Forgot your password?
typodupeerror
Security Encryption Unix

Amazon Flaw Lets Password Variants Through 159

Posted by timothy
from the liberal-in-what-you-accept-but-not-here dept.
Wired reports that it has confirmed a password flaw affecting some Amazon accounts. If your password hasn't been changed in a while ("the past several years"), it may be less secure than you'd like. As Wired explains, for these older accounts, "[...] if your password is “Password,” Amazon.com will also let you log in with 'PASSWORD,' 'password,' 'passwordpassword,' and 'password1234.'" The article suggests that Amazon's use of the Unix crypt() tool may be at fault. (Hat tip to E. Maureen Foley for pointing this out.)
This discussion has been archived. No new comments can be posted.

Amazon Flaw Lets Password Variants Through

Comments Filter:
  • by geekoid (135745) <dadinportlandNO@SPAMyahoo.com> on Friday January 28, 2011 @08:23PM (#35039688) Homepage Journal

    It's the cheap ass developers fault.

    • by mysidia (191772)

      It's the cheap ass developers fault.

      And it continues to be their fault. They can fix this easily.

      Whenever a user logs in... check if their password is stored using crypt(). If it IS, then take the password they just used to login, and compute a stronger blowfish/salted md5 hash. Replace the crypted password with the strong hash.

      No reason they couldn't have done that when they first introduced stronger password hashing.

      • Re: (Score:3, Interesting)

        by Bill Dog (726542)

        If it IS, then take the password they just used to login,

        But if the problem with the system is that mixed-case and extra characters are allowed in the case of older passwords, what about users with 8-character passwords who log in right after your proposed change with caps lock accidently down? Or accidently hit another character-generating key while fumbling for the enter key?

        They'll be logged in. But not next time, because their password is not what they think it is. And even if they'd been entering it w

        • Re: (Score:3, Informative)

          by mysidia (191772)

          what about users with 8-character passwords who log in right after your proposed change with caps lock accidently down

          Unix crypt() is NOT case-insensitive. If the Amazon passwords are case-insensitive due to crypt, then it is due to them converting the field to all lowercase or all uppercase before passing the input to crypt(). They could continue to do so; although, case-insensitive was inadvisable in the first place, they would have painted them into a corner -- however, they can still prompt the us

          • The stored password hash is of a lower case input string. The original password could have any permutation of upper/lower letters but all of these would map to the same hash. The password system must request the password again, because the number of input strings that will hash properly is > 1. Whose fault it is has nothing to do with his point. You can't just take the password that resulted in successful login and rehash it, because the mapping is not injective.
    • by thePig (964303)

      No - this is a basic testcase for any login scenario - the person who is at fault is the tester

      • by Z00L00K (682162)

        And the person that did write the specification of how it should be done.

        Assuming that there are specifications.

  • Uhm... (Score:5, Funny)

    by Anonymous Coward on Friday January 28, 2011 @08:24PM (#35039696)

    Is it supposed to show all of my passwords in the article? Or do you just see stars?

    • by geekoid (135745)

      we just see star. The same thing with credit card numbers and SSN. go on, give it a try.

      Oh, important tip: it will only put stars there if the number is preceded with the security number on the back.

      • Re: (Score:2, Informative)

        by bhcompy (1877290)
        /oblig

        [Cthon98] hey, if you type in your pw, it will show as stars
        [Cthon98] ********* see!
        [AzureDiamond] hunter2
        [AzureDiamond] doesnt look like stars to me
        [Cthon98] [AzureDiamond] *******
        [Cthon98] thats what I see
        [AzureDiamond] oh, really?
        [Cthon98] Absolutely
        [AzureDiamond] you can go hunter2 my hunter2-ing hunter2
        [AzureDiamond] haha, does that look funny to you?
        [Cthon98] lol, yes. See, when YOU type hunter2, it shows to us as *******
        [AzureDiamond] thats neat, I didnt know IRC did that
        [Cthon98
    • Re:Uhm... (Score:4, Funny)

      by SpooForBrains (771537) on Friday January 28, 2011 @09:03PM (#35039964)

      I see Hunter2

    • by Quirkz (1206400)
      Those aren't stars. Read up on your Vonnegut. Particularly 'Breakfast of Champions.'
  • by artor3 (1344997) on Friday January 28, 2011 @08:25PM (#35039704)

    Just went to Amazon, typed in my passwords using all caps, and sure enough it logged me right in. I "changed" my password to the same thing it already was, and now the issue is fixed.

