Older Amazon passwords have an interesting flaw

Here's a fun mid-afternoon trick to try. Go to Amazon.co.uk -- or presumably .com too -- and enter your username and password. But before you press "login", add some extra characters to the end of the password.

For some accounts, no matter what you put after your password, the Amazon accounts system will still allow you in.

The flaw was spotted by one eagle-eyed user on Reddit, known as 'ridethewave'. He has been trying to get an answer from the online megastore, but as yet has been unable to get anyone over there especially hot under the collar about the problem.

Other posters theorise that the problem exists because the Amazon authentication servers only 'hash' the first eight characters of a password. So, in effect, if your password was 123456789 then Amazon stored this as 12345678. The missing last digit never matters, because the login system simply ignores everything after the eighth character.
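To make the theory concrete, here is an added example (not code from the article or from Amazon) that models a hashing scheme which only ever sees the first eight characters beside a full-length one, and includes a small audit check a defender can run against any password-hashing function to detect that kind of truncation. The salt, the probe string and the SHA-256/PBKDF2 constructions are assumptions made for illustration, not a description of Amazon's real system.

```python
import hashlib
import hmac
from typing import Callable, Optional

TRUNCATE_AT = 8  # the eight-character limit the article describes

HashFn = Callable[[str, bytes], bytes]


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Constructed model of a truncating scheme: only the first eight bytes
    of the password reach the hash, so anything after them is ignored."""
    prefix = password.encode("utf-8")[:TRUNCATE_AT]
    return hashlib.sha256(salt + prefix).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Full-length scheme: every byte of the password influences the digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def verify(hash_fn: HashFn, stored: bytes, salt: bytes, candidate: str) -> bool:
    """Constant-time comparison of the candidate's hash with the stored one."""
    return hmac.compare_digest(hash_fn(candidate, salt), stored)


def hash_truncates(hash_fn: HashFn, probe: str = "correct-horse-battery") -> Optional[int]:
    """Audit check: return the position after which hash_fn ignores its input,
    or None if the whole password matters. Two inputs that agree only on their
    first n characters must hash differently under a sound scheme."""
    salt = bytes(16)  # fixed salt so only the password varies between calls
    reference = hash_fn(probe, salt)
    for n in range(1, len(probe)):
        # keep the first n characters, replace the tail with different characters
        variant = probe[:n] + "X" * (len(probe) - n)
        if hash_fn(variant, salt) == reference:
            return n
    return None


if __name__ == "__main__":
    salt = b"\x01" * 16          # constructed salt for the demo
    stored = legacy_hash("123456789", salt)
    print("legacy, trailing junk accepted:", verify(legacy_hash, stored, salt, "123456789junk"))
    print("legacy, first 8 chars accepted:", verify(legacy_hash, stored, salt, "12345678"))
    print("legacy truncates at:", hash_truncates(legacy_hash))
    print("modern truncates at:", hash_truncates(modern_hash))
```

Running `hash_truncates` against a real authentication backend's hashing routine is the quickest way to confirm whether long passwords are actually being used in full.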

And that's a problem, because it means long passwords are significantly less secure than the users perhaps thought. It's certainly true to say this flaw points to a lack of sophistication in one of Amazon's systems.

Newer accounts, or people who have recently changed their password, do not seem to be affected, however. If you're worried about this, you can simply change your password and the problem goes away, presumably because the newer password system fixes the flaw.

Let us know how you get on! 

Comments (6)

Anonymous 27 January, 2011 15:53

I added some heavy keyboard bashes after inputting my password, yet it still logged me in no problem. Thanks Amazon!

Anonymous 27 January, 2011 15:57

I guess it only works if your original password was 8 digits or more. As mine is less than 8, adding digits got it to fail. I've had my password since 2004.

Ian Morris 27 January, 2011 16:15

Anon #2, yeah that makes sense because the password hash would take into account if your password was less than 8 characters.

Anonymous 27 January, 2011 16:20

I typed in the first 8 letters/digits of my password and it worked - my password is longer than 8 digits/letters.

Also tried putting random garbage after the 8th character and it still worked ... great work

Grier78 27 January, 2011 16:39

Tried it myself as my password was exactly 8 chars long and added another 20 or so and it let me in no probs.

martbean2 28 January, 2011 14:14

Yep, worked for me and my 8 character password from 2000.

Copyright © 2013 CBS Interactive Limited. All rights reserved.