Amazon's Kindle security isn't top

  • Thread starter fluidistic
fluidistic
Gold Member
3,626
97

Main Question or Discussion Point

If one wants to buy ebooks or consult his own ebooks on his Kindle, he must link his Kindle with his Amazon account.
This means entering the password. The average Joe should use a password manager, and since Amazon allows extra characters to be used in the password, the average Joe should also use them; this can only increase security.

However the Kindle's keyboard cannot produce those characters. This means that one cannot fully use a Kindle unless one uses a "low security" password (I expect people to fire me down for saying that!).

Why allow extra/special characters for passwords if it's impossible to produce them in a Kindle? Where's the logic in that? Are people being paid to set Amazon's security?
 

Answers and Replies

Borek
Mentor
28,136
2,644
I can switch the keyboard on my Kindle to enter special characters, what am I missing?
 
fluidistic
Gold Member
3,626
97
I can switch the keyboard on my Kindle to enter special characters, what am I missing?
Can you enter any of those: ×, ÷, ¹ ?
 
DavidSnider
Gold Member
477
125
You can make your password harder to crack just by making it longer; you don't need to use weird characters.

"B74C1EBA71B890AC00C5E7877F8962D84AFFE00B9EBFB1A446E8DFF87467F485" isn't going to be cracked.
 
Borek
Mentor
28,136
2,644
Can you enter any of those: ×, ÷, ¹ ?
No.

But to be honest, I have no idea how to enter them easily from my PC keyboard either, other than using character table or alt-num keypad combinations.
 
302
116
Passwords are a risk management exercise, and Kindles have a low attack footprint so even a simple text password (assuming it's not "Password" or "abc123" of course 😉 ) is sufficient to protect you. I'd be more concerned about loading non-Amazon apps or e-books compromising my Kindle than a password hack.
 
7,801
4,462
Are we talking about the same password that gives me access to my Amazon Prime Account, where I order lots of stuff?

We are urged to not re-use passwords because of security. But vendors like Amazon and Google force us to re-use passwords.

At the moment, I'm mad at Google. I use a password manager, so for many years I use a near max strength password for my important accounts. Those passwords are nearly impossible to type by hand. But now I own a Chromebook. I was alarmed that the access password to open the Chromebook is my Google password. I can't use the password manager before I get access to the device. So I was forced to change my Google password from max security to min security that I can type easily.

AFAIK, I have no choice to use different passwords for Chromebook access and for my Google account.
 
302
116
It just occurred that 'Kindle' is an ambiguous term. I initially took that to mean your physical, standalone e-reader device. That has an independent password to your amazon.com account (which has MFA option that should be used) so knowing one does not necessarily mean anyone knows the other to access e-books. It does store your amazon.com password though, as that's needed at set up to associate your Kindle with your amazon.com account. It's not generally accessible afterward, however, so it's not as if a malicious user can work their way through Admin screens to uncover your amazon.com password.

The Kindle app on my phone does not ask for the amazon.com password once it's set up - on the basis that it's my phone and only me or people I trust should be using it, I guess - and I cannot see that you can set up an additional pass code or authentication. Similarly, the Amazon Shopping app, which is the one that can order "lots of stuff", has no obvious extra layer of protection once you've linked it with your amazon.com account. This is on Android, I can't say how iOS behaves.

As for your "mad at Google" issue, MS at least offers simpler access to the Windows 10 PC than getting you to retype your Microsoft Account password (as does Apple with an iPad - I don't have a MacBook to compare to) so yes, it would be annoying that Google don't allow two layers to Chromebook access :frown:
 
fluidistic
Gold Member
3,626
97
Passwords are a risk management exercise, and Kindles have a low attack footprint so even a simple text password (assuming it's not "Password" or "abc123" of course 😉 ) is sufficient to protect you. I'd be more concerned about loading non-Amazon apps or e-books compromising my Kindle than a password hack.
You're missing the point that it is the Amazon's account password that needs to be of low entropy.

By the way, the remedy I have found was to modify my Amazon password to a "stupid simple" one, just for the few minutes to make the Kindle synchronization. Once this was done (and I got back my access to the ebooks I had bought!), I reset the Amazon password to an insanely complex, long and impossible to guess password for either a supercomputer or a human.
 
fluidistic
Gold Member
3,626
97
No.

But to be honest, I have no idea how to enter them easily from my PC keyboard either, other than using character table or alt-num keypad combinations.
As a rule of thumb, you should avoid typing any (but your password manager's passphrase) password manually. That's usually an indication of low password strength.
 
fluidistic
Gold Member
3,626
97
Are we talking about the same password that gives me access to my Amazon Prime Account, where I order lots of stuff?

We are urged to not re-use passwords because of security. But vendors like Amazon and Google force us to re-use passwords.

At the moment, I'm mad at Google. I use a password manager, so for many years I use a near max strength password for my important accounts. Those passwords are nearly impossible to type by hand. But now I own a Chromebook. I was alarmed that the access password to open the Chromebook is my Google password. I can't use the password manager before I get access to the device. So I was forced to change my Google password from max security to min security that I can type easily.

AFAIK, I have no choice to use different passwords for Chromebook access and for my Google account.
I really feel your pain! I didn't know about this... This hurts man. I would ask on their forum/Google group if there's any way to bypass this problem. Could you use, say a Yubikey or something like that?
 
7,801
4,462
As a rule of thumb, you should avoid typing any (but your password manager's passphrase) password manually. That's usually an indication of low password strength.
True, unless it is the PW you need to log into your device to log into your PW manager.

p.s. We have seen that biometrics are not a good solution to that problem either.
 
Vanadium 50
Staff Emeritus
Science Advisor
Education Advisor
23,478
5,924
A good master password: MetaTHeC
A better master password: ymaKhAIRDeRi

A good site-specific password: d7vTHY@Vu1&&7f3As%vgL1PTv9G!d4sC
 
fluidistic
Gold Member
3,626
97
To pick a master password, I suggest following the now extremely famous xkcd (most famous one?): https://xkcd.com/936/.
For people like Borek, mix languages.
I would also separate words with different characters, like - and sometimes _.
Like "pokonam_traceless_sand-two2haha".
 
Borek
Mentor
28,136
2,644
I avoid characters outside of standard ASCII in passwords; I have seen them being misinterpreted way too many times. And coming from a country where letters ąćęłńóśźż are used all the time I have a lot of experience to draw from :(
 
7,801
4,462
A good master password: MetaTHeC
A better master password: ymaKhAIRDeRi

A good site-specific password: d7vTHY@Vu1&&7f3As%vgL1PTv9G!d4sC
You're missing the point. I can't make a PW to log into my Chromebook that is different from my Google account PW. So in that case Google forces the master PW and the site-specific PW to be the same. Others in this thread say that Amazon and Apple do the same.
 
Vanadium 50
Staff Emeritus
Science Advisor
Education Advisor
23,478
5,924
You're right. I am missing the point, and that's a terrible, terrible plan on Google's part.
 
302
116
By the way, the remedy I have found was to modify my Amazon password to a "stupid simple" one, just for the few minutes to make the Kindle synchronization.
My Kindle allows me to enter 36 different symbol characters, plus all upper and lower case letters, plus 10 numerics, all of which I can also create on my PC keyboard, so this seems an unnecessary approach to resolving your concern about Kindle passwords not being strong enough. You asked previously whether Kindle can generate ×, ÷, and ¹ , which mine at least can't, but using them is not mandatory to strong password generation.

Your underlying issue seems to be: "I want to use symbols in my amazon.com account password that my Kindle keyboard does not let me type, therefore, I have to use a 'stupid simple' one for this operation."

Is that correct?
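
The arithmetic behind this post and the earlier "just make it longer" reply, as an added example that is not part of the thread. It assumes every character is chosen uniformly at random; the 98-character count comes from the post above, and because the thread does not list the Kindle's 36 symbols, the generator uses the 94 printable ASCII characters as a stand-in.

```python
import math
import secrets
import string

# Alphabet size reported in the post: 36 symbols + upper/lower case + 10 digits.
KINDLE_ALPHABET_SIZE = 36 + 26 * 2 + 10            # 98
# The same alphabet plus the three characters the Kindle cannot type.
EXTENDED_ALPHABET_SIZE = KINDLE_ALPHABET_SIZE + 3  # 101

# Stand-in alphabet (assumption): printable ASCII, 94 characters.
ASCII_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def min_length(alphabet_size: int, target_bits: float) -> int:
    """Shortest random password from this alphabet reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(alphabet: str, target_bits: float) -> str:
    """Random password limited to characters the device can actually type."""
    chars = sorted(set(alphabet))
    length = min_length(len(chars), target_bits)
    return "".join(secrets.choice(chars) for _ in range(length))


if __name__ == "__main__":
    for size in (KINDLE_ALPHABET_SIZE, EXTENDED_ALPHABET_SIZE):
        print(size, "chars ->", min_length(size, 128), "needed for 128 bits")
    # One more typeable character is worth more than the three extra symbols.
    print(entropy_bits(KINDLE_ALPHABET_SIZE, 21),
          entropy_bits(EXTENDED_ALPHABET_SIZE, 20))
    # A 64-digit hex string, if randomly generated, carries 256 bits.
    print(entropy_bits(16, 64))
    print(generate(ASCII_ALPHABET, 128))
```

Adding the three untypeable characters gains under one bit across a 20-character password, while one extra typeable character adds about 6.6 bits.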
 
fluidistic
Gold Member
3,626
97
My Kindle allows me to enter 36 different symbol characters, plus all upper and lower case letters, plus 10 numerics, all of which I can also create on my PC keyboard, so this seems an unnecessary approach to resolving your concern about Kindle passwords not being strong enough. You asked previously whether Kindle can generate ×, ÷, and ¹ , which mine at least can't, but using them is not mandatory to strong password generation.

Your underlying issue seems to be: "I want to use symbols in my amazon.com account password that my Kindle keyboard does not let me type, therefore, I have to use a 'stupid simple' one for this operation."

Is that correct?
Not exactly.
My underlying issue is that I want to use the full set of allowed characters that Amazon.com allows for passwords. But it is then impossible to link a Kindle to that Amazon account. The fact that I remedied this problem by picking an arbitrary stupid simple password for a few minutes is not the underlying issue.
 
Borek
Mentor
28,136
2,644
I understand what you are saying, but:

My underlying issue is that I want to use the full set of allowed characters that Amazon.com allows for passwords.
as I wrote earlier, using characters that are outside of the standard ASCII for passwords is jumping head first into trouble. You have just learned something that is obvious to almost everyone living outside of the anglosphere. We are cursing all English-speaking software developers for as long as I remember. Welcome to the club.
 
7,801
4,462
If I was writing the PW software, I would prevent problems with different keyboards on different devices by transforming all typed PW characters modulo 128. If that was so, even though you think you are typing exotic symbols, they actually map back into one of the original 7 bit ASCII characters.

But on second thought, doing that without informing the users in advance would be a bad practice, so maybe they don't do it.

Nevertheless, allowing PW characters that are not universal to nearly all keyboards is also asking for trouble. What would you do with ×, ÷, ¹ if you come to a device with an old touch-tone keypad or one with no keyboard, that said, "Please spell your password out loud into the microphone" ?
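
What the modulo-128 idea in this post would do to the characters discussed in the thread, as an added example that is not part of the thread. The function names and the printable-ASCII stand-in for a restricted keyboard are assumptions; NFC normalization is shown as the standard Unicode alternative, not as anything Amazon is known to do.

```python
import unicodedata

# Assumption: printable ASCII stands in for a restricted on-device keyboard.
TYPEABLE = {chr(c) for c in range(0x21, 0x7F)}


def fold_mod128(password: str) -> str:
    """The transform proposed above: every code point taken modulo 128."""
    return "".join(chr(ord(ch) % 128) for ch in password)


def untypeable(password: str, keyboard=TYPEABLE) -> list:
    """Characters, in order of first appearance, the keyboard cannot produce."""
    seen = []
    for ch in password:
        if ch not in keyboard and ch not in seen:
            seen.append(ch)
    return seen


def canonical(password: str) -> str:
    """NFC: composed and decomposed spellings of one letter become the same
    string, while distinct symbols stay distinct."""
    return unicodedata.normalize("NFC", password)


def same_secret(a: str, b: str) -> bool:
    """Compare after normalization (a real system normalizes, then hashes)."""
    return canonical(a) == canonical(b)


if __name__ == "__main__":
    # Constructed samples: the thread's symbols, their mod-128 images, and
    # the Polish letter U+0105 in composed and decomposed form.
    for pw in ("×÷¹", "Ww9", "\u0105", "a\u0328"):
        print(repr(pw), "->", repr(fold_mod128(pw)), untypeable(pw))
    print(same_secret("\u0105", "a\u0328"), same_secret("×÷¹", "Ww9"))
```

Folding makes "×÷¹" and "Ww9" the same password and turns ą into a control character, whereas NFC only merges the two encodings of the same letter.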
 
302
116
Idealism is wonderful...until you have to implement it! As even your modulo thought experiment highlights.

My Dell PC does not have a ÷ key, creating what looks like a superscript 1 is a pain unless there is an icon for it (like in Word), and your × is too easy to confuse with x, so you are actually asking vendors to make problems for users by supporting uncommon chars. That introduces support load, decreases the customer experience, and complicates the code.

Ultimately, you can create a strong password using a sufficient number of symbols for your amazon.com account on any of their devices and supported platforms and complaining that every possible character combination is not supported across the board seems churlish.
 
fluidistic
Gold Member
3,626
97
If I was writing the PW software, I would prevent problems with different keyboards on different devices by transforming all typed PW characters modulo 128. If that was so, even though you think you are typing exotic symbols, they actually map back into one of the original 7 bit ASCII characters.

But on second thought, doing that without informing the users in advance would be a bad practice, so maybe they don't do it.

Nevertheless, allowing PW characters that are not universal to nearly all keyboards is also asking for trouble. What would you do with ×, ÷, ¹ if you come to a device with an old touch-tone keypad or one with no keyboard, that said, "Please spell your password out loud into the microphone" ?
But the Amazon case is very different from the case you describe. That company sells only specific devices without any keyboard (Kindles and other devices without keyboard, though I don't know if they can be linked to the Amazon account) and requests you to type in your Amazon password to make a link to your Amazon account. They use a virtual keyboard that allows extra characters, but not the full set of characters they allow for their password and this is precisely my criticism. They are at fault there, regardless of the security reachable without those few extra characters.
As said above, you do not want to actually type in your password manually. It doesn't matter whether your keyboard can produce those characters. What matters is that your password manager can output them and that they are tolerated/allowed/encouraged by Amazon. If, for some reason, the password manager cannot be accessed on that specific device, then for heaven's sake, at least include all the allowed characters in that virtual keyboard. I mean, what does it cost to the Amazon Security developers? A 1 minute Stack Overflow search to fall over a copy/paste solution?
 
Borek
Mentor
28,136
2,644
I mean, what does it cost to the Amazon Security developers? A 1 minute Stack Overflow search to fall over a copy/paste solution?
You first have to be aware of the existence of the problem. Anglophones aren't.

Other than that you are perfectly right 😉
 
302
116
They use a virtual keyboard that allows extra characters, but not the full set of characters they allow for their password and this is precisely my criticism. They are at fault there, regardless of the security reachable without those few extra characters.
Yes they are, but it's a small crime in the scheme of things.

Most amazon.com account holders won't have a Kindle device so while it might be a "1 minute Stack Overflow search" (it won't be, but I understand your intent) the use-case applies to a limited number of customers in total, and an even smaller number who trip over this issue in actuality.

And you know, I'd vote for Amazon to put dev effort into weeding out fake reviews over aligning their password character set. I blogged about this earlier this year, because it's seriously annoying!
 