    • by bbqsrc (1441981) on Friday January 28, 2011 @08:32PM (#35039760) Homepage
      Now they should consider implementing a 'set new password on next login' rule to rectify this before someone gets screwed over and is enraged.
      • by KiloByte (825081) on Friday January 28, 2011 @09:03PM (#35039960)

        Or at the very least, update to a semi-modern hash on the next login, when the unhashed version will be known. Since they, like most web pages, don't use a challenge-response scheme but transmit the password as-is (at least over SSL, unlike Facebook's default), this is a trivial thing to do.

        Forcing a password change would bring some security, but they're too afraid to spook mrs May type users for that.

      • Or should we all buy a bunch of stuff and swear somebody else did it?
      • by mlts (1038732) *

        This. There are still a lot of UNIX boxes out which are still using crypt(3), so they are using 8 characters max. There are only two fixes that can be done on this:

        1: Force a password change to 8+ characters.
        2: Ask a challenge question, such as an address stored on the account, or credit card used.

    • by tool462 (677306)

      Ditto. But on the plus side, it did give me a reason to change my password to something much stronger than it used to be.

      • by Blig (1167531)

        Ditto. But on the plus side, it did give me a reason to change my password to something much stronger than it used to be.

        Agreed. Did so here too.

    • by roc97007 (608802)

      Be damned. Same here. Exactly.

    • This is the solution Amazon will give you if you contact them about it. (The reasons this situation arose are, of course, historical. It's the sort of thing that can happen if you want to improve the way you store passwords, but don't want to prevent existing customers from logging in.)

      This issue only affects people who have not changed their account password for something like five years.

      • by LO0G (606364)

        When Microsoft did essentially the same thing [wikipedia.org] it was touted (and is still being touted) as being an example of why Microsoft doesn't get security.... Somehow it was inexcusable to make this mistake in 1987 (when the LM hash was invented) but it's "ok" to do it in 2011?

        Just sayin'

        • I didn't say it's ok to do ;) Besides, they fixed it. If you reset your password, the issue goes away. I don't really see what more you want.

          • by LO0G (606364)

            I'm not commenting on Amazon's actions - they need to do more (proactively warning customers with really old passwords would be a good start) but it's good that the fix is easy.

            I was making a comment about the double standard implicit in the thread - there are a lot of "it's ok that Amazon screwed up here because it's easy to make such a mistake" attitude. On the other hand, 20+ years ago MSFT made essentially the same mistake (and fixed it 15+ years ago) and it's still being used as an example of why "Mic

        • by Bert64 (520050)

          MS still don't get it, google for "pass the hash"... It doesn't matter how strong your password or encryption is if you can authenticate using the hash.

          • by LO0G (606364)

            Pass the hash - you mean the attack technique that Microsoft fixed in Windows 2000 with the addition of Kerberos? You're right that Microsoft didn't stop using the weak NTLM hashes until Windows Vista, but it's not like Microsoft hasn't offered a solution for over 10 years.

            If you want to pick on Microsoft for stupid security decisions, instead of pass the hash, why not pick on credential reflection [technet.com] attacks. They're a much better example of Microsoft being clueless (or more accurately, people who depende

            • by Bert64 (520050)

              They still use NTLM, that is their strongest hash type... Lanman is the even weaker one that was disabled by default in vista.

              Kerberos is only used in an active directory setup, and only seems to be used when a user logs in on a workstation to initially authenticate to the domain, it still seems to use ntlm for virtually everything else and i've never seen it configured differently.

              • by LO0G (606364)

                Pass the hash is only relevant in single sign-on environments (because the hash is password equivilant). For Microsoft that means domain joined, and if you're domain joined you use Kerberos (unless you have legacy NT4 machines on your network, in which case you have bigger issues than pass-the-hash attacks).

                In non domain environments, each machine has its own account database. Since the pass-the-hash attacks all appear to require that you have full access to the account database, all you're doing is gettin

                • by Bert64 (520050)

                  Then how do you configure systems which are part of a domain to only support kerberos? I've _NEVER_ seen a setup where hash passing didn't work..

                  Also in 99% of cases, if you take the local hash from one workstation it works on all the others (built from the same image) anyway, tho this is admittedly due to poor configuration.

                  There really is no excuse for a hash to be usable as a password equivalent under any circumstances, this completely defeats the point of storing it hashed in the first place.

    • by Skater (41976)
      Here's what makes me wonder. I've been following this thread on thedailywtf.com [thedailywtf.com] about password stupidities, and someone in that list mentioned this very issue on 1/8. Now I see it on reddit and Slashdot...
    • by JamesP (688957)

      Yeah, I'm not sure how I can try that if my password is 12345678 I mean, I can't make it go caps...

    • by alexo (9335)

      Just went to Amazon, typed in my passwords using all caps, and sure enough it logged me right in. I "changed" my password to the same thing it already was, and now the issue is fixed.

      While trying to do the same, I noticed that amazon.ca did not have this problem.

