Amazon not checking passwords properly or password bug?
I just tried to log in to my Amazon account and didn’t notice Chrome had already pre-filled in my password so I ended up typing my password on the end of the pre-filled password and in my rush hit Enter…it logged me in!? WTF?
I logged out of my Amazon account and tried logging in with a completely incorrect password and it was rejected. I then tried with my correct password but added some arbtry numbers to the end (123456) and it still logged me in! Seriously? If your password is only X characters long, Amazon only check the first X characters that you have entered in the password field?
If your Amazon password is helloworld (mine’s not that btw) and you tried to log in using helloworld123456 it accepts it as your password, it’s not even respecting case sensitivity and is accepting HELLOWORLD. Likewise if you enter any of the following in the password field it will accept it and log you in:
Is this normal password verification behaviour? That’s the sort of password verification that I’d lose marks for implementing in my university coursework, not the kind of verification I’d expect from the World’s largest online retailer.
On Amazon’s help page there is a “Protect Your Password” section that states:
- Passwords are case sensitive. For instance, “PASSWORD” and “Password” are two different passwords.When choosing a password, remember the capitalisation you use.
- Passwords must be a minimum of six characters
UPDATE: I’ve just tried it on 3 different machines using Chrome and Internet Explorer and they were 3 workstations I’d never used before and it let me in. I then asked two other amazon users to try and it rejects anything but their exact passwords and is case sensitive for them.
Why would my account be different?
I just called Amazon help line and call centre lady suggested I try changing password to see if that helps. I told her I wanted to know why this was happening and get an answer from their web dev team before I change anything on the account. No point trying to change password, if that does resolve it then there’s nothing for their dev team to investigate.
UPDATE 2: It looks like this is a known issue and Amazon are yet to roll out a fix after it was first reported a year ago. It’s from an old password policy that flattened passwords so they were no longer case sensitive and also only the first 8 characters were checked.
THE FIX: Simply using the change password facility from your account section in Amazon and changing the password to the same thing it currently is will fix this issue. Why Amazon haven’t rolled out a background fix for this in the year they’ve known about it is beyond me.