Old 01-31-2011, 08:46 AM   #1
jocampo
Amazon security flaw?

Changing password is being advised...

http://m.engadget.com/default/articl...sic&postPage=1

Old 01-31-2011, 09:19 AM   #2
Histerius
Those who choose "password" for password deserved to wake up with deleted/stolen/destroyed account.
Old 01-31-2011, 11:12 AM   #3
jocampo
Quote:
Originally Posted by Histerius View Post
Those who choose "password" for password deserved to wake up with deleted/stolen/destroyed account.
Agree! But almost sure, we do have folks here that fall under that category ;-)
Old 01-31-2011, 11:29 AM   #4
Tiersten
It's not specifically "password" as a password that is the problem. It means it will only look at the first 8 characters of your password. This only occurs if you've not changed your password recently. If you've got a decent password then you're still fairly safe anyway but go change it anyway just to be sure.

The technical reason for this is that Amazon changed the way they hash passwords at some point in the past. The original system only cared about the first 8 characters only. The new system looks at the whole password. It's hashed because they don't want people's passwords sitting around in their database in the clear. They can't convert from the old system to the new system as they don't store your original password.
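Added example, not part of the original post and not Amazon's code: a minimal model of the behaviour described in post #4, where a legacy record hashes only the first 8 characters and can only be moved to the full-length scheme when the user supplies the plaintext again through a password change. PBKDF2 is a stand-in for both schemes (the thread does not name the real algorithms), and every function name and sample password here is hypothetical.

```python
import hashlib
import hmac
import os

LEGACY_MAX = 8  # the old scheme only considered the first 8 characters


def _kdf(secret: bytes, salt: bytes) -> bytes:
    # Stand-in KDF for both schemes (assumption; the thread does not name the real ones).
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def make_record(password: str, scheme: str) -> dict:
    """Create a stored credential; 'legacy' truncates before hashing, 'full' does not."""
    data = password.encode("utf-8")
    if scheme == "legacy":
        data = data[:LEGACY_MAX]
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "hash": _kdf(data, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt the way the record's own scheme would."""
    data = attempt.encode("utf-8")
    if record["scheme"] == "legacy":
        data = data[:LEGACY_MAX]
    return hmac.compare_digest(_kdf(data, record["salt"]), record["hash"])


def change_password(record: dict, old: str, new: str) -> dict:
    """Only a password change (plaintext in hand) can move an account to the full scheme."""
    if not verify(record, old):
        raise ValueError("current password rejected")
    return make_record(new, "full")


def demo() -> dict:
    # Constructed sample passwords.
    old = make_record("correcthorsebattery", "legacy")
    results = {
        "legacy_exact": verify(old, "correcthorsebattery"),
        "legacy_same_prefix": verify(old, "correcthZZZ"),
        "legacy_other_prefix": verify(old, "incorrecthorse"),
    }
    new = change_password(old, "correcthorsebattery", "correcthorsebattery2")
    results["full_exact"] = verify(new, "correcthorsebattery2")
    results["full_same_prefix"] = verify(new, "correcthorsebattery")
    return results
```

The stored legacy hash never contained anything past character 8, so there is nothing to convert offline; the record only becomes a full-length one when the password is changed.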
Old 01-31-2011, 12:32 PM   #5
snipenekkid
This is not that serious of an issue really. From my take on the article is that using a stronger long password was of no real benefit in the past as Amazon only used the first eight characters. These were still encrypted and one was and still is on an encrypted secure page when logging into the account.

And while an eight character password can be cracked more quickly, it's not as if Amazon doesn't have detection protocols in place to monitor repeated attempts to sleuth out a password. It will still take anyone trying to crack a password a fairly long time unless someone uses a very weak password anyway, and even then it's not like they will get it in the first try or even the first 10,000 attempts or even the first 100,000 attempts. Leaving Amazon's own security protocols to detect the attempts and freeze the access.

So I am willing to bet that the vast majority of people who have not changed their password in the past couple years are likely just as safe as those who have, when looking at it from a practical point of view.

In fact the odds are far more likely your password would be obtained via some sort of spyware infection of your PC using a keyboard logger than having your account on Amazon directly hacked. And in such a case changing to a stronger password is of zero value to increase the protection of your account.

I mean just to add a bit of perspective here. Too much is made of these sort of things or at least the focus is not on the truly weak link which is the end user themselves. And no amount of increased security can cover for a user who simply does not keep things on their end secure as they can.
Old 01-31-2011, 07:45 PM   #6
Histerius
I agree with all you said. First, editors allow anything to go out in newspaper or website these days (now I'm talking against my own profession) and they are trying to make a sensation out of anything, and second, you wouldn't believe how many system administrators in big companies choose "password" or their name for password.
Old 02-01-2011, 04:30 PM   #7
ManosHandsOfFate
Quote:
Originally Posted by Histerius View Post
Those who choose "password" for password deserved to wake up with deleted/stolen/destroyed account.
No we don't!
All times are GMT -4.