PSA: Change your old Amazon.com password
0EPII1
All American
42541 Posts

http://www.engadget.com/2011/01/30/psa-change-your-old-amazon-com-password-for-better-security

Quote :
"Amazon's allegedly got a security flaw where hackers can find your password much easier than they would otherwise, and there's already a fix in place. But get this -- you'll probably need to change your password for the fix to take effect, if you haven't already done so in the last couple of years. According to Reddit users, the Amazon.com login system will actually accept any phrase so long as it begins with your password, such as "password123" when the magic word is simply "password" by itself. That apparently makes it that much easier for a computer to guess your password via brute force methods, no matter how counter-intuitive that seems, so if you simply change it immediately -- and to something other than "password," please -- you'll have much sounder dreams."


bolded part:

1/31/2011 5:43:37 PM

Slave Famous
Become Wrath
34079 Posts

Sounds like they might have a real mess on their hands. Good thing my password is NEW ENGLAND CLAM CHOWDER.

1/31/2011 5:48:12 PM

Joie
begonias is my boo
22491 Posts

white or red?

1/31/2011 5:55:15 PM

mrfrog

15145 Posts

that sounds like an insanely bad security glitch

1/31/2011 5:58:27 PM

lewisje
All American
9196 Posts

imma change it

then change it back

1/31/2011 7:58:38 PM

quagmire02
All American
44225 Posts

if your password was anything but awful to begin with, this still isn't a big deal...even though it's an incredibly stupid security flaw

1/31/2011 8:14:16 PM

mrfrog

15145 Posts

if you only have to start spelling it right, why do you need to type "password" as opposed to just "pass" or even "p"?

It actually kind of doesn't make sense.

1/31/2011 8:30:18 PM

jbtilley
All American
12797 Posts

^If the bolded portion of the quote above is correct you have to start by typing your full password for it to work - then it can be followed by anything.

So "p" would only work if your full password were "p"; "pass" would work if your full password were "p", "pa", "pas", or "pass"; "password" would work if your full password were "p", "pa", "pas", "pass", "passw", "passwo", "passwor", or "password".

Edit:

This doesn't seem to affect everyone. Theory in comments in link:
Quote :
"I'm wondering that too, but it's probably like this: Old system had a small max password length, say 8 chars, so they only hashed up to 8. Anyone with 8 char or longer passwords would then be affected by the bug, but those with 7 char passwords or less would be immune. "


[Edited on January 31, 2011 at 8:56 PM. Reason : -]

1/31/2011 8:46:43 PM

Jeepin4x4
#Pack9
35774 Posts

yeah my amazon password is retardedly simple and i'm not affected. oh well

2/1/2011 8:34:41 AM

EuroTitToss
All American
4790 Posts

Quote :
"According to Reddit users, the Amazon.com login system will actually accept any phrase so long as it begins with your password, such as "password123" when the magic word is simply "password" by itself. That apparently makes it that much easier for a computer to guess your password via brute force methods, no matter how counter-intuitive that seems"


Uh.... I don't see how this makes brute force attacks any easier. In the example given, I'd still have to check all permutations of 8 characters. Being able to throw crap on the end doesn't make it any easier.

...if it is as some are speculating (just taking the first 8 characters), then that's the actual flaw. I've seen several comments saying people are testing the flaw and can't get it to work.

[Edited on February 1, 2011 at 9:26 AM. Reason : asfasdfasd]

2/1/2011 9:21:38 AM
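
The truncation theory quoted in jbtilley's post and picked up by EuroTitToss, as an added example that is not part of the thread and is not Amazon's code. It assumes a legacy verifier that hashes only the first 8 characters (the thread's guess, not a confirmed detail) and shows why a record created that way can only be fixed by a password change; the function names and PBKDF2 parameters are hypothetical.

```python
import hashlib
import hmac
import os

LEGACY_MAX = 8  # assumption: the 8-character limit guessed at in the thread


def _kdf(material: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever hash the real system used (unknown).
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, 100_000)


def enroll(password: str, scheme: str) -> dict:
    """Create a stored record; 'legacy' keeps only the first LEGACY_MAX chars."""
    salt = os.urandom(16)
    material = password[:LEGACY_MAX] if scheme == "legacy" else password
    return {"scheme": scheme, "salt": salt, "hash": _kdf(material, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Check an attempt the same way the record was enrolled."""
    material = attempt[:LEGACY_MAX] if record["scheme"] == "legacy" else attempt
    return hmac.compare_digest(record["hash"], _kdf(material, record["salt"]))


def change_password(new_password: str) -> dict:
    # The old record never saw anything past character 8, so it cannot be
    # upgraded in place; only a fresh enrollment covers the whole password.
    return enroll(new_password, "full")


def accepts_trailing_junk(record: dict, password: str) -> bool:
    """Self-test for a verifier: does password + extra characters still log in?"""
    return verify(record, password + "123")


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("passwor", "password", "correcthorse"):
        old = enroll(pw, "legacy")
        new = change_password(pw)
        print(f"{pw!r:16} legacy accepts junk: {accepts_trailing_junk(old, pw)}  "
              f"after change: {accepts_trailing_junk(new, pw)}")
```

The 7-character case is rejected even by the legacy record because the first appended character lands inside the 8-character window, which matches the thread's observation that short passwords are not affected.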

BobbyDigital
Thots and Prayers
41777 Posts

so my password is 10 characters long. and I tried appending another couple of characters to the password and it did not let me in.

2/1/2011 9:21:40 AM

synapse
play so hard
60939 Posts

Quote :
"According to Reddit users"

2/1/2011 9:30:48 AM


© 2024 by The Wolf Web - All Rights Reserved.