Amazon's Kindle security isn't top

  • Thread starter fluidistic
  • Tags
    Security
In summary, if one wants to buy ebooks or consult his own ebooks on his Kindle, he must link his Kindle with his Amazon account. But the keyboard on the Kindle can't produce the extra/special characters used in passwords, so the average Joe should use a "low security" password.
  • #1
fluidistic
If one wants to buy ebooks or consult his own ebooks on his Kindle, he must link his Kindle with his Amazon account.
This means entering the password. The average Joe should use a password manager, and since Amazon allows extra characters to be used in the password, the average Joe should also use them; this can only increase security.

However the Kindle's keyboard cannot produce those characters. This means that one cannot fully use a Kindle unless one uses a "low security" password (I expect people to fire me down for saying that!).

Why allow extra/special characters for passwords if it's impossible to produce them in a Kindle? Where's the logic in that? Are people being paid to set Amazon's security?
 
  • #2
I can switch the keyboard on my Kindle to enter special characters, what am I missing?
 
  • #3
Borek said:
I can switch the keyboard on my Kindle to enter special characters, what am I missing?
Can you enter any of those: ×, ÷, ¹ ?
 
  • #4
You can make your password harder to crack just by making it longer; you don't need to use weird characters.

"B74C1EBA71B890AC00C5E7877F8962D84AFFE00B9EBFB1A446E8DFF87467F485" isn't going to be cracked.
 
  • #5
fluidistic said:
Can you enter any of those: ×, ÷, ¹ ?

No.

But to be honest, I have no idea how to enter them easily from my PC keyboard either, other than using character table or alt-num keypad combinations.
 
  • #6
Passwords are a risk management exercise, and Kindles have a low attack footprint so even a simple text password (assuming it's not "Password" or "abc123" of course 😉 ) is sufficient to protect you. I'd be more concerned about loading non-Amazon apps or e-books compromising my Kindle than a password hack.
 
  • #7
Are we talking about the same password that gives me access to my Amazon Prime Account, where I order lots of stuff?

We are urged to not re-use passwords because of security. But vendors like Amazon and Google force us to re-use passwords.

At the moment, I'm mad at Google. I use a password manager, so for many years I use a near max strength password for my important accounts. Those passwords are nearly impossible to type by hand. But now I own a Chromebook. I was alarmed that the access password to open the Chromebook is my Google password. I can't use the password manager before I get access to the device. So I was forced to change my Google password from max security to min security that I can type easily.

AFAIK, I have no choice to use different passwords for Chromebook access and for my Google account.
 
  • #8
It just occurred that 'Kindle' is an ambiguous term. I initially took that to mean your physical, standalone e-reader device. That has an independent password to your amazon.com account (which has MFA option that should be used) so knowing one does not necessarily mean anyone knows the other to access e-books. It does store your amazon.com password though, as that's needed at set up to associate your Kindle with your amazon.com account. It's not generally accessible afterward, however, so it's not as if a malicious user can work their way through Admin screens to uncover your amazon.com password.

The Kindle app on my phone does not ask for the amazon.com password once it's set up - on the basis that it's my phone and only me or people I trust should be using it, I guess - and I cannot see that you can set up an additional pass code or authentication. Similarly, the Amazon Shopping app, which is the one that can order "lots of stuff", has no obvious extra layer of protection once you've linked it with your amazon.com account. This is on Android, I can't say how iOS behaves.

As for your "mad at Google" issue, MS at least offers simpler access to the Windows 10 PC than getting you to retype your Microsoft Account password (as does Apple with an iPad - I don't have a MacBook to compare to) so yes, it would be annoying that Google don't allow two layers to Chromebook access ☹
 
  • #9
Tghu Verd said:
Passwords are a risk management exercise, and Kindles have a low attack footprint so even a simple text password (assuming it's not "Password" or "abc123" of course 😉 ) is sufficient to protect you. I'd be more concerned about loading non-Amazon apps or e-books compromising my Kindle than a password hack.
You're missing the point that it is the Amazon account's password that needs to be of low entropy.

By the way, the remedy I have found was to modify my Amazon password to a "stupid simple" one, just for the few minutes to make the Kindle synchronization. Once this was done (and I got back my access to the ebooks I had bought!), I reset the Amazon password to an insanely complex, long and impossible to guess password for either a supercomputer or a human.
 
  • #10
Borek said:
No.

But to be honest, I have no idea how to enter them easily from my PC keyboard either, other than using character table or alt-num keypad combinations.
As a rule of thumb, you should avoid typing any password manually (except your password manager's passphrase). That's usually an indication of low password strength.
 
  • #11
anorlunda said:
Are we talking about the same password that gives me access to my Amazon Prime Account, where I order lots of stuff?

We are urged to not re-use passwords because of security. But vendors like Amazon and Google force us to re-use passwords.

At the moment, I'm mad at Google. I use a password manager, so for many years I use a near max strength password for my important accounts. Those passwords are nearly impossible to type by hand. But now I own a Chromebook. I was alarmed that the access password to open the Chromebook is my Google password. I can't use the password manager before I get access to the device. So I was forced to change my Google password from max security to min security that I can type easily.

AFAIK, I have no choice to use different passwords for Chromebook access and for my Google account.
I really feel your pain! I didn't know about this... This hurts man. I would ask on their forum/Google group if there's any way to bypass this problem. Could you use, say a Yubikey or something like that?
 
  • #12
fluidistic said:
As a rule of thumb, you should avoid typing any password manually (except your password manager's passphrase). That's usually an indication of low password strength.
True, unless it is the PW you need to log into your device to log into your PW manager.

p.s. We have seen that biometrics are not a good solution to that problem either.
 
  • #13
A good master password: MetaTHeC
A better master password: ymaKhAIRDeRi

A good site-specific password: d7vTHY@Vu1&&7f3As%vgL1PTv9G!d4sC
 
  • #14
To pick a master password, I suggest following the now extremely famous xkcd (most famous one?): https://xkcd.com/936/.
For people like Borek, mix languages.
I would also separate words with different characters, like - and sometimes _.
Like "pokonam_traceless_sand-two2haha".
 
  • #15
I avoid characters outside of standard ASCII in passwords; I have seen them being misinterpreted way too many times. And coming from a country where letters ąćęłńóśźż are used all the time I have a lot of experience to draw from :(
 
  • Like
Likes harborsparrow and epenguin
  • #16
Vanadium 50 said:
A good master password: MetaTHeC
A better master password: ymaKhAIRDeRi

A good site-specific password: d7vTHY@Vu1&&7f3As%vgL1PTv9G!d4sC
You're missing the point. I can't make a PW to log into my Chromebook that is different from my Google account PW. So in that case Google forces the master PW and the site-specific PW to be the same. Others in this thread say that Amazon and Apple do the same.
 
  • #17
You're right. I am missing the point, and that's a terrible, terrible plan on Google's part.
 
  • #18
fluidistic said:
By the way, the remedy I have found was to modify my Amazon password to a "stupid simple" one, just for the few minutes to make the Kindle synchronization.

My Kindle allows me to enter 36 different symbol characters, plus all upper and lower case letters, plus 10 numerics, all of which I can also create on my PC keyboard, so this seems an unnecessary approach to resolving your concern about Kindle passwords not being strong enough. You asked previously whether Kindle can generate ×, ÷, and ¹ , which mine at least can't, but using them is not mandatory to strong password generation.

Your underlying issue seems to be: "I want to use symbols in my amazon.com account password that my Kindle keyboard does not let me type, therefore, I have to use a 'stupid simple' one for this operation."

Is that correct?
 
  • #19
Tghu Verd said:
My Kindle allows me to enter 36 different symbol characters, plus all upper and lower case letters, plus 10 numerics, all of which I can also create on my PC keyboard, so this seems an unnecessary approach to resolving your concern about Kindle passwords not being strong enough. You asked previously whether Kindle can generate ×, ÷, and ¹ , which mine at least can't, but using them is not mandatory to strong password generation.

Your underlying issue seems to be: "I want to use symbols in my amazon.com account password that my Kindle keyboard does not let me type, therefore, I have to use a 'stupid simple' one for this operation."

Is that correct?
Not exactly.
My underlying issue is that I want to use the full set of allowed characters that Amazon.com allows for passwords. But it is then impossible to link a Kindle to that Amazon account. The fact that I remedied this problem by picking an arbitrary stupid simple password for a few minutes is not the underlying issue.
 
  • #20
I understand what you are saying, but:

fluidistic said:
My underlying issue is that I want to use the full set of allowed characters that Amazon.com allows for passwords.

as I wrote earlier, using characters that are outside of the standard ASCII for passwords is jumping head first into troubles. You have just learned something that is obvious to almost everyone living outside of the anglosphere. We are cursing all English-speaking software developers for as long as I remember. Welcome to the club.
 
  • Like
Likes fluidistic
  • #21
If I was writing the PW software, I would prevent problems with different keyboards on different devices by transforming all typed PW characters modulo 128. If that was so, even though you think you are typing exotic symbols, they actually map back into one of the original 7 bit ASCII characters.

But on second thought, doing that without informing the users in advance would be a bad practice, so maybe they don't do it.

Nevertheless, allowing PW characters that are not universal to nearly all keyboards is also asking for trouble. What would you do with ×, ÷, ¹ if you come to a device with an old touch-tone keypad or one with no keyboard, that said, "Please spell your password out loud into the microphone" ?
 
  • #22
Idealism is wonderful...until you have to implement it! As even your modulo thought experiment highlights.

My Dell PC does not have a ÷ key, creating what looks like a superscript 1 is a pain unless there is an icon for it (like in Word), and your × is too easy to confuse with x, so you are actually asking vendors to make problems for users by supporting uncommon chars. That introduces support load, decreases the customer experience, and complicates the code.

Ultimately, you can create a strong password using a sufficient number of symbols for your amazon.com account on any of their devices and supported platforms and complaining that every possible character combination is not supported across the board seems churlish.
 
  • Like
Likes anorlunda
  • #23
anorlunda said:
If I was writing the PW software, I would prevent problems with different keyboards on different devices by transforming all typed PW characters modulo 128. If that was so, even though you think you are typing exotic symbols, they actually map back into one of the original 7 bit ASCII characters.

But on second thought, doing that without informing the users in advance would be a bad practice, so maybe they don't do it.

Nevertheless, allowing PW characters that are not universal to nearly all keyboards is also asking for trouble. What would you do with ×, ÷, ¹ if you come to a device with an old touch-tone keypad or one with no keyboard, that said, "Please spell your password out loud into the microphone" ?
But the Amazon case is very different from the case you describe. That company sells only specific devices without any keyboard (Kindles and other devices without keyboard, though I don't know if they can be linked to the Amazon account) and requests you to type in your Amazon password to make a link to your Amazon account. They use a virtual keyboard that allows extra characters, but not the full set of characters they allow for their password, and this is precisely my criticism. They are at fault there, regardless of the security reachable without those few extra characters.
As said above, you do not want to actually type in your password manually. It doesn't matter whether your keyboard can produce those characters. What matters is that your password manager can output them and that they are tolerated/allowed/encouraged by Amazon. If, for some reason, the password manager cannot be accessed on that specific device, then for heaven's sake, at least include all the allowed characters in that virtual keyboard. I mean, what does it cost the Amazon Security developers? A 1 minute Stack Overflow search to fall over a copy/paste solution?
 
  • #24
fluidistic said:
I mean, what does it cost to the Amazon Security developers? A 1 minute Stack Overflow search to fall over a copy/paste solution?

You first have to be aware of the existence of the problem. Anglophones aren't.

Other than that you are perfectly right 😉
 
  • Like
Likes Tom.G
  • #25
fluidistic said:
They use a virtual keyboard that allows extra characters, but not the full set of characters they allow for their password, and this is precisely my criticism. They are at fault there, regardless of the security reachable without those few extra characters.

Yes they are, but it's a small crime in the scheme of things.

Most amazon.com account holders won't have a Kindle device so while it might be a "1 minute Stack Overflow search" (it won't be, but I understand your intent) the use-case applies to a limited number of customers in total, and an even smaller number who trip over this issue in actuality.

And you know, I'd vote for Amazon to put dev effort into weeding out fake reviews over aligning their password character set. I blogged about this earlier this year, because it's seriously annoying!
 
  • Like
Likes fluidistic
  • #26
What do I risk? Someone might be reading my books for free? Anything worse?
 
  • #27
epenguin said:
What do I risk? Someone might be reading my books for free? Anything worse?
If you are talking about your Amazon account login, they could use it to order stuff that is charged to your credit card.

If you tell Amazon to deliver to a new address, it requires you to re-enter the CC data. But still there could be frauds that avoid this.

When it comes to stealing money, nobody in history has figured out a certain way to prevent it.

I think you ignore other ways to make your password more secure. Rather than using exotic characters, you could use longer passwords. You could even make a PW using only the 16 hexadecimal digits 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F. Just make it 128 characters long rather than 8.
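
The trade-off argued in posts #4, #15, #18, #21 and #27, worked through as an added Python example that is not part of any post: entropy from length versus alphabet size, the collision created by the "modulo 128" idea, and why one non-ASCII character can reach a server as two different byte strings. The function names are hypothetical, the Kindle alphabet size is the count given in post #18, and the letters-and-digits alphabet is an assumed stand-in for "typeable on every device".

```python
import math
import secrets
import string
import unicodedata

def entropy_bits(alphabet_size, length):
    """Bits of entropy, valid only if every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def length_for_bits(alphabet_size, target_bits):
    """Shortest random password over this alphabet reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def generate(alphabet, target_bits=128):
    """Random password using only characters the target device can type."""
    n = length_for_bits(len(alphabet), target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(n))

def fold_mod_128(password):
    """Post #21's idea: reduce every code point modulo 128 (7-bit ASCII)."""
    return "".join(chr(ord(c) % 128) for c in password)

def wire_forms(password):
    """UTF-8 bytes for the two common Unicode normalizations of one password."""
    return {form: unicodedata.normalize(form, password).encode("utf-8")
            for form in ("NFC", "NFD")}

if __name__ == "__main__":
    # Alphabet sizes quoted in the thread.
    kindle = 36 + 52 + 10          # post #18: symbols + letters + digits
    print("64 hex chars (post #4):", entropy_bits(16, 64), "bits")
    print("128 hex chars (post #27):", entropy_bits(16, 128), "bits")
    print("Kindle-typeable length for 128 bits:", length_for_bits(kindle, 128))
    # Assumed stand-in alphabet: letters and digits, typeable on any keyboard.
    print("sample:", generate(string.ascii_letters + string.digits))
    # Folding makes the password "×÷¹" collide with a plain ASCII one.
    print("fold:", fold_mod_128("\u00d7\u00f7\u00b9"))
    # One visible character (a with ogonek), two different byte strings.
    print("forms:", wire_forms("\u0105"))
```

A server that hashes the raw bytes treats the NFC and NFD forms as two different passwords, so the same visible password typed on two devices can fail to match.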
 
  • #28
As for Google security, Google is now begging, urging and threatening me to make my Nest cam (which company they bought) use my Google account. I really don't like putting all my eggs in one basket, and I've avoided this until now. I expect at some point Google will force me to switch over.

OTOH, Google has better password encryption than most companies, especially after the Chinese attack on Google a few years back. Since then, they have increased their encryption key length substantially more than other companies.
 

1. How secure is Amazon's Kindle?

The security of Amazon's Kindle can vary depending on the specific model and software version. However, overall, the Kindle has several built-in security measures such as encryption, secure boot, and secure browsing to protect user data and prevent unauthorized access.

2. Is the Kindle vulnerable to hacking?

Like any electronic device, the Kindle could potentially be vulnerable to hacking. However, Amazon regularly releases security updates and has implemented various security features to make hacking more difficult. It is important for users to also take precautions such as using strong passwords and avoiding connecting to unsecured networks.

3. What steps can I take to improve the security of my Kindle?

To improve the security of your Kindle, you can enable device passcodes, use two-factor authentication, and regularly update your device's software. It is also important to only download apps and content from trusted sources and to be cautious when connecting to public Wi-Fi networks.

4. Can someone access my personal information through my Kindle?

It is unlikely for someone to access your personal information through your Kindle, as long as you have taken necessary security measures such as using a strong device password and keeping your software up to date. However, it is important to always be cautious and not share sensitive information through your device.

5. Is my Kindle safe for online shopping and banking?

As long as you have taken necessary security precautions, such as using secure websites and avoiding public Wi-Fi, your Kindle should be safe for online shopping and banking. Additionally, you can use Amazon's "Parental Controls" feature to restrict access to certain features and websites on your Kindle, further enhancing its security.
