NEWS FROM THE LAB - Tuesday, March 29, 2011

Amazon's Password Policy Sucks
Posted by Sean @ 19:10 GMT

Dear Jeff Bezos,

As a longtime Amazon customer, I just tried the new Amazon Cloud Player powered by Amazon Cloud Drive with great expectations.

And I have to say — pretty neat.

[Screenshot: Amazon Cloud Drive]

"All customers start with 5 GB of free Cloud Drive storage to get started. For a limited time, get a free upgrade to 20 GB of Cloud Drive storage with an MP3 album purchase."

Wow. 5 gigabytes with a free upgrade to 20 GB? That's awesome.

I only have one huge problem with it…

Amazon's password policy is seriously lacking.

This is the message generated when somebody attempts to set their password to "password" or "123456".

[Screenshot: Amazon Password]

Wait. What?!? Success… for password and 123456?

Well geez, at least Amazon's password policy doesn't accept "1234".

[Screenshot: Amazon Problem]

Look, Amazon has decent defenses in place to prevent somebody from hacking an account and then shipping products to a new address. For that, the attacker needs the entire credit card number and other details.

But now you've moved the product into the cloud! Shipping isn't required.

Gigabytes of online storage connected to a credit card will be a really tempting target for hackers. And because Amazon accounts are based on e-mail addresses… hackers won't even have to phish Amazon directly. They can just phish e-mail accounts and then try the same password at amazon.com.

— Another thing —

I just tried accessing my account using the wrong password more than ten times!

Just when do the brute-force defenses kick in?

I used the correct password on my 12th attempt (or so) and was then given direct access.
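The two gaps the letter describes, a length-only password rule and a login that never throttles, side by side with a hardened version of each, as an added Python example. This is not Amazon's code and not part of the original post. The minimum length of 6 in `weak_policy` is an assumption that merely reproduces the three observations on the page ("password" and "123456" accepted, "1234" rejected); the common-password list, the lockout numbers (5 failures, 15 minutes) and the account name are constructed for illustration.

```python
import time
from typing import Callable, Dict, List

# Constructed blocklist of frequently chosen passwords (assumption: a real
# deployment would load a much larger list built from breach corpora).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123", "letmein"}


def weak_policy(password: str) -> bool:
    """Length-only rule. A 6-character minimum reproduces what the post saw
    ("password" and "123456" accepted, "1234" rejected); the real threshold
    behind those three observations is an assumption."""
    return len(password) >= 6


def hardened_policy(password: str) -> bool:
    """Length plus a blocklist check, so dictionary words and keyboard walks
    are rejected even when they are long enough."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


class FakeClock:
    """Injectable clock so the lockout window can be tested without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LoginThrottle:
    """Per-account failed-attempt counter with a lockout window.

    attempt() returns "ok", "failed" or "locked". While an account is locked
    the password is not evaluated at all, so a guess made during the window
    tells the attacker nothing, even if it happens to be correct."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def attempt(self, account: str, password_ok: bool) -> str:
        now = self.clock()
        if now < self._locked_until.get(account, 0.0):
            return "locked"
        if password_ok:
            # Success clears the counter and any expired lock.
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures.pop(account, None)
            return "locked"
        return "failed"


def replay_post_experiment(throttle: LoginThrottle, wrong_guesses: int = 11,
                           account: str = "alice@example.com") -> List[str]:
    """Eleven wrong guesses followed by the correct password, as in the post.
    With a throttle in place the 12th (correct) attempt must still be refused."""
    results = [throttle.attempt(account, False) for _ in range(wrong_guesses)]
    results.append(throttle.attempt(account, True))
    return results


if __name__ == "__main__":
    for pw in ("password", "123456", "1234", "correct horse battery staple"):
        print(f"{pw!r}: weak={weak_policy(pw)} hardened={hardened_policy(pw)}")
    clock = FakeClock()
    print(replay_post_experiment(LoginThrottle(clock=clock)))
```

The throttle keys on the account, not the client address, so spreading guesses across many IPs does not help; a production version would also persist the counters outside the web tier and add a slow hash on the server side, neither of which this sketch shows.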

Listen, I really appreciate my new cloud drive.

I just don't think I'll be using it for much until you enact some better safeguards to protect it.

Sean Sullivan