Serious Security Flaw in Amazon.com Passwords
By Chinmoy Kanjilal on January 31st, 2011

Amazon.com has faced a serious security flaw that allows users to log in with passwords that are close but not exact.
This is caused by the use of the crypt() function, which has several well-known weaknesses.

crypt() is the password encryption function. It is based on the Data
Encryption Standard algorithm with variations intended (among other things) to
discourage use of hardware implementations of a key search.

key is a user’s typed password.

salt is a two-character string chosen from the set [a-zA-Z0-9./]. This string
is used to perturb the algorithm in one of 4096 different ways.

The function takes two arguments, key and salt. Its basic operation is badly flawed: it first converts all the characters to upper case and then considers only the first 8 characters.

The uppercase conversion removes 26 letters from the supported character set, and using only the first eight characters is a further blow. In short, the number of possible password combinations with crypt is just 36^8, whereas it should have been 62^8.

Effectively, whenever you use a password longer than 8 characters, only the first 8 characters are read and the rest do not matter. Neither does the case, since the password is converted to uppercase before storage.
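To make the two defects concrete, here is an added example (written for this article, not Amazon's code or the crypt() source) that probes a password-verification scheme with near-miss passwords and reports whether it case-folds or truncates. The legacy scheme is a constructed stand-in that reproduces the behaviour described above (uppercase, then keep the first 8 characters) over SHA-256; the names legacy_hash, modern_hash, audit_scheme and keyspace_bits are all assumptions for this example. The modern scheme uses PBKDF2-HMAC-SHA256 over the full, case-preserved password, and keyspace_bits turns the 36^8 versus 62^8 comparison into bits of entropy.

```python
import hashlib
import hmac
import math
import os

# Constructed stand-in for a legacy scheme with the two defects the article
# describes: case folding and truncation to the first 8 characters.
# This is NOT Amazon's code; it only reproduces the described behaviour so
# the probe below has something to detect.
LEGACY_MAX_LEN = 8


def legacy_hash(password: str, salt: str) -> str:
    normalized = password.upper()[:LEGACY_MAX_LEN]   # the flaw: fold case, then truncate
    return hashlib.sha256((salt + normalized).encode("utf-8")).hexdigest()


def legacy_verify(password: str, salt: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(password, salt), stored)


# Modern scheme: a salted, iterated KDF over the full, case-preserved password.
def modern_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def modern_verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(modern_hash(password, salt), stored)


def audit_scheme(make_verifier) -> dict:
    """Probe a verification scheme with near-miss passwords.

    make_verifier(password) enrolls `password` and returns verify(candidate) -> bool.
    The result flags which of the article's two defects were observed.
    """
    base = "Correct1Horse"  # 13 characters, mixed case
    verify = make_verifier(base)
    return {
        "exact_accepted": verify(base),
        # A scheme that folds case accepts the all-lowercase or all-uppercase form.
        "case_insensitive": verify(base.lower()) or verify(base.upper()),
        # A scheme that truncates accepts the 8-char prefix, with or without junk after it.
        "truncated_to_8": verify(base[:8]) or verify(base[:8] + "zzzz"),
        # Sanity check: changing a character inside the first 8 must still be rejected.
        "prefix_change_rejected": not verify("X" + base[1:]),
    }


def legacy_factory(password: str):
    salt = "ab"                       # two-character salt, as in classic crypt()
    stored = legacy_hash(password, salt)
    return lambda candidate: legacy_verify(candidate, salt, stored)


def modern_factory(password: str):
    salt = os.urandom(16)             # per-user random salt
    stored = modern_hash(password, salt)
    return lambda candidate: modern_verify(candidate, salt, stored)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly chosen password of `length` symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("legacy:", audit_scheme(legacy_factory))
    print("modern:", audit_scheme(modern_factory))
    print("36^8 ->", round(keyspace_bits(36, 8), 1), "bits")
    print("62^8 ->", round(keyspace_bits(62, 8), 1), "bits")
```

Running the probe against a live login form is not needed to use this: point make_verifier at your own password-storage code in a test environment, and any scheme for which "case_insensitive" or "truncated_to_8" comes back True needs replacing with a modern, salted, iterated KDF.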

We should all wake up and stop using methods like these. MD5, another popular method for hashing passwords, also does not stand up to current processing power and is easily broken. The crypt function uses DES, which is itself defunct. Security needs to upgrade. We are living in an era where hardware growth has surpassed Moore’s Law. Security upgrades are needed imminently, and we need to wake up now.

(Image source: Punkinsite)

Author: Chinmoy Kanjilal
Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. He rants occasionally at Techarraz.com. You can connect with him on Twitter @ckandroid.

Chinmoy Kanjilal has written and can be contacted at chinmoy@techie-buzz.com.
