Change Your Old Amazon Password Now To Avoid This Cracking Risk

Some old Amazon accounts appear to have a flaw in their password-checking scheme that makes them more vulnerable to a brute-force cracking attempt. For affected accounts, if you haven’t changed your password in several years and it is longer than 8 characters, it looks like all someone has to do is enter the first 8 characters correctly and they’re in, even if everything they type after those 8 characters is gobbledygook.

So if your password was “PASSWORDSCHOOL”, it will also accept “PASSWORDdf234243” or “PASSWORDsputnik”, etc.

Several Consumerist readers verified that they were able to replicate the error on their accounts. Commenter Rodan wrote on this post, “Thanks. I had an old account and password. It was affected as described, I entered the first 8 characters then filled it with “1”s for the remaining characters. I was able to log into my account.”

Other commenters with old passwords said they couldn’t reproduce the error, including one with a 7-year old password. It’s not clear what determines which accounts are vulnerable.

Reddit commenters also say that the passwords have been “flattened,” so correct upper and lower case is not required either.

Why does this matter? If someone were trying to break into your Amazon account through a method known as a “brute force attack”, where all possibilities are tried out in succession (0001, 0002, 0003, etc.), it would take them a lot less time to do it, potentially weeks less. That’s bad.
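To make the described behavior concrete, here is an added Python model (not the article’s or Amazon’s code, whose real implementation is not public) of a check that hashes only the first 8 characters after flattening case, next to a hardened verifier, with a small audit function a site operator can run against any verifier and a keyspace calculation showing why truncation cuts the cracker’s work. Function names and the sample password are constructed for this illustration.

```python
import hashlib
import hmac
import math
import os

# Constructed model of the flaw described above: the stored hash covers only
# the first 8 characters, and case is flattened before hashing.
def legacy_hash(password: str) -> str:
    normalized = password[:8].lower()
    return hashlib.sha1(normalized.encode()).hexdigest()

def legacy_verify(stored: str, attempt: str) -> bool:
    return hmac.compare_digest(stored, legacy_hash(attempt))

# Hardened form: whole password, case preserved, per-user random salt and a
# slow key derivation (PBKDF2-HMAC-SHA256 from the standard library).
def hardened_hash(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def hardened_verify(salt: bytes, stored: bytes, attempt: str) -> bool:
    return hmac.compare_digest(stored, hardened_hash(attempt, salt)[1])

# Audit check: does the verifier accept the first 8 characters plus junk, or a
# case-flipped copy of the real password? Both should be False.
def truncation_or_case_flaw(verify, real_password: str) -> dict:
    return {
        "truncated": verify(real_password[:8] + "df234243"),
        "case_flattened": verify(real_password.swapcase()),
    }

def log2_keyspace(length: int, alphabet_size: int) -> float:
    """Bits of work for an offline exhaustive guess at this length/alphabet."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    pw = "PASSWORDSCHOOL"
    stored = legacy_hash(pw)
    print(truncation_or_case_flaw(lambda a: legacy_verify(stored, a), pw))
    salt, digest = hardened_hash(pw)
    print(truncation_or_case_flaw(lambda a: hardened_verify(salt, digest, a), pw))
    # 14 chars over 62 symbols vs. 8 case-flattened chars over 36 symbols
    print(log2_keyspace(14, 62), log2_keyspace(8, 36))
```

The keyspace figures show the effective secret shrinking from roughly 83 bits to about 41 bits, which is what makes an offline attack against leaked hashes so much cheaper.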

We’ve reached out to Amazon via voicemail, email, and Twitter for comment and an ETA on a fix.

THE TAKEAWAY: To fix the issue, simply change your Amazon password. You should change your passwords on a regular basis anyway, so now is as good a time as any.

Amazon security flaw… wtf??? [Reddit] (Thanks to Alex, GitEmSteveDave, @conanlicious, @otterman!)

Comments

  1. turkishmonky says:

    I checked, and it didn’t fail. I believe I changed it about a ear ago, but it’s better to stay on the paranoid side of things.

    • Liam Kinkaid says:

      About an ear ago, eh? Au, rally? :)

      • turkishmonky says:

        being a zombie gives you no respect. We have no sense of time except for our body parts that fall off, and people still manage to make fun of you for it. ;-)

        • Fafaflunkie Plays His World's Smallest Violin For You says:

          Didn’t you mean being a leper? I guess being a zombie sort of counts as well %]

          BRAINS… must… eat… BRAINS…

    • dorianh49 says:

      Is that why your avatar sketch has only one ear? Amazon is BRUTAL!

  2. Kate says:

    I create my own passwords at home

  3. pop top says:

    I just checked mine and the trick didn’t work, but better safe than sorry.

  4. calquist says:

    Just recently changed mine! Thanks Gawker!

    • notovny says:

      I, too wound up changing all my high-profile passwords after the Gawker attack, although my gawker password hadn’t been accidentally leaked, and wasn’t used anywhere else.

      I’d think that Amazon would be able to detect and stop brute force attempts, and salting and hashing the passwords in their database, though.

    • LatinoGeek says:

      +1

      I changed all of my password thanks to the Gawker Fiasco. I also created unique passwords for all (80+) of my online accounts. Using the longest, most complicated passwords that the sites will let me use.

  5. TooManyHobbies says:

    If they were using the STANDARD password system that’s been used by sensible programmers since the 80s, they wouldn’t have this problem. Passwords should never be stored, at all. You run the password through a hashing algorithm, then you store the hash. the original password can not be determined from this value.

    If you’re doing this, you can take an arbitrary number of bytes for password, they will still convert into whatever your hash length is, so there’s no real reason to limit the length of the password.

    Whenever I discover a system where they can tell me what my password is, I know not to trust them because either their programmers don’t know what they’re doing, or management overrides proper security procedure for the sake of convenience.

    All they should be able to do is to reset your password.

    • Mom says:

      Actually, older Unix systems have exactly this problem. Only the first 8 characters get hashed. Everything else is thrown out.

      • mikeyo says:

exactly. if you are on a unix system you can compare “mkpasswd -Sxx 0123456789” to “mkpasswd -Sxx 01234567890123456789” and see that they generate the same hash.

    • Blueskylaw says:

      I love hash.

    • ldillon says:

      Wouldn’t the hashes differ because of salt, unless you’re talking about truly ancient systems?
      I seem to remember something about Windows Lan Manager passwords truncating passwords to the first 8 characters and not using salt also.

  6. Rodan says:

    Thanks. I had an old account and password. It was affected as described, I entered the first 8 characters then filled it with “1”s for the remaining characters. I was able to log into my account. After changing the password, this was no longer possible.

    However, I forgot to test if the forged password would work with the first 8 characters and a mismatched number of “1”s. If not, it would be pretty difficult to brute force guess, since you would have to know the exact length of the password.

    Good catch, I am sure Amazon will be getting a lot of attempts, no matter how futile, now that the news is out.

  7. slim150 says:

    “You should change your passwords on a regular basis anyway”

I’ve always disagreed with this. At least from a work environment it costs lots of money and is not even effective. If someone has your password they will use it... not sit on it. Unless they are a stalker.

    • Happy Tinfoil Cat says:

      Yeah! I have had a password for years that always worked. Why fix what ain’t broke? If you change the password to something new and untried sooner or later it’s gonna get hacked. ;^)

    • Mom says:

      It is true, that if the bad guys have your password that they will use it, and not sit on it. However, you will not necessarily know that they’re using it. It might be fairly obvious if someone is ordering stuff using your credit card, or using your gmail account to try to scam your friends, but it may not be that obvious, especially in a work environment. The longer they have a working password, the more they can do.

    • TheyCallMeMcGyver says:

Agreed 100%. A strong password, and one that is unique I might add, shouldn’t need to be changed.

    • balance776 says:

      agreed 100%.
I’m a computer security guy, and there’s nothing I hate more than the false logic that constantly changing your password increases security.

  8. BeFrugalNotCheap says:

    I already figured Ben’s Amazon password: ILOVEPOPKEN. J/K!

  9. skylar.sutton says:

    Hy lk – nthr stry Cnsmrst stl frm Rddt.cm… WTF!

    • Blueskylaw says:

      Seppuku much? (disembowelment)

• GuyGuidoEyesSteveDave™ says:

      It wasn’t “stolen” from Reddit. Notice my name is one of the ones in the thanks section, you know, right next to the link to the reddit post? Well that is because I have a very old account that has never had the password changed, and I tried this on my account on multiple computers/browsers, and relayed that info to Ben. He didn’t just copy and paste. He did leg work/got confirmation by getting in touch with people who confirmed that it was happening to them and even called Amazon. Did he “steal” all that from reddit as well, which pretty much is just something that someone submitted w/no proof it happened.

  10. chucklebuck says:

    Tried this with my account and it didn’t work, thank goodness. My account is at least 5 years old now.

  11. kurtmac says:

    Had an older password than I’d like to admit, but the trick as described didn’t work. I did find that it wasn’t case sensitive like I thought it was (I was able to cap and lowercase letters as they shouldn’t have been and it let me in) so I changed it anyways.

  12. shinseiromeo says:

    Was this just reported…? It’s been happening for almost a year now.

  13. awesome anna says:

It’d be nice if Amazon had an actual “log out” feature also. The only thing I’ve found is at the top where it says “not so and so?” and then you click that and it signs you out. How about a sign out feature?! I’ve never understood that about Amazon. Maybe that could make it more secure… ish?

    • chucklebuck says:

      But that is a sign out feature. Not as obvious, but it does sign you out. Sounds like what you really want is a sign out link that actually says “Sign Out” rather than “Not So and So? Click Here”

      • awesome anna says:

        Yes! LOL I want something that says “Log Out” Not… “not so and so?” Cause I am that so and so. So to click that I’m not, just to log out is dumb…

        • chucklebuck says:

          I agree with you – it’s completely counterintuitive (“But I *AM* chucklebuck! I just wanna leave!”). But after I figured it out, it kinda stuck with me.

        • Rectilinear Propagation says:

          I think they do it that way because they do want people to stay logged into their accounts. Kinda like how Facebook moved their sign out button into one of the menus.

    • Press1forDialTone says:

      There is an actual logout.
      Click on “My Account” and a logout selection appears on that screen, yucky but something.

  14. theblackdog says:

    My password was exactly 8 characters anyway, but it didn’t hurt to change it to another length.

  15. I wumbo. You wumbo. He- she- me... wumbo. Wumbo; Wumboing; We'll have thee wumbo; Wumborama; Wumbology; the study of Wumbo. says:

    You should change your passwords on a regular basis? What about having a good password to begin with?

  16. JohnJ says:

    Of course, in order to compromise your account, a hacker would also have to figure out what your Amazon.com e-mail address is. Using a “nonobvious” e-mail address helps.

In addition, obvious e-mail addresses like [FirstName][Numbers] are SPAM magnets. SPAMers’ random e-mail address generators always nail those. (I learned that the hard way.)

    • QuantumCat says:

      I’m typically amused when an email gets through my spam filter these days. It’s infrequent enough I like to see how they slipped the filter.

  17. dpeters11 says:

    After the Gawker incident, I switched over to LastPass and haven’t looked back. Even I don’t know my passwords anymore, and I’m very happy. Should have done it a long time ago.

  18. RevRagnarok says:

    gCNvfCuNM9TnkQjXnwg I barely knew thee… since May 2006. Thanks.

  19. Benanov says:

    Yay Amazon, looks like you re-implemented LM Hash…

  20. Benanov says:

    Seriously what is this Amazon, LM Hash? Salted SHA-1 at the bare minimum…

    • common_sense84 says:

These are obviously older passwords from when they used the older standards.

      They upgraded passively leaving the existing passwords intact. They cannot convert your old password to a newer hash. You have to recreate a password to get the newer hash.

      But the reason why this is moot is because as long as they limit failed login attempts, there is nothing wrong with an 8 character password. This is why 4 digit pin numbers are secure, because if you fail like 3-4 times entering your pin at an atm, it eats your card and locks out atm access.

      8 characters is overkill if you prevent brute force attacks.

  21. theSuperman says:

    I have had the same amazon.com password for years, and the “trick” does not seem to work for me.

  22. jim says:

    so should I change mine to something other than “jim” if it is

  23. tinmanx says:

    If they can get in to my account, good for them, because I can’t even remember my password.

  24. common_sense84 says:

    “Why does this matter? If someone was trying to break into your Amazon account through a method known as the “brute force attack”, where all possibilities are tried out in succession, i.e. 0001, 0002, 0003, etc, it would take them a lot less time to do it, potentially weeks less. That’s bad.”

    Except amazon should not allow unlimited password attempts. As long as they limit incorrect login attempts, this is not a security hole and there is no real risk. Which is why amazon would have no need to alert users.

    THIS IS NOT A SECURITY RISK AS LONG AS THEY RESTRICT THE NUMBER OF FAILED LOGIN ATTEMPTS!

    You are panicking people over your own ignorance. Being able to try 10 times on an 8 character password will get you no closer than being able to try 10 times on a 20 character password that is case sensitive.

    • ldillon says:

      The problem really only exists if someone can get all of the password hashes and brute force them (or use a rainbow table or whatever). The problem is that hashed passwords do occasionally get leaked on the Internet. Multiply that by the number of people that use the same password on many sites and you have a problem.

  25. Draw2much says:

    Thanks for letting me know! Turns out my password was affected. I changed my password using LastPast so at least I know it’s secure. :)

  26. KaralynK says:

    So … I guess it’s good that I had to change it after the Gawker hack anyway??

  27. Hi_Hello says:

    I remember reading something that with the hardware available, password will become useless.

Don’t accounts get locked after 3 tries? Wouldn’t it take a long time if you can only try 3 passwords a day? How long will it take to crack the password?

Since most accounts are tied to an email, won’t it be easier for a hacker to crack the email password, which might lead them to more than just one shopping account?

I don’t know how brute force works now… But back in the day, linux systems weren’t secured; you could get the password file and just run the brute force on the file. Before that, password files showed you people’s password length. Before that, it showed the password….

  28. MikeM_inMD says:

    I don’t even remember if I have an Amazon account.

  29. Ragman says:

    I tested it out with my password. It was as described, only the first 8 characters were checked, AND it was not case sensitive. I went to the change password page, and just re-entered my old password. Tested it again, and it then required the full password, case sensitive.

  30. goober says:

    I dare someone to use Amazon’s cloud computing to crack the accounts, hahaha

  31. gaya2081 says:

    I reported this issue to Amazon, I believe back in 2006. I can’t find the emails I sent back and forth with them, but they assured me that it would be fixed……

  32. gaya2081 says:

    I reported this issue several years ago to amazon…I love how they jumped on that.

  33. HogwartsProfessor says:

    I tried it twice and I couldn’t do it. It wouldn’t let me log in.

  34. Torchwood says:

    Just for safety, my passwords were updated to something a little longer and more random.

    KeePass + Dropbox + FreeFileSync are my friends.

  35. MauriceCallidice says:

My Amazon account is at least 13 years old (oldest order shown on my account is from 1998), and I have a longer than 8 character password. I tried the first 8 characters and replaced the others with 1s, but couldn’t log in.