kindle passwords only 8 characters

[geekmaster]

UPDATE: This only applies to original default passwords, which use 8-character DES encryption. Any passwords changed with the "passwd" command use MD5 encryption that hashes all the password characters.

For kindle default login passwords (SSH, scp or serial port logins), the passwords are truncated to 8 characters.

That means that when I said in the past that passwords are mario or fionaXXX (3 lowercase hex digits), I was correct.

Of course, you can type as many extra random characters as you need to make you happy.

On some kindles, the root password is mario. On all of the kindles I have tested, there is also a framework user, with password mario.

So if you need to login and your root password is not working, you can login as user framework and get the root password with this command:

echo fiona$(grep Serial /proc/cpuinfo|cut -b12-27|md5sum|cut -b8-10)

Code:

$ ssh framework@192.168.15.244
framework@192.168.15.244's password: mario
#################################################
#  N O T I C E  *  N O T I C E  *  N O T I C E  # 
#################################################
Rootfs is mounted read-only. Invoke mntroot rw to
switch back to a writable rootfs.
#################################################
[framework@kindle framework]$ echo fiona$(grep Serial /proc/cpuinfo|cut -b12-27|md5sum|cut -b8-10)
fiona62b
[framework@kindle framework]$ exit
$ ssh root@192.168.15.244
root@192.168.15.244's password: fiona62b
#################################################
#  N O T I C E  *  N O T I C E  *  N O T I C E  # 
#################################################
Rootfs is mounted read-only. Invoke mntroot rw to
switch back to a writable rootfs.
#################################################
[root@kindle root]# exit
$ ssh root@192.168.15.244
root@192.168.15.244's password: fiona62bhello
#################################################
#  N O T I C E  *  N O T I C E  *  N O T I C E  # 
#################################################
Rootfs is mounted read-only. Invoke mntroot rw to
switch back to a writable rootfs.
#################################################
[root@kindle root]#

[mc2739]

Quote:

Originally Posted by geekmaster

For kindle login passwords (SSH, scp or serial port logins), the passwords are truncated to 8 characters.

I'm not sure about other Kindles, but this statement is not entirely true for the Kindle Touch.

I have changed the password on my Touch to a length of greater than eight characters and logging in using ssh and scp require all characters to be entered.

I cannot verify serial port logins since I have not opened my Touch and do not have a serial cable.

[thatworkshop]

Quote:

Originally Posted by mc2739

I'm not sure about other Kindles, but this statement is not entirely true for the Kindle Touch.

I have changed the password on my Touch to a length of greater than eight characters and logging in using ssh and scp require all characters to be entered.

I cannot verify serial port logins since I have not opened my Touch and do not have a serial cable.

Read his post again. No matter how long you type the password, the first 8 characters are considered as password (I verify this).

[geekmaster]

Previously, I tested this using the SSH command on multiple kindles. My Touch has /usr/local copied from the diags partition. I know that the passwords on all my kindles (multple K3s, DX, DXG, multiple K4NT, and Touch) are all either mario or fionaXXX (3 hex digits), because I cracked them all using John the Ripper.

On the K4NT and Touch, when I SSH in I can type extra characters after the 8 character password. On K3 and earlier using the SSH hack, I cannot type extra characters.

This time I tried using the "login" command to test passwords in an SSH session on the Touch. I found that "login" from a command prompt does not accept extra characters, but SSH does.

I also tried changing my touch root password to "123456789". Now the login command requires the full 9 characters. SSH also required all 9 characters. Then I changed it to "12345678". The login command only worked with 8 characters, and SSH only works with 8 characters.

I also tried changing the password back to my original fionaXXX password, and it only worked as 8 characters. The shadow file does not match my original backup copy even with the same password. It is probably using a salt.

I then changed my root password to the 9 character computed fionaXXXX password, and only 9 characters works.

So, there is something special about default passwords, that allows extra characters to be appended to them. User created passwords are sensitive to length.

I copied my original shadow file back, and now I can type optional extra characters after fionaXXX.

Perhaps the different behavior has something to do with salted or unsalted password hashes, or it uses a different hash encryption type. Whatever the ORIGINAL uses only cares about the first 8 characters.

[geekmaster]

Quote:

Originally Posted by mc2739

I'm not sure about other Kindles, but this statement is not entirely true for the Kindle Touch.

I have changed the password on my Touch to a length of greater than eight characters and logging in using ssh and scp require all characters to be entered.

I cannot verify serial port logins since I have not opened my Touch and do not have a serial cable.

I added an update to the original post. The behavior that I described only applies to original default passwords. Any passwords changed with the "passwd" command are length-sensitive. Perhaps they use a different password encryption type that hashes more than the first 8 characters.

[geekmaster]

I see that the kindle "passwd" command creates passwords that start with "$1$". According to Wikipedia, that indicates "modular" encryption using MD5 encryption with a salt:
http://en.wikipedia.org/wiki/Crypt_(Unix)

The original default root password does not start with "$", so it uses the traditional DES which truncates the password to 8 characters.

So, it turns out that both of my guesses were correct, as to why user-created passwords behave different from default root passwords.

[mc2739]

@cscat

Since I have changed my password using the passwd command, that is not true on my Touch. I can only login successfully with the exact password. I cannot login with only the first eight characters, nor with added characters.

@geekmaster

Thanks for clarifying the first post. It is now clear that you meant default passwords.

[knc1]

Suggestion withdrawn,

[geekmaster]

Quote:

Originally Posted by knc1

Almost.
I would suggest: "uses an encryption method" rather than "use MD5".



A better source than Wikipedia is the man(ual) command on the system of interest.
In this case: man 3 crypt

There you find that the list of "standard" ids may be locally supplimented by locally provided authentication methods.

I realize that embedded systems often do not have the documents installed (to save space) so sometimes you have to refer to a system (using the same version of libraries) that does have the documentation installed.

I suggest that just generalizing the BIG RED NOTE is probably the best advice to give here.

What are you talking about? I am talking about Kindle passwords. A better source than some man page that may not be current or correct is the GPL source code from amazon. In the Kindle 4.0.1 source code, the passwd.c module of busybox uses a flag called "algo", where if FALSE it uses DES, and if TRUE it uses MD5 with salt of "$1$", which agrees with wikipedia.

I grow weary of people trying to correct my information with their own inaccurate or incorrect information, without doing adequate research first. This happens on IRC too.

[knc1]

Punishment accepted

[varnie]

thanks for sharing the information, geekmaster!
it helped me to root into KT (just jailbroke it!).

[geekmaster]

Quote:

Originally Posted by varnie

thanks for sharing the information, geekmaster!
it helped me to root into KT (just jailbroke it!).

Sharing is a pillar of civilization. We could not "stand on the shoulder's of giants" if people took their biggest and best secrets to the grave.