Editorial: Dear Amazon, usernames and passwords exist for a reason

We interrupt our regularly scheduled Amazon Kindle Fire review for this timely editorial.

I'm really not a tinfoil hat type -- maybe a little too much on the other side of that spectrum, actually. But I'm really not crazy about how Amazon's shipping the Kindle Fire. Here's how it works: You order a Kindle Fire from Amazon, they ship it to you. You open the shipping box, and then the specially designed, "Certified frustration-free packaging" (which is pretty cool and mostly frustration-free). Unwrap the Kindle Fire, turn it on and connect to Wifi.

And find that you're already logged in, password and everything, ready to purchase books, magazines, apps and music.

This is not good.

We actually ordered two Kindle Fires for the site -- one to use and review, the other to give away to one of you fine readers. I ordered them through my personal Amazon account. Credit card and shipping info are saved, so it made sense, right?

Opened up one of the Kindle Fires (note in the picture above how it already realizes it's my "second" Kindle) and turned it on. Soon as it connected to the Internet, it started calling me by name. Well, by my Amazon name, which differs a little from what we're all used to seeing. But, hey, it knows who I am. Cool.

Wait. How the hell does it know who I am?

Is it some magic SSID database? Nope -- especially since I'd just renamed mine earlier in the day to get off the Google grid. Maybe it used the camera to recognize me? Nah.

Amazon preregistered our two Kindle Fires, sealed them in the box, then sent them on their way.

I understand that this is a convenience thing. Order the Kindle Fire on Amazon, open the box, and go. I get that. And, actually, it's a pretty interesting way to go about it. No other Android device I've ever used has made it that easy for me -- and I sign in to a lot of Android devices. It really does make for a fast, easy out-of-box experience.

But that's also the problem. It's just a little too easy.

What we'd prefer to see the first time we turn on the Kindle Fire

My credit card's attached to the account that Amazon went ahead and signed into for me. My Amazon recommendations are visible in the Web browser. Now I realize that it's pretty unlikely that my Kindle Fire will be delivered to the wrong person or fall off the back of a truck, into the hands of someone just waiting to abuse my low-limit, high APR credit card to buy a Justin Bieber album or that Steve Jobs biography. And pretty much nobody wants to see the horror show that is my Amazon recommendations list.

But it's my credit card. They're my recommendations. And I didn't sign in with my username and password.

There's another scenario here, too, apparently. Amazon's Kindle Fire help documentation has the following section:

When registering your Kindle Fire, you may see a "deregister" instead of "register" option. This means your Kindle Fire is already registered to another account. This may happen if you received your new Kindle Fire as a gift. Select "deregister" to register your Kindle Fire to your Amazon account instead.

Skip to 2:20 in this video (opens in new tab) and it really makes more sense.

So someone I know sends me a Kindle Fire, and it's already registered with their account, and I can purchase books, magazines, apps and music on it out of the box? Sweet! But, again, it's something that shouldn't happen.

There is a piece of good news here, though. When you go to the Amazon website, you'll find you're already logged in, but you'll still have to enter your password to actually make a purchase. So while you can get taken for $10 a pop with videos and music -- and for more with books -- at least someone can put you on the hook for hundreds of dollars without spending a little time first.

Look, this isn't the end of the world. If someone starts making purchases on your Kindle Fire, chances are you'll see the e-mailed receipts and raise the alarm. This is about the principle. It's my username and password that Amazon's taking the liberty of entering into a piece of hardware before it ever hits my hands. And while it certainly makes the out-of-box experience painless -- almost enjoyable, actually -- Amazon's taking liberties with my information here. It's my username and password. I should be the one to enter them.

Update: As geewhipped points out in the comments, if you properly designate the Kindle as a gift, it'll ship unregistered. Here's the official word on that: "If you purchase a Kindle, it will not be registered to your Amazon account. The recipient can register the Kindle to their own Amazon account when it arrives." So we suppose if you're really worried about this sort of thing, just mark the "This item is a gift" box. But you really shouldn't have to.

