Amazon Flaw Lets Password Variants Through
Wired reports that it has confirmed a password flaw affecting some Amazon accounts. If your password hasn't been changed in a while ("the past several years"), it may be less secure than you'd like. As Wired explains, for these older accounts, "[...] if your password is 'Password,' Amazon.com will also let you log in with 'PASSWORD,' 'password,' 'passwordpassword,' and 'password1234.'" The article suggests that Amazon's use of the Unix crypt() tool may be at fault. (Hat tip to E. Maureen Foley for pointing this out.)
The UNIX crypt tool is not at fault (Score:4, Insightful)
It's the cheap-ass developers' fault.
Well I'll be damned.... (Score:5, Insightful)
Just went to Amazon, typed in my passwords using all caps, and sure enough it logged me right in. I "changed" my password to the same thing it already was, and now the issue is fixed.
Re:Well I'll be damned.... (Score:4, Insightful)
Why exactly is this a problem? (Score:5, Insightful)
Sure, it would make a dictionary attack easier, but it's not as if you can launch a dictionary attack against amazon.com without being shut down after the first n wrong guesses.
It strikes me as a clever way to save the inevitable calls/emails to tech support ("Uh, I haven't logged in for like, 3 years, and now I can't remember my password.")
What's the threat, exactly?
Re:Well I'll be damned.... (Score:4, Insightful)
Or at the very least, update to a semi-modern hash on the next login, when the unhashed version will be known. Since they, like most web pages, don't use a challenge-response scheme but transmit the password as-is (at least over SSL, unlike Facebook's default), this is a trivial thing to do.
Forcing a password change would bring some security, but they're too afraid to spook Mrs. May-type users for that.
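Two points on this page lend themselves to a worked example: the summary's observation that a legacy hash treats whole families of strings ('PASSWORD', 'passwordpassword', 'password1234') as the same password, and the comment above suggesting that the fix is to re-hash with a modern scheme on the next successful login, when the plaintext is in hand. The Python below is an added illustration, not Amazon's code and not from the Wired article. The legacy scheme it models is an assumption: the password is upper-cased and cut to eight characters before hashing, which reproduces the equivalences quoted in the summary (traditional DES crypt() really does look only at the first eight characters; the case-folding is a modelling choice). The user table, salt and hash formats are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Hypothetical model of the weak legacy scheme (assumption, not Amazon's actual code):
# upper-case the password and keep only the first 8 characters, the way traditional
# DES crypt() only looks at the first 8 characters, then hash. Any two passwords that
# normalise to the same 8 characters become interchangeable.
LEGACY_SALT = b"legacy-salt"       # constructed sample value
PBKDF2_ROUNDS = 100_000            # modern scheme: salted, iterated PBKDF2-HMAC-SHA256


def legacy_hash(password: str) -> str:
    normalized = password.upper()[:8]
    return hashlib.sha1(LEGACY_SALT + normalized.encode()).hexdigest()


def legacy_equivalents(password: str, candidates: List[str]) -> List[str]:
    """Which candidates would the legacy scheme accept in place of `password`?"""
    target = legacy_hash(password)
    return [c for c in candidates if legacy_hash(c) == target]


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2$" + salt.hex() + "$" + digest.hex()


def verify_modern(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_store() -> Dict[str, str]:
    """Constructed user table: one account still carrying a legacy-format hash."""
    return {"alice": "legacy$" + legacy_hash("Password")}


def login(store: Dict[str, str], user: str, password: str) -> Tuple[bool, bool]:
    """Verify a login; returns (accepted, upgraded).

    If the stored record is in the legacy format and the password matches, the
    plaintext is available right now, so the record is rewritten with the modern
    scheme. Users who never log in again keep their weak hash, which is why the
    comment above also mentions forcing a change.
    """
    stored = store.get(user)
    if stored is None:
        modern_hash(password)   # spend comparable time so unknown users aren't obvious by timing
        return False, False
    if stored.startswith("legacy$"):
        if hmac.compare_digest(stored[len("legacy$"):], legacy_hash(password)):
            store[user] = modern_hash(password)
            return True, True
        return False, False
    return verify_modern(password, stored), False
```

One caveat worth noticing when running this: the upgrade locks in exactly the string the user typed at that login. If the legacy record was created from 'Password' and the user logs in with 'PASSWORD', the new PBKDF2 record is of 'PASSWORD', and the old variants stop working from then on, which is the intended outcome but can surprise people who had been typing a variant for years.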