
Older Amazon passwords have an interesting flaw

Users of the link-sharing site Reddit have stumbled across an interesting bug with Amazon's website that enables you to write nonsense after your password and still log in.

Ian Morris

Here's a fun mid-afternoon trick to try. Go to Amazon.co.uk -- or presumably .com too -- put in your username and password. But before you press "login", add some extra characters to the end of the password.

For some accounts, no matter what you put after your password, the Amazon accounts system will still allow you in.

The flaw was spotted by one eagle-eyed user on Reddit, known as 'ridethewave'. He has been trying to get an answer from the online megastore, but as yet has been unable to get anyone over there especially hot under the collar about the problem.

Other posters theorise that the problem exists because the Amazon authentication servers only 'hash' the first eight characters of a password, a limitation familiar from the old Unix crypt(3) password scheme, which silently discards everything after the eighth character. So, in effect, if your password was 123456789 then Amazon stored only a hash of 12345678. The missing last digit never matters, because the login system throws it away before checking anything.

And that's a problem, because it means long passwords are significantly less secure than their owners perhaps thought: an attacker only ever has to guess the first eight characters, and everything typed after them adds no protection at all. It's certainly true to say this flaw points to a lack of sophistication in one of Amazon's systems.
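To make the theory above concrete, here is an added example (not Amazon's code, and not from the Reddit thread) that models a verifier which hashes only the first eight characters, beside one that hashes the whole password. The digest functions, the eight-character limit and the test passwords are assumptions chosen for the illustration; the probe at the end is the Reddit experiment generalised into a check you can run against any verify function to find the point at which it stops caring about your password.

```python
import hashlib
import hmac
import os

# Assumed model of the behaviour the article describes: the legacy verifier
# truncates the password to eight characters before hashing. SHA-256 stands in
# for whatever digest the real system used; the point is the truncation.
LEGACY_PREFIX = 8

# Kept modest so the demo runs in a second or two; a production deployment
# would use a far higher count or a memory-hard KDF such as Argon2.
PBKDF2_ITERATIONS = 100_000


def legacy_store(password: str) -> bytes:
    """Legacy scheme: hash only the first LEGACY_PREFIX characters."""
    return hashlib.sha256(password[:LEGACY_PREFIX].encode()).digest()


def legacy_verify(password: str, stored: bytes) -> bool:
    # Any suffix is discarded by legacy_store, so "12345678garbage" matches.
    return hmac.compare_digest(legacy_store(password), stored)


def modern_store(password: str):
    """Hardened scheme: random salt, slow KDF, whole password hashed."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def modern_verify(password: str, record) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def suffix_ignored(store, verify, password: str, junk: str = "garbage") -> bool:
    """The Reddit test: does appending junk still authenticate?"""
    return verify(password + junk, store(password))


def find_truncation_limit(store, verify, password: str):
    """Shortest prefix of the password the verifier still accepts.

    Returns the prefix length if any proper prefix authenticates, else None.
    For a truncating scheme this recovers the cut-off (8 here); a correct
    scheme accepts nothing shorter than the full password.
    """
    record = store(password)
    for k in range(1, len(password)):
        if verify(password[:k], record):
            return k
    return None


def demo(password: str = "123456789") -> dict:
    """Compare both schemes on one password; returns the observations."""
    return {
        "legacy_accepts_junk": suffix_ignored(legacy_store, legacy_verify, password),
        "legacy_accepts_eight_chars": legacy_verify(password[:8], legacy_store(password)),
        "modern_accepts_junk": suffix_ignored(modern_store, modern_verify, password),
        "modern_accepts_full": modern_verify(password, modern_store(password)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print("legacy cut-off:", find_truncation_limit(legacy_store, legacy_verify, "correcthorsebatterystaple"))
    print("modern cut-off:", find_truncation_limit(modern_store, modern_verify, "correcthorsebatterystaple"))
```

Run against the legacy model, the probe reports that the nine-character password is accepted with junk appended and also with its last digit missing, and that the cut-off sits at eight characters; against the full-length scheme neither shortcut works. The same probe can be pointed at a real login form (with your own account) by swapping the store/verify pair for a function that submits the candidate password and reports success.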

Newer accounts, or people who have recently changed their password, do not seem to be affected, however. If you're worried about this, you can simply change your password and the problem goes away, presumably because newer passwords are stored by a system that hashes the whole string rather than just the first eight characters.

Let us know how you get on!