786)

When what you usually order is 100 vibrating butt plugs?

Amazon sells the vibrating ones?! Wish I'd known that before my last order!

Re:So, despite knowing it was a problem... (1)

Cato (8296) | more than 3 years ago | (#35041692)

Mod parent up - grabbing the whole encrypted password list is often surprisingly easy with SQL injection attacks, unfortunately. This is also how some spammers get email addresses from any site that records them and has a suitable SQL injection vulnerability.

Re:So, despite knowing it was a problem... (1)

TheLink (130905) | more than 3 years ago | (#35041174)

It's not a big deal.

The practice of stupid security questions is far worse, and seems to be about as common if not more.

Those reduce the security for "normal" users more than passwords being case insensitive and truncated to 8 characters.

Thankfully... (4, Funny)

Junta (36770) | more than 3 years ago | (#35039774)

My password of hunter2 was not compromised.

Re:Thankfully... (0)

Anonymous Coward | more than 3 years ago | (#35039846)

All I see is "My password of ******* was not compromised."

Re:Thankfully... (1)

yanyan (302849) | more than 3 years ago | (#35041102)

Hey that's my password, you insensitive clod!

Re:Thankfully... (3, Funny)

smellotron (1039250) | more than 3 years ago | (#35041482)

Hey that's my ********, you insensitive clod!

What?

Why exactly is this a problem? (4, Insightful)

Man On Pink Corner (1089867) | more than 3 years ago | (#35039784)

Sure, it would make a dictionary attack easier, but it's not as if you can launch a dictionary attack against amazon.com without being shut down after the first n wrong guesses.

It strikes me as a clever way to save the inevitable calls/emails to tech support ("Uh, I haven't logged in for like, 3 years, and now I can't remember my password.")

What's the threat, exactly?

Re:Why exactly is this a problem? (1)

Timmmm (636430) | more than 3 years ago | (#35039904)

I discovered this years ago. I assumed it was deliberate to make logging in on phones easier...

And I agree, I can't really see a situation where this matters.

Re:Why exactly is this a problem? (0)

Anonymous Coward | more than 3 years ago | (#35040072)

Gawker used crypt. Granted there were more things wrong with Gawker than just that, but passwords databases can get out.

Re:Why exactly is this a problem? (1)

yuhong (1378501) | more than 3 years ago | (#35041030)

Yea, system compromises can and do happen, and a weak password hash is going to cause trouble in case of such a compromise.

Re:Why exactly is this a problem? (4, Informative)

Facegarden (967477) | more than 3 years ago | (#35040152)

Any time a system will accept multiple entries for one password, the number of guesses an intruder has to make goes down.

This is generally considered bad.

You should never allow bad logins just to make it easier for people to log in when they can't recall their password, that's the wrong way to do it. You should provide an easy way for them to reset their password, not reduce your security across the board (which means password reset mechanisms must be carefully designed as well).

But this is bad for the same reason that simple passwords are bad. If you increase an attacker's chances of getting in by 0.01%, but you have 10,000,000 users, you've now put 1000 more people at risk.

Simply put, you want passwords to be as secure as you can, limited by your users ability to remember their password. And don't cater to the users who haven't logged in in 3 years, cater to the users who log in every day - keep things secure for them.

Just imagine how many people might use their last name as a password, or their last name plus their birthday. Then if you know a user John Smith was born in 1967, you can guess "smith67", and if he uses: smith, Smith, SMITH, smith67, Smith67, or SMITH67, your single guess of smith67 will work for ALL SIX cases. Increasing an attacker's chances SIX fold is terrible.

And for what it's worth, I'm blown away that this isn't perfectly clear to every single Slashdot reader.
-Taylor

Re:Why exactly is this a problem? (5, Funny)

MichaelSmith (789609) | more than 3 years ago | (#35040342)

Just this morning my wife said she had gone to the bank to open an account for our son and they told her this bank has accounts for five people with the same name. We thought his name was less common than that. I asked her why she thought that was a big deal and she said "you know, when you use your name as your password" and I said what?.

Re:Why exactly is this a problem? (1)

noidentity (188756) | more than 3 years ago | (#35041636)

What do you mean, is it common for people to know your name?

- Rumplestiltskin

Re:Why exactly is this a problem? (1)

Man On Pink Corner (1089867) | more than 3 years ago | (#35040784)

But this is bad for the same reason that simple passwords is bad. If you increase an attacker's chances of getting in by 0.01%, but you have 10,000,000 users, you've now put 1000 more people at risk.

Statistics does not work that way. As long as we're making up numbers, I'll guess that 0.0001% of those 1000 users will ever have a "guess the password" attack launched against their account.

This is an easy trap to fall into, admittedly. It usually comes up in pharmaceutical trials, where if you actually run the numbers on a new wonder drug, you discover it costs like $50,000,000 for every heart attack or stroke it prevents.

Then if you know a user John Smith was born in 1967, you can guess "smith67", and if he uses: smith, Smith, SMITH, smith67, Smith67, or SMITH67, your single guess of smith67 will work for ALL SIX cases. Increasing an attacker's chances SIX fold is terrible.

Weak password is weak. The actual odds of a successful attack are not affected significantly by a fuzzy match.

I could see it making life easier for crackers if the whole database escapes into the wild, of course... but that's another case where the real weakness has nothing to do with the matching algorithm.

Re:Why exactly is this a problem? (0)

Anonymous Coward | more than 3 years ago | (#35040878)

Let's assume I am going to play the lottery. I have a 1 in 3939494578557 chance of winning the jackpot. Now let's say I have bought 6 tickets. WOW! My chances of winning have gone up 6 fold! Wait, I'm still going to lose because I now have a 6 in 3939494578557 chance of winning. :o/

Re:Why exactly is this a problem? (1)

blibbo (928752) | more than 3 years ago | (#35040930)

I get your point, but you're exaggerating.

Let's say the attacker could access 100% of accounts, If he can now access 100.01% of accounts, you've put 1000 more accounts at risk. Except those accounts don't exist. That's pretty preposterous, so try the math with 50% of accounts. Pretty sure it comes to less than 1000 people.

Also Smith will not be the same as Smith67. Smithers would have been a better example. As per the article it's only after 8 characters that the passwords truncate.

5f4dcc3b5aa765d61d8327deb882cf99 (3, Funny)

metalmaster (1005171) | more than 3 years ago | (#35039812)

I think its safe to say my password is safe

Re:5f4dcc3b5aa765d61d8327deb882cf99 (0)

Anonymous Coward | more than 3 years ago | (#35040246)

Geez, I'm looking right at it, and I don't wanna mess with that password. Not even to copy/paste!

Re:5f4dcc3b5aa765d61d8327deb882cf99 (1)

sltd (1182933) | more than 3 years ago | (#35040254)

Not anymore!

Re:5f4dcc3b5aa765d61d8327deb882cf99 (1)

Spykk (823586) | more than 3 years ago | (#35040350)

Don't you know that md5 isn't safe? You should use sha256 instead: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

Re:5f4dcc3b5aa765d61d8327deb882cf99 (1)

metalmaster (1005171) | more than 3 years ago | (#35040474)

Aww... I guess you didn't see ****?

Re:5f4dcc3b5aa765d61d8327deb882cf99 (1)

Blig (1167531) | more than 3 years ago | (#35040660)

Don't you know that md5 isn't safe? You should use sha256 instead:

Bah, amateurs! ROT13 is the most secure! (This is a joke of course. I'm stating this because I just know someone is going to take this post seriously, lol.)

Re:5f4dcc3b5aa765d61d8327deb882cf99 (1)

fnj (64210) | more than 3 years ago | (#35040712)

Sha256 is sissy. They have sha512 now.

it is like this for other sites too... (1)

Anonymous Coward | more than 3 years ago | (#35039822)

same with wellsfargo.com and its been like that for ages.

Re:it is like this for other sites too... (1)

iammani (1392285) | more than 3 years ago | (#35040778)

Wow, I cannot believe that a bank would allow such lax passwords. I have a password with almost equal number of small caps and capital caps characters (typing it involves a lot of 'shift' key press and release). I guess I must have been a moron for creating a complicated password and remembering it!

hat tip? (2)

RichiH (749257) | more than 3 years ago | (#35039826)

Am I too old for knowing immediately what the root cause for this was?

Shouldn't this even be considered basic knowledge for any advanced UNIX user?

That was refreshing. Now get off my lawn.

Re:hat tip? (1)

geekoid (135745) | more than 3 years ago | (#35039918)

It should be considered basic knowledge for any UNIX programmer.

It's pretty inexcusable.

Re:hat tip? (2)

roc97007 (608802) | more than 3 years ago | (#35039950)

> Am I too old for knowing immediately what the root cause for this was?

Yes.

(Me too.)

Re:hat tip? (0)

Anonymous Coward | more than 3 years ago | (#35040050)

I'd like to know why it matters if you type passwordpassword.
Wouldn't password followed by anything work if they only inspect the first 8 bytes?
Or are they doing something stranger?

Re:hat tip? (1)

nickspoon (1070240) | more than 3 years ago | (#35040630)

Shouldn't this even be considered basic knowledge for any advanced UNIX user?

Let's assume for the moment that I'm not - what is the flaw involved?

Re:hat tip? (0)

Anonymous Coward | more than 3 years ago | (#35040782)

The old unix crypt() function truncates your plaintext to only 8 chars before it operates over it. Cryptographically what it actually needs are eight 7-bit characters to make a 56-bit DES key.

Point being if you crypt:

abcdefghAAAAAAAAAA
and
abcdefghZZZZZZZZZZZ

You get exactly the same result since they both get truncated to abcdefgh prior to being fed into the encryption function.
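The truncation described in the comment above, worked through as an added example (not code from the thread, from crypt(3) itself, or from Amazon). `crypt_des_key` reproduces only the key-derivation step of the traditional DES-based crypt(3): the first eight characters, the low seven bits of each shifted left by one, NUL padded. DES is not run, because the key bytes alone show which passwords are indistinguishable to it. The same block also covers the keyspace argument made earlier in the thread (accepting several strings for one password shrinks the attacker's search): the case folding before crypt() is the thread's inference and is treated here as an assumption, and the alphabet sizes (62 mixed-case alphanumerics, 36 after folding) are illustrative. All inputs are constructed, taken from the comment above and from the Wired variants in the summary.

```python
import math

CRYPT_MAX = 8  # traditional DES crypt(3) stops reading the password here


def crypt_des_key(pw: str) -> bytes:
    """Key material the traditional DES-based crypt(3) builds from a password:
    the first eight characters, the low seven bits of each shifted left by one
    (the low bit of every key byte is a DES parity bit and is ignored), NUL
    padded when the password is shorter. Anything after the eighth character
    never reaches DES."""
    key = bytearray(CRYPT_MAX)
    for i, ch in enumerate(pw[:CRYPT_MAX]):
        key[i] = ((ord(ch) & 0x7F) << 1) & 0xFF
    return bytes(key)


def legacy_normalize(pw: str) -> str:
    """Case folding before crypt(), as the thread infers for the affected
    accounts (an assumption), followed by crypt()'s own truncation."""
    return pw.lower()[:CRYPT_MAX]


def accepted_variants(true_pw: str, candidates: list) -> list:
    """Candidate strings the case-folded legacy check would accept as true_pw."""
    target = legacy_normalize(true_pw)
    return [c for c in candidates if legacy_normalize(c) == target]


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of distinct passwords an attacker must cover."""
    return length * math.log2(alphabet_size)


def keyspace_comparison() -> dict:
    """Search space for a user-chosen alphanumeric password under each treatment.
    Alphabet sizes assumed: 62 mixed-case alphanumerics, 36 after case folding."""
    return {
        "12 chars, as typed": keyspace_bits(62, 12),
        "8 chars, as typed (crypt truncation)": keyspace_bits(62, 8),
        "8 chars, case-folded (crypt + lowercasing)": keyspace_bits(36, 8),
        "DES key bits available to crypt()": 7 * CRYPT_MAX,
    }


if __name__ == "__main__":
    # the pair from the comment above: identical key bytes, so identical crypt() output
    print(crypt_des_key("abcdefghAAAAAAAAAA") == crypt_des_key("abcdefghZZZZZZZZZZZ"))
    # crypt() on its own is case sensitive; the case folding has to come from the caller
    print(crypt_des_key("abcdefgh") == crypt_des_key("Abcdefgh"))
    wired = ["PASSWORD", "password", "passwordpassword", "password1234", "passwor", "passw0rd"]
    print(accepted_variants("Password", wired))
    for label, bits in keyspace_comparison().items():
        print(f"{label}: {bits:.1f} bits")
```

Note that the key derivation alone explains every variant in the Wired quote except the case changes; those only appear if the application lowercases (or uppercases) the input before calling crypt(), which is the point several commenters make about where the fault lies.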

It's much worse than that (5, Interesting)

SpammersAreScum (697628) | more than 3 years ago | (#35039914)

Wired seems to have missed the biggest problem, which was pointed out on reddit: the 8-character limit works both ways! If you set your password to be, say, "Password_8463!", as far as Amazon is concerned you just set it to the rather less secure "Password".

Re:It's much worse than that (1)

roc97007 (608802) | more than 3 years ago | (#35039940)

I think that was covered by the admission that Unix "crypt" was used. Unless it's just us old fogeys that remember that Unix passwords had an 8 character limit.

Man, I feel old. I'm going to go home and yell at the kids playing in my yard.

Thanks. (1)

pavon (30274) | more than 3 years ago | (#35040096)

Thanks for pointing that out. Based on the summary I would have ignored this issue as my password is strong enough even without case sensitivity.

Re:Thanks. (2)

Nimloth (704789) | more than 3 years ago | (#35040236)

Is your password hunter2_a1nO=$i! as well?

Re:Thanks. (0)

Anonymous Coward | more than 3 years ago | (#35041084)

damn it, how do YOU know my password?

Re:It's much worse than that (0)

Anonymous Coward | more than 3 years ago | (#35040360)

reddit sucks and now slashdot sucks even more... what to do?

the people on reddit are even more assholish than here

anyone want my 2-digit slashdot account?

Wow big story here... (0)

Anonymous Coward | more than 3 years ago | (#35040136)

Wait, no, it's not. Plenty of case insensitive libraries out there. I know Blizzard uses one for World of Warcraft. Unless a prompt explicitly tells me that a password or even a UID IS case sensitive, I assume that it is not. Not that I would rely on my password somehow being case sensitive as protection, that's about as wise as relying on a copy/paste routine to protect you. Many fools rely on that kind of tactic, and that just makes me laugh.

You want to protect your passwords? Remember, YOU are the weak point. You are the one who does things like give them out to friends, to let them log into your account. You are the one who runs programs on your computer.

Remember it.

Re:Wow big story here... (1)

MichaelSmith (789609) | more than 3 years ago | (#35040394)

Yeah a couple of years ago an accountant where I work was helping me deal with a purchasing system we have. He asked me for my password so he could log on to my account. Apparently that's how things are done in his working environment. In my team we all have root access so we can su to any account, but nobody shares their password. su only gets you in the account once. root could be changed tomorrow. The same password could be used all over the place.

Uh oh. (2)

Leebert (1694) | more than 3 years ago | (#35040206)

My amazon.com password is a dictionary word I set in, like, 1997?

Maybe it's time to change it.

Only part of the mess (0)

Anonymous Coward | more than 3 years ago | (#35040286)

So I just tried this to see if it worked and sure enough, it lets me log in. However, if I log in using "PASSWORD" I can see one set of orders. If I use "password" I get a completely different set! No wonder I have not been able to track packages from some computers, I must have mistyped my password!

Schwab, too (0)

Anonymous Coward | more than 3 years ago | (#35040520)

Charles Schwab brokerage (think, lots of money) has the same behavior. Case-insensitive and only uses the first 8 characters. May be "had" the same behavior since I haven't checked for a while.

Amazon's silence (0)

Anonymous Coward | more than 3 years ago | (#35040524)

Amazon did not respond to a request for comment.

Try getting them to respond to a request for COMMENT, commentcomment, or comment1234.

I guess I better change my password (0)

mysidia (191772) | more than 3 years ago | (#35040602)

I thought PaSswOrD was reasonably secure. How was I supposed to know it was case-insensitive?

passwordpassword (3, Funny)

Arancaytar (966377) | more than 3 years ago | (#35040824)

I hear the site also accepts minor misspellings, anagrams, close synonyms and Cockney rhyming slang.

It gets weirder... (0)

Anonymous Coward | more than 3 years ago | (#35040846)

Amazon also allows multiple accounts for the same email address [wordpress.com], as long as the passwords are unique.

Password hashes are one-way (3)

yuhong (1378501) | more than 3 years ago | (#35041014)

A password hash is a one-way function, which means that it is impossible to re-encode passwords stored using one hash using another hash. This means that the old password hash function must still be supported until all passwords are changed.

Re:Password hashes are one-way (1)

Confusador (1783468) | more than 3 years ago | (#35041400)

As someone else points out, though, it is trivial to create a new hash for a password on the next successful login. To the extent that this should be an issue at all, it should only be affecting people who haven't logged in in the past several years, not all those who haven't changed their password.

Re:Password hashes are one-way (0)

Anonymous Coward | more than 3 years ago | (#35041450)

Nah. If it passes, you use the user-supplied string to generate and store a new hash on the next login. Or if you don't feel like doing that, just require a password change on next successful login.

Both are things they could/should have done a long, long time ago.

Entropy loss: 5bit (1)

drolli (522659) | more than 3 years ago | (#35041366)

I don't care if you can append something to a password. Mathematically, accepting some additional input to a password is not bad - you can also type additional text.

The only loss in entropy is that you don't have to guess where the user cut off something from known words. The worst case scenario would be if you make a dictionary attack, and the password is in the dictionary in a longer form, you don't have to send the right length. Assuming that the chosen pw must be longer than 8 characters and probably is shorter than 32 characters, this saves you *at most* 5 bits of entropy, probably less for most real world cases. Given that a good pw should have more than 40-48 bits of entropy, losing 5 bits won't hurt much.

Unix crypt (1)

Bert64 (520050) | more than 3 years ago | (#35041682)

The old unix crypt function (using DES encryption) has always been case sensitive, although it is limited to 8 characters... If the password is case insensitive that sounds more like LANMAN, an old password hashing function used by older versions of windows (still enabled by default in 2003 and earlier).