  • My password was generated using the built-in OS X password tool, so I don't have my Amazon password memorized. I looked it up in the Keychain, then changed all the lower-case letters to upper-case - Amazon let me log in.

    Guess I'd better change my password!

  • by Anonymous Coward

    Luckily I am not affected. My password is 'p31men$!' and so even if there are capital variants, the use of numbers and symbols makes it very hard to crack. I am completely safe.

  • they obviously didn't care enough to: 1. Send out an email to all affected people AND/OR 2. Disable those people's passwords after a certain period of time, forcing them to use the forgot password link. I dunno... I personally value securitty over forcing a bunch of people to reset their passwords. SO WHAT if a few people complain? It's better that than people losing money over this. *sigh*
    • by geekoid (135745)

      I have an account and I don't care. Seriously the threat here is only in the most technical case. IN practicality it's not really a big deal.

      I don't think they should care about case anyways.

    • by TheLink (130905)
      It's not a big deal.

      The practice of stupid security questions is far worse, and seems to be about as common if not more.

      Those reduce the security for "normal" users more than passwords being case insensitive and truncated to 8 characters.
  • by Junta (36770) on Friday January 28, 2011 @08:34PM (#35039774)

    My password of hunter2 was not compromised.

  • by Man On Pink Corner (1089867) on Friday January 28, 2011 @08:36PM (#35039784)

    Sure, it would make a dictionary attack easier, but it's not as if you can launch a dictionary attack against amazon.com without being shut down after the first n wrong guesses.

    It strikes me as a clever way to save the inevitable calls/emails to tech support ("Uh, I haven't logged in for like, 3 years, and now I can't remember my password.")

    What's the threat, exactly?

    • by Timmmm (636430)

      I discovered this years ago. I assumed it was deliberate to make logging in on phones easier...

      And I agree, I can't really see a situation where this matters.

    • by Facegarden (967477) on Friday January 28, 2011 @09:36PM (#35040152)

      Any time a system will accept multiple entries for one password, the number of guesses an intruder has to make goes down.

      This is generally considered bad.

      You should never allow bad logins just to make it easier for people to log in when they can't recall their password, that's the wrong way to do it. You should provide an easy way for them to reset their password, not reduce your security across the board (which means password reset mechanisms must be carefully designed as well).

      But this is bad for the same reason that simple passwords is bad. If you increase an attacker's chances of getting in by 0.01%, but you have 10,000,000 users, you've now put 1000 more people at risk.

      Simply put, you want passwords to be as secure as you can, limited by your users ability to remember their password. And don't cater to the users who haven't logged in in 3 years, cater to the users who log in every day - keep things secure for them.

      Just imagine how many people might use their last name as a password, or their last name plus their birthday. Then if you know a user John Smith was born in 1967, you can guess "smith67", and if he uses: smith, Smith, SMITH, smith67, Smith67, or SMITH67, your single guess of smith67 will work for ALL SIX cases. Increasing an attacker's chances SIX fold is terrible.

      And for what its worth, I'm blown away that this isn't perfectly clear to every single Slashdot reader.
      -Taylor

      • by MichaelSmith (789609) on Friday January 28, 2011 @10:12PM (#35040342) Homepage Journal

        Just this morning my wife said she had gone to the bank to open an account for our son and they told her this bank has accounts for five people with the same name. We thought his name was less common than that. I asked her why she thought that was a big deal and she said "you know, when you use your name as your password" and I said what?.

        • What do you mean, is it common for people to know your name?

          - Rumplestiltskin

        • by rvw (755107)

          Just this morning my wife said she had gone to the bank to open an account for our son and they told her this bank has accounts for five people with the same name. We thought his name was less common than that. I asked her why she thought that was a big deal and she said "you know, when you use your name as your password" and I said what?.

          Well at least your wife is not known under five names.

      • But this is bad for the same reason that simple passwords is bad. If you increase an attacker's chances of getting in by 0.01%, but you have 10,000,000 users, you've now put 1000 more people at risk.

        Statistics does not work that way. As long as we're making up numbers, I'll guess that 0.0001% of those 1000 users will ever have a "guess the password" attack launched against their account.

        This is an easy trap to fall into, admittedly. It usually comes up in pharmaceutical trials, where if you actually r

      • by blibbo (928752)

        I get your point, but you're exaggerating.

        Let's say the attacker could access 100% of accounts, If he can now access 100.01% of accounts, you've put 1000 more accounts at risk. Except those accounts don't exist. That's pretty preposterous, so try the math with 50% of accounts. Pretty sure it comes to less than 1000 people.

