I just tried to log in to my Amazon account and didn’t notice Chrome had already pre-filled my password, so I ended up typing my password on the end of the pre-filled one and in my rush hit Enter… it logged me in!? WTF?

I logged out of my Amazon account and tried logging in with a completely incorrect password and it was rejected. I then tried with my correct password but added some arbitrary numbers to the end (123456) and it still logged me in! Seriously? If your password is only X characters long, does Amazon only check the first X characters that you have entered in the password field?

For Example:

If your Amazon password is helloworld (mine’s not that, btw) and you try to log in using helloworld123456, it accepts it as your password. It’s not even respecting case sensitivity and is accepting HELLOWORLD. Likewise, if you enter any of the following in the password field it will accept it and log you in:

  • helloworldhelloworld
  • helloworldblahblahblah
  • helloworld_this_is_not_very_secure_surely
  • HeLlOwORldABC123

Is this normal password verification behaviour? That’s the sort of password verification that I’d lose marks for implementing in my university coursework, not the kind of verification I’d expect from the world’s largest online retailer.

On Amazon’s help page there is a “Protect Your Password” section that states:

  • Passwords are case sensitive. For instance, “PASSWORD” and “Password” are two different passwords. When choosing a password, remember the capitalisation you use.
  • Passwords must be a minimum of six characters

UPDATE: I’ve just tried it on 3 different machines using Chrome and Internet Explorer (3 workstations I’d never used before) and it let me in. I then asked two other Amazon users to try, and it rejects anything but their exact passwords and is case sensitive for them.

Why would my account be different?

I just called the Amazon help line and the call centre lady suggested I try changing my password to see if that helps. I told her I wanted to know why this was happening and get an answer from their web dev team before I change anything on the account. There’s no point trying to change the password: if that does resolve it, there’s nothing left for their dev team to investigate.

UPDATE 2: It looks like this is a known issue and Amazon are yet to roll out a fix after it was first reported a year ago. It stems from an old password policy that flattened passwords so they were no longer case sensitive and only checked the first 8 characters.

THE FIX: Simply use the change-password facility in the account section on Amazon and change the password to the same thing it currently is; this fixes the issue. Why Amazon haven’t rolled out a background fix for this in the year they’ve known about it is beyond me.
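To make the behaviour in UPDATE 2 and the fix concrete, here is an added example (my own model, not Amazon’s code) of a legacy verifier that lowercases the password and hashes only its first 8 characters, next to a modern one, plus the re-hash-on-login migration a background fix would need. The hash constructions and the 8-character prefix are assumptions taken from the post’s description.

```python
import hashlib
import hmac
import os

# Constructed model of the legacy scheme described in the post: the password is
# case-flattened and only its first 8 characters are hashed. Not Amazon's code.
LEGACY_PREFIX = 8
PBKDF2_ROUNDS = 200_000


def legacy_digest(password: str, salt: bytes) -> bytes:
    # Lossy normalisation: "helloworld123456", "HELLOWORLD" and
    # "helloworld" all collapse to "hellowor" before hashing.
    normalised = password.lower()[:LEGACY_PREFIX].encode("utf-8")
    return hashlib.sha256(salt + normalised).digest()


def modern_digest(password: str, salt: bytes) -> bytes:
    # Full password, case preserved, slow key derivation.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password: str, scheme: str) -> dict:
    """Create a stored credential record under the given scheme ("legacy" or "modern")."""
    salt = os.urandom(16)
    digest = legacy_digest if scheme == "legacy" else modern_digest
    return {"scheme": scheme, "salt": salt, "hash": digest(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Check a password against whichever scheme the record was stored with."""
    digest = legacy_digest if record["scheme"] == "legacy" else modern_digest
    candidate = digest(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def verify_and_upgrade(password: str, record: dict) -> bool:
    """Verify, and on success migrate a legacy record to the modern scheme in place.

    The plaintext is only available at login, so that is the moment a stored
    legacy hash can be replaced. Caveat: the legacy check accepts any variant
    that shares the first 8 characters (case-insensitively), and the variant
    actually typed is what gets re-hashed, so it becomes the exact password
    from then on. A real rollout should tell the user this has happened.
    """
    if not verify(password, record):
        return False
    if record["scheme"] == "legacy":
        record.update(make_record(password, "modern"))
    return True
```

The post’s manual fix (changing the password to itself) does the same migration by hand; the function above shows how a site could do it for every account at its next successful login.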

  2. I googled trying to find out if I was crazy or not. I noticed this a while ago. My password for Amazon had a number… but it’s the same password I use elsewhere with more numbers added. So one day instead of password1 I typed in password123 by accident. Oops, I thought! But it logged me in anyway. I can type in password1, password123, password with NO numbers etc. and bam. Logged in…
    I also today just did the double password thing. Boggles my brain. At first I thought it was just something with my phone app, but I saw today it happened on my browser as well. Crazy they don’t try to fix this.

