Amazon.com has faced a serious security flaw that allows users to log in with passwords that are close but not exact.
This is caused by the use of the crypt() function that has many flaws.
crypt() is the password encryption function. It is based on the Data Encryption Standard algorithm with variations intended (among other things) to discourage use of hardware implementations of a key search.
key is a user's typed password.
salt is a two-character string chosen from the set [a-zA-Z0-9./]. This string is used to perturb the algorithm in one of 4096 different ways.
The function takes two arguments, key and salt. Its basic operation is hugely flawed: it first converts all the characters to upper case and then considers only the first 8 characters.
The uppercase conversion eliminates a whole 26 letters from the supported character set, and the use of only the first eight characters is a further blow. In short, the number of possible combinations for a password with crypt is just 36 to the power of 8, whereas it should have been 62 to the power of 8.
Effectively, whenever you enter a password longer than 8 characters, it is read only up to the first 8 characters and the rest does not matter. Neither does the case, as it is converted to uppercase before storage.
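The check below is an added example, not code from the original article or from Amazon: a regression test you can point at your own password-hashing routine to confirm it rejects near-miss passwords. The function names are hypothetical, `legacy_hash` only models the uppercase-and-truncate behaviour described above (SHA-256 stands in for the DES-based transform), and the sample password is constructed.

```python
import hashlib
import hmac
import os


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Model of the behaviour described above: uppercase, then keep 8 characters.
    # SHA-256 is only a stand-in for the DES-based transform (assumption).
    normalized = password.upper()[:8]
    return hashlib.sha256(salt + normalized.encode()).digest()


def pbkdf2_hash(password: str, salt: bytes) -> bytes:
    # Full-length, case-sensitive input to a slow key-derivation function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def near_misses(password: str) -> dict:
    # Inputs that are close to the password but must never be accepted.
    variants = {
        "case_swapped": password.swapcase(),
        "tail_dropped": password[:8],
        "tail_appended": password + "zzz",
    }
    return {name: v for name, v in variants.items() if v != password}


def audit(hash_fn, password: str) -> list:
    # Enroll the password, then report which near misses the scheme accepts.
    salt = os.urandom(16)
    stored = hash_fn(password, salt)
    return sorted(
        name
        for name, candidate in near_misses(password).items()
        if hmac.compare_digest(hash_fn(candidate, salt), stored)
    )


if __name__ == "__main__":
    sample = "Tr0ub4dor&3xyz"  # constructed sample password
    print("legacy accepts:", audit(legacy_hash, sample))
    print("pbkdf2 accepts:", audit(pbkdf2_hash, sample))
```

An empty list from `audit` means every near miss was rejected; any name in the list identifies the kind of information the scheme discards before hashing.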
We should all wake up and seriously stop using methods like these. Another popular method used to hash passwords, MD5, also does not match current processing power and has an easily breakable hash. The crypt function uses DES, which is itself defunct. Security needs to upgrade. We are living in an era where hardware growth has surpassed Moore's Law. Security upgrades are needed urgently, and we need to wake up now.