        Also Smith will not be the same as Smith67. Smithers would have been a better example. As per the article it's only after 8 characters that the passwords truncate

  • by metalmaster (1005171) on Friday January 28, 2011 @08:41PM (#35039812)
    I think its safe to say my password is safe
    • by sltd (1182933)
      Not anymore!
    • by Spykk (823586)
      Don't you know that md5 isn't safe? You should use sha256 instead: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
      • aww.....i guess you didnt see ****?
      • by Blig (1167531)

        Don't you know that md5 isn't safe? You should use sha256 instead:

        Bah, amateurs! ROT13 is the most secure! (This is a joke of course. I'm stating this because I just know someone is going to take this post seriously, lol.)

      • by fnj (64210)

        Sha256 is sissy. They have sha512 now.

  • by Anonymous Coward

    same with wellsfargo.com and its been like that for ages.

    • by iammani (1392285)

      Wow, I cannot believe that a bank would allow such lax passwords. I have a password with almost equal number of small caps and capital caps characters (typing it involves a lot of 'shift' key press and release). I guess I must have been a moron for creating a complicated password and remembering it!

  • by RichiH (749257) on Friday January 28, 2011 @08:42PM (#35039826) Homepage

    Am I too old for knowing immediately what the root cause for this was?

    Shouldn't this even be considered basic knowledge for any advanced UNIX user?

    That was refreshing. Now get off my lawn.

    • by geekoid (135745)

      It should be considered basic knowledge for any UNIX programmer.

      It's pretty inexcusable.

    • by roc97007 (608802)

      > Am I too old for knowing immediately what the root cause for this was?

      Yes.

      (Me too.)

    • Shouldn't this even be considered basic knowledge for any advanced UNIX user?

      Let's assume for the moment that I'm not - what is the flaw involved?

    • No, I'm pretty sure it was going through everyone's head. Something like, "What, are they using crypt()?!" followed by, "wait.. they actually are using crypt()? wtf?"

  • by SpammersAreScum (697628) on Friday January 28, 2011 @08:55PM (#35039914)
    Wired seems to have missed the biggest problem, which was pointed out on reddit: the 8-character limit works both ways! If you set your password to be, say, "Password_8463!", as far as Amazon is concerned you just set it to the rather less secure "Password".
    • by roc97007 (608802)

      I think that was covered by the admission that Unix "crypt" was used. Unless it's just us old fogeys that remember that Unix passwords had an 8 character limit.

      Man, I feel old. I'm going to go home and yell at the kids playing in my yard.

    • by pavon (30274)

      Thanks for pointing that out. Based on the summary I would have ignored this issue as my password is strong enough even without case sensitivity.

    • by mhaymo (1848710)
      I'm confused, I just tried logging in to Amazon using only the first 8 characters of my password. Didn't work. What am I missing?
  • by Leebert (1694) *

    My amazon.com password is a dictionary word I set in, like, 1997?

    Maybe it's time to change it.

  • by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Saturday January 29, 2011 @12:09AM (#35040824) Homepage

    I hear the site also accepts minor misspellings, anagrams, close synonyms and Cockney rhyming slang.

  • A password hash is a one-way function, which means that it is impossible to re-encode passwords stored using one hash using another hash. This means that the old password hash function must still be supported until all passwords are changed.

    • As someone else points out, though, it is trivial to create a new hash for a password on the next successful login. To the extent that this should be an issue at all, it should only be affecting people who haven't logged in in the past several years, not all those who haven't changed their password.

    • Amazon receives a new copy of my password every time I log in. It's over SSL but unhashed.

  • I dont care if you can append sth to a password. Mathematically accepting some additional input to a password is not bad - you can also type additional text.

    The only loss in entropy is that you dont have to guess where the user cut of something from known words. The worst case scenario would be if you make a dictionary attack, and the password is in the dictionary in a longer form you dont have to send the right length. assuming that the chosen pw must be longer than 8 characters and probably is shorter th

  • The old unix crypt function (using DES encryption) has always been case sensitive, although it is limited to 8 characters... If the password is case insensitive that sounds more like LANMAN, an old password hashing function used by older versions of windows (still enabled by default in 2003 and earlier).

  • When you go to the password reset page on Amazon.co.uk, it doesn't appear to be a secure page. Maybe the "Save Changes" button submits via an https link, but I don't have time to go digging through the source code - that kinda defeats the whole point of the lock icon, etc, surely?

    In any case, the captcha image has been "loading" for about 5 minutes now - guess everyone's trying to change their passwords?
  • I emailed them and got a useless cust.care reply that they will look into it. But nothing's been done, so "Abc1234" is the same as "abc1234" or "ABC1234." I use a 9-character password, not sure if these idiots use a system which only reads 6 chars!?
  • I just recalled that Charles Schwab (a US stockbroker company) has an 8-character password limit.

    Guess what? They're also affected by the same issue.

    Crap.

The generation of random numbers is too important to be left to chance.

Working...