Amazon Login May Accept Password Variants

Martin Brinkmann
Jan 31, 2011
Updated • Jan 4, 2018
Amazon, Companies, Security

The online shopping portal Amazon may accept password variants during login, according to the German technology news site Heise Online. According to the information published there, Amazon may accept passwords that are not the exact password of the user account. The login script may ignore upper and lower case, as well as any characters after the eighth position. Amazon would for instance accept the original password "Password123" but also "password" or "password123".
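To make the described behaviour concrete, the following Python is an added illustration that is not Amazon's code and not taken from the Heise report. It models a legacy verifier that folds case and drops everything past the eighth character, as the article describes, next to a hardened verifier that hashes the full password with salted PBKDF2-HMAC-SHA256 and compares in constant time. All function names and the iteration count are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional, Tuple

# Assumed from the article: characters beyond the eighth are ignored by the old check.
LEGACY_MAX_LEN = 8
# Assumed work factor for the hardened verifier (not from the article).
PBKDF2_ITERATIONS = 600_000


def legacy_normalize(password: str) -> str:
    """Model of the weak behaviour: ignore case and truncate to eight characters."""
    return password[:LEGACY_MAX_LEN].lower()


def legacy_verify(stored_password: str, candidate: str) -> bool:
    """Legacy check: both sides are normalized first, so many variants match."""
    return legacy_normalize(stored_password) == legacy_normalize(candidate)


def hardened_hash(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the full, unmodified password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def hardened_verify(record: Tuple[bytes, bytes], candidate: str,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Hardened check: recompute the hash and compare in constant time."""
    salt, expected = record
    _, actual = hardened_hash(candidate, salt, iterations)
    return hmac.compare_digest(expected, actual)


def accepted_variants(candidates: List[str], verify: Callable[[str], bool]) -> List[str]:
    """Return the candidates a given verifier accepts."""
    return [c for c in candidates if verify(c)]


def compare_verifiers(password: str = "Password123") -> Dict[str, List[str]]:
    """Run the article's example variants through both verifiers.

    Returns {"legacy": [...], "hardened": [...]} listing accepted candidates.
    """
    candidates = [
        password,                  # exact password
        password.lower(),          # case changed
        password[:8],              # truncated to eight characters
        password[:8].lower(),      # truncated and case changed
        password + "x",            # extra trailing character
    ]
    record = hardened_hash(password)
    return {
        "legacy": accepted_variants(candidates, lambda c: legacy_verify(password, c)),
        "hardened": accepted_variants(candidates, lambda c: hardened_verify(record, c)),
    }


if __name__ == "__main__":
    for name, accepted in compare_verifiers().items():
        print(f"{name}: accepts {accepted}")
```

With the article's example "Password123", the legacy verifier accepts all five candidates, including the bare "password"; the hardened verifier accepts only the exact string. The fix is not only a stronger hash: the essential point is that the password is never normalized or truncated before hashing.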

Not all Amazon accounts are affected by the security issue. According to Heise, only passwords that have not been changed for a long time are affected.

The only information available at this point in time is a test that Heise Online conducted. It revealed that a password that was changed last year was immune while older passwords were not. Some commenters in the forum were able to use password variants on accounts where passwords had not been changed since 2007.

Amazon users can test the vulnerability of their account by logging into Amazon. They could for instance change a lower case character to upper case, or append characters at the end of the password if it exceeds eight characters.

Affected accounts can be protected by changing the account password. Passwords are changed in the Change Name, E-mail Address, or Password setting under Your Account.

Update: It needs to be noted that the flaw still exists on all Amazon properties. Amazon customers who have been with the popular shopping portal for years need to change their passwords on the Amazon website to protect their account from the design flaw.

It appears as if Amazon has changed the password functions on their sites in past years to protect new customers and those who change their passwords from the issue.




  1. Stevie said on September 1, 2011 at 12:37 pm

    I noticed this issue before reading this article and contacted Amazon, who have more or less ignored me for the past two weeks. I have finally got so frustrated that I have closed my Amazon account. Considering that my credit card details were stored in my account, I would have thought that Amazon would have taken password validation much more seriously.

    Totally annoyed with the response to this issue by Amazon that I will never use them again for online shopping.

  2. MRK said on February 20, 2011 at 11:48 pm

    The progress of Idiocracy sometimes even surprises me.
    I am sure that this is not true – aha, yes, it’s a bug:
    However with no Google info on the past week, I am beginning to wonder…

  3. Dan said on January 31, 2011 at 12:35 pm

    Wow, this is just dumb. Unlike other websites (e.g. Gawker), Amazon is a commerce site and may contain sensitive financial or personal info of its users.

    If someone doesn’t use his account, delete it, not make it easier to hack into. If someone can’t access his account, then he should just make a new one. Unless he has an affiliate account or unused store credits, there is really no reason not to start afresh.