  • Amazon FAIL. What if this is a gift item? Christmas is approaching. Or someone else borrows your device on it's way to your house in delivery...
  • Amazon has been doing this FOREVER with all their Kindles. This isn't new... guess no one owns a Kindle... jeez.
  • How is the fact that they have been violating common sense for a long time any excuse for them continuing to do so? How is it they even are able to get to your password to put it on the tablet?
    Industry best practices dictate that the most they could do is reset your password. They should never be able to tell you your exiting password, and certainly they shouldn't be able to load it on a device in the fulfillment process.
  • It's called convenience... Out the box ready to go. Their real customers don't seem to be bothered by it.... AkA the average consumer... It's not that serious.
  • Most likely, they have a system that syncs your account information directly to the device before it goes out the door. It doesn't excuse it, but I doubt they load your info manually.
  • If they actually keep plaintext passwords that would be much bigger story than pre-registered Fires being shipped out to the customers. Hopefully, they don't do that -- there are few ways I can think of that device can be pre-registered and still not having your password -- think going from web page to web page without having to enter your password over and over again... somebody poking Amazon hard enough that they actually speak to that would be *really* good, though.
  • shit, that ain't cool, my recommendations will show up? that could be embarrassing.
  • Yeah, but the look on your mom's face when she gets recommendations for butt plugs, the Cheese-of-the-Month Club and a Yanni cd would be priceless!
  • Bad move by Amazon. I didn't know that you were also a fourth, Phil.
  • Wow, that's a huge bloody security hole. How'd they release a product like that?
  • Its not the product itself that's the issue ... Read the article again smart guy
  • i think this is a great feature, and its been around on kidles for a few years. a big part of the kindle experience is simplicity, and there are plenty of simple users out there purchasing e-readers or a cheap tablet. it would be nice to have a clear opt-out of this feature at purchase, but id imagine if you checked the 'this is a gift' option when checking out that you wouldnt have been signed in already. edit: http://www.androidcentral.com/baseball-root-and-poor-communication-leads...
  • Pretty sure you can unregister any Kindles you gift from your account before it arrives. More importantly, if you designate the Kindle as a gift when you buy it, it won't have your information. I took this from the Amazon site: "To send Kindle as a gift, place Kindle in your Shopping Cart and check the box next to "Add gift-wrap/note" when completing your purchase. Designating your Kindle purchase as a gift ensures that the device is not automatically registered to your Amazon.com account and prices for the Kindle purchase will not appear on the packing slip."
  • The only problem is if they get lost in the mail which has happened before your private information is compromised.
  • completely Agreed this shouldnt happen, I made an order for one, but I think I will returns it and get me a prime instead.
  • Sorry but that's moronic logic of the highest order.
  • Not really I don't like the fact that is immediately logged in and if by any chance this get lost information like credit card may be compromised, and since is an entry level tablet, might as well get a tablet that is more secured and offers more, I was planning on returning it, and security was the last thing I needed to make a decision, the prime is overall a better tablet in every category, so gl to everybody purchasing this tablet, hope everything goes well
  • Every kindle has worked this way since kindles have existed.
    It doesn't have your u/p, it is registered to your acct. The serial # is now listed under your "manage my kindle" page on amazon. if it was a gift, you can check the "this is a gift" box when you are ordering it...or if you forgot to do that, you can deregister it from your acct before the gift is opened.
  • So what? Its still wrong.
    Saying its been going on for a long time so it musy be ok is utterly short sighted and juvenile.
  • no.
    it has been going on for a long time, amazon having sold a few million kindles over the past few years, and has not been a problem for users in that time.
    *that's* what makes it "ok"
    at the Kindle Fire announcement, Bezos said it would come to you this way. If you read what you are buying, you'll see that it comes attached to your account. You'll also read that if you don't like that, you can designate it as a gift and it will not be attached. nobody was hiding this information from you.
  • This is a feature that keeps me from giving one of these to my child. I can see this tablet as a great tool for teaching/learning (and reward for very good behavior), but apparently I need to wait until the later teens when he can understand better the concepts around earning money to purchase goods, rather than giving him free reign to buy everything that pops up for "Angry Birds" in the app store. Amazon requires one-click to be enabled to use the app store, forgetting that some of use parents really want parental control.
  • For a child you can buy as a gift, (unregistered) and sign up a new amazon account with a prepaid credit card so that purchases can be controlled. Note: you can't use prepaid card to be a amazon prime member.
  • in addition to the above, there ARE parental controls in the app store
  • This is the way it has been with all kindles. If you don't mark it as a gift it shows up registered to your account. Its not anything new or different with the fire.
  • I don't see the issue, all Kindles have worked like this. You can easily go to your Amazon account and deregister your device if you want.
