Amazon Flaw Lets Password Variants Through
Wired reports that it has confirmed a password flaw affecting some Amazon accounts. If your password hasn't been changed in a while ("the past several years"), it may be less secure than you'd like. As Wired explains, for these older accounts, "[...] if your password is 'Password,' Amazon.com will also let you log in with 'PASSWORD,' 'password,' 'passwordpassword,' and 'password1234.'" The article suggests that Amazon's use of the Unix crypt() function may be at fault: the classic DES-based crypt() only looks at the first eight characters of a password, which would explain why anything typed after "password" is ignored, while accepting the wrong case would mean the password was case-folded before it was hashed. (Hat tip to E. Maureen Foley for pointing this out.)
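As an added illustration (not Amazon's code, and not from the Wired article), the following emulates the two behaviours described above and then audits a verifier for them. The eight-character truncation is real crypt(3) behaviour; the case-folding before hashing is an assumption about what the legacy code might have done. SHA-256 over the truncated string stands in for the actual DES crypt() output, and the "hardened" verifier uses PBKDF2 with a random salt and a constant-time compare. The `audit()` helper is the piece a practitioner would keep: point it at any `verify(password, stored)` function and it reports which near-miss variants are wrongly accepted.

```python
import hashlib
import hmac
import os

# --- Legacy verifier: emulates the flaw described in the summary ------------
# crypt(3) with DES ignores everything past the 8th character (real behaviour).
# Uppercasing before hashing is an ASSUMPTION about the legacy code, made so
# that "PASSWORD" and "password" collide the way the article reports.
LEGACY_MAX_LEN = 8


def legacy_hash(password, salt):
    # Stand-in for crypt(): SHA-256 over the salt plus the case-folded,
    # truncated password. Only the first 8 characters influence the digest.
    normalised = password.upper()[:LEGACY_MAX_LEN].encode()
    return hashlib.sha256(salt + normalised).digest()


def legacy_enroll(password):
    salt = os.urandom(16)
    return salt, legacy_hash(password, salt)


def legacy_verify(password, stored):
    salt, digest = stored
    return hmac.compare_digest(legacy_hash(password, salt), digest)


# --- Hardened verifier: full password, random salt, slow KDF ---------------
PBKDF2_ROUNDS = 100_000


def hardened_hash(password, salt):
    # The whole password (any length, case preserved) goes into the KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hardened_enroll(password):
    salt = os.urandom(16)
    return salt, hardened_hash(password, salt)


def hardened_verify(password, stored):
    salt, digest = stored
    return hmac.compare_digest(hardened_hash(password, salt), digest)


# --- Audit: which near-miss variants does a verifier accept? ---------------
def variants(password):
    """Near-misses of the kinds the article lists: wrong case, extra trailing
    characters, and (to expose truncation directly) a changed last character."""
    last = password[-1]
    changed_last = password[:-1] + ("x" if last != "x" else "y")
    return {
        "upper": password.upper(),
        "lower": password.lower(),
        "swapcase": password.swapcase(),
        "doubled": password * 2,
        "suffix": password + "1234",
        "last_char_changed": changed_last,
    }


def audit(verify, stored, password):
    """Return the set of variant names that `verify` wrongly accepts.
    An empty set means none of the near-misses logged in."""
    return {
        name
        for name, candidate in variants(password).items()
        if candidate != password and verify(candidate, stored)
    }


if __name__ == "__main__":
    # Constructed sample credentials, one per verifier.
    for name, enroll, verify in (
        ("legacy", legacy_enroll, legacy_verify),
        ("hardened", hardened_enroll, hardened_verify),
    ):
        stored = enroll("Password")
        print(name, "accepts:", sorted(audit(verify, stored, "Password")))
```

Run the script and the legacy verifier lists every case variant plus the doubled and suffixed forms, exactly the set Wired reports; the hardened verifier lists nothing. Against a password longer than eight characters the legacy verifier also accepts `last_char_changed`, which is the truncation showing through on its own, independent of the case-folding assumption.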
It's much worse than that (Score:5, Interesting)
Re:The UNIX crypt tool is not at fault (Score:3, Interesting)
But if the problem with the system is that mixed-case and extra characters are allowed in the case of older passwords, what about users with 8-character passwords who log in right after your proposed change with caps lock accidentally down? Or accidentally hit another character-generating key while fumbling for the enter key?
They'll be logged in. But not next time, because their password is not what they think it is. And even if they'd been entering it wrong for years, if they'd written down somewhere the correct one, they'd find that that also does not work. Much bewilderment and negative feelings about Amazon would ensue.