© 2025 科技回声. All rights reserved.

Amazon.com Security Flaw Accepts Passwords That Are Close, But Not Exact

68 points, by gaiusparx, over 14 years ago

10 comments

nbpoole, over 14 years ago
The comment thread on Reddit, which the article references, is definitely worth reading. There's some good discussion about the difficulties involved in upgrading people's hashes to use a more secure system (e.g.: http://www.reddit.com/r/WTF/comments/f96w7/amazon_security_flaw_wtf/c1e9750)
tel, over 14 years ago
Is there a good way to update passwords to a new encryption scheme? The article tries to ding Amazon for failing to do this, but I can't think of a way to reinforce the passwords without announcing that there's a flaw in the implementation. Is there a standard way around this?
Comment #2153997 not loaded
Comment #2154096 not loaded
Comment #2154016 not loaded
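One standard answer to tel's question is to upgrade hashes lazily at login time, when the plaintext is briefly available. The sketch below is an added example, not code from the thread, the article or Amazon: the legacy scheme is a hypothetical stand-in modelled on the behaviour the thread reports (case-insensitive, 8-character cutoff; unsalted MD5 is an assumption), and every successful login against a legacy record re-hashes the exact password under salted PBKDF2, so the "close but not exact" variants stop being accepted for that account from then on, with no announcement and no forced reset.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Hypothetical legacy scheme (assumption): lowercase, cut at 8 characters,
# unsalted MD5. This reproduces the lossy behaviour the thread describes.
def legacy_hash(password: str) -> str:
    normalized = password.lower()[:8]
    return hashlib.md5(normalized.encode()).hexdigest()

PBKDF2_ITERATIONS = 600_000  # OWASP-level work factor for PBKDF2-HMAC-SHA256

def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 over the exact password; encoded as algo$iters$salt$dk."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_modern(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate; if the record still uses the legacy scheme, upgrade it in place.

    `users` is a constructed in-memory stand-in for the credential store.
    """
    record = users.get(username)
    if record is None:
        return False
    if record.startswith("pbkdf2_sha256$"):
        return verify_modern(password, record)
    # Legacy record: the only check we can do is the old lossy one ...
    if not hmac.compare_digest(legacy_hash(password), record):
        return False
    # ... but the plaintext is in hand now, so re-hash it properly. From this
    # point on the case and length variants are no longer accepted.
    users[username] = modern_hash(password)
    return True
```

The upgrade stores whatever string passed the legacy check, so a user who habitually types a variant will have that variant become their password; that is a known trade-off of lazy migration.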
johnswamps, over 14 years ago
If done deliberately, could this be a useful feature so that users can typo a password (say levenshtein distance <= 1 or 2) and still login? Obviously the major downside is that you would need a longer password to get the same level of security and it could be difficult to implement especially since the password should be hashed. Is this feasible? I'm guessing the answer is no, but was wondering what other people thought.
Comment #2154470 not loaded
joshfraser, over 14 years ago
My guess is the average Amazon user isn't going over 8 characters and isn't using multi-case passwords to begin with. While stronger passwords would be ideal, most non-savvy people are still going with "password", "letmein" and "123456" which aren't secure under any hashing schema.
rabidsnail, over 14 years ago
Want to bet they didn't fix this until now because they knew it would lower purchase conversion rate?
pieter, over 14 years ago
Passwords on the Dutch banking site ing.nl are also case insensitive, though there hasn't been any public reaction to that.
ronnier, over 14 years ago
I reported the same flaw for http://utd.edu. They didn't seem to care.
goombastic, over 14 years ago
This sounds like a feature to me. :)
CamperBob, over 14 years ago
What exactly does this hurt? It cuts down on customer-support traffic, makes life easier for the user, and (as far as I can imagine at least) doesn't make anyone any more vulnerable. Under a fuzzy comparison scheme, weak passwords are still weak, and strong passwords will still be strong.
Comment #2154180 not loaded
Comment #2154187 not loaded
earl, over 14 years ago
I couldn't replicate the article's results for the 8 character cutoff, but I did verify my password is case insensitive. For the record, I registered in 1996 or so, and probably haven't changed my password since.
Comment #2154605 not loaded
Comment #2154029 not loaded