  • And if it falls in the wrong hands BEFORE you get it, someone can make a huge mess of your account after getting all kinds of information from it. Perhaps change the shipping address and order crap too...
  • Except you can't make any account changes without entering your username/password, exactly the same way it works if you are on their website.
  • You can deregister a Kindle BEFORE it ships. Amazon attaches the serial # to your account the moment you purchase. If you prefer to do things manually, or intend on purchasing the device as a gift, it's as simple as going to 'Mange Devices' and clicking 'Deregister'. Christ...
  • Think it should work as an opt in to putting your account info in, not an opt out as a gift option.
  • Exactly right. Thanks for your post.
    Kindle fanbois take note, the great Amazon has definitely made a fashion faux pas here. Maybe all Kindles of yore worked that way, but nobody bought them. High profile big selling products require maning up to serious security policies.
  • Except that Kindles have been huge sellers for the past several years.
  • So how do I win the Kindle Fire linked to Android Centrals Pocket Book? It is interesting to say the least that you can receive the item ready to go but it seems the process should be the other way around, where you select an option when ordering to have it ship logged in and ready to go
  • I hope I win that second Kindle Fire. All of the movies, apps, and books I ever wanted - all for free (for me).
  • Edward nickinson IV? WTF? Where did you get that name?
  • His great great grandfather gave it to his great grandfather (and since he is the fourth Nickinson to be named Edward he got the IV,) sheesh it's not complicated really. And since his Dad, Granddad, and Great Granddad go by Edward/Ed/Eddie/whatever, he chose to eliminate confusion at family gatherings by going by Phil (probably his middle name) instead.
  • Hmm...I guess I'll watch my neighbor's porch for one of his regular Amazon deliveries.
  • Releasing it with the username prepopulated would be fine, and automatically linking the device to your account is fantastic, but the password *needs* to be manually entered.
  • As others have mentioned, at purchase you should have the choice to opt-IN and have Amazon put in all your confidential information for you.
    You shouldn't have to opt-OUT of having someone else put your data in for you. Since it isn't this way, Amazon should atleast notify you at time of purchase that they do input your supposedly confidential information on the device for you ahead of time and ask whether or not you would like them to do it for you. You shouldn't have to choose the vague "gift" option when the device isn't a gift just so that you don't have someone putting your info on devices for you.... They've done the same with previous Kindles aswell and I never liked that they did this. I had a kindle lost in the mail once and purchases were made. While it was easy to have the purchases removed and deactivate the device from my account, I shouldn't have even had to go thru that to begin with.
  • You posted out of google's SSID mapping? Why?
  • Wow really Amazon? Is that all the intelligence you have to offer from your employees?
  • Sensationalize much? Amazon has been doing this with all their Kindles for years. It's called convenience. If you don't like that added convenience there's a very simple solution: deregister your device before it even ships. How do you think ppl gift Kindles or purchase them for resale? Not really rocket science...
  • Come on guys, do a little research before going all crazy. As I_Am_Incredible noted, Amazon has been doing this from day one with the regular Kindle readers.
    Also, during the ordering the Kindle process, you're asked if the purchase is a gift. If so, your account is NOT tied to the device.
  • Correct me if I'm wrong, but haven't all Kindles always shipped logged in if purchased directly from Amazon?
  • This is the dumbest editorial I have read here. Read the instructions. I am completely pleased with my Fire.
  • Really seems like much ado about nothing - as you updated, you can mark the Kindle as a "gift" and it'll ship clean and unregistered. I actually just received my Kindle Touch and since my GF bought it for me as a gift, it came registered to her because she also forgot to choose the "send as a gift" option. It literally took me one minute to go into the settings, "de-register" the kindle from her account, and then input my credentials to register it to my account. It was the same way when I got my Kindle DX in November 2009.
  • Amazed that so many people can't grasp the the simple logic that exists in the title of the article. Sure, it's not a nuclear tragedy, but you'd think that's what the article claimed by the defenders in this comment thread. I bet a cursory dig through the trash of many of these people would be an identity thief's dream come true. The coming decade will hold the tales of many lessons learned the hard way regarding personal privacy.
  • I'm not sure that I agree that this absolutely "shouldn't happen". Amazon is taking a risk. You, the purchaser of the kindle, are taking very little risk. 1) Amazon limits the amount that can be purchased on your account
    2) Amazon is going to refund any incorrect purchases
    3) You risk the disclosure of your username, but NOT your password But the other side of this is that the vast majority of the user community gets an "it just works" experience out of the box. It'd be one thing if Amazon didn't offer any way around this, but apparently they two ways to avoid this problem: You can send it as a gift and, even if you forgot to do that, you can deregister it from your account. This doesn't seem that unreasonable to me.
  • I have yet to see a review on how good the e-reader is. Is it "e-inky" like the old kindle?