AOL's Embarassing Password Woes
An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog:
"Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters."
This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."
Solaris (up to Solaris 8 anyway) has exactly the same problem; I wouldn't be surprised if it's widespread on older systems.
One thing I find interesting though, way back before the internet was well known (1990 or so I think) and people paid for CompuServe or AOL or whatever, I had a CompuServe account and the original password was 'wrote*admiral' and it definitely required all letters to be correct.
No, what's really embarrassing is mis-spelling that very word in the title of a Slashdot article.
Same problem in a default installation of Solaris-10 as well.
For random passwords, I guess 8 characters are still OK, but it's worse if you pick "smart" combinations of words and numbers, like "computers4life" or "jennifer2007". With dictionary attacks adapted for these lengths, they'd only need to check for the first 8 and it would be "computer" and "jennifer" in this case. If you further adapt the attack to only look for e.g. ratios of 4:4 with first 4 being a word and remaining 4 being random, and so on for 5:3, 6:2, 7:1, and 8:0, you also catch circumstances where users have picked passwords like "love4u2007", which would be caught in the "4:4" attack as "love" + "4u20". Maybe that's still secure enough, but this sounds a bit risky when using word passwords, even when mixing with numbers to avoid dictionary attacks, especially with this limitation.
Beware: In C++, your friends can see your privates!
Nope. At some companies I worked for, the most common passwords are "password", "hockey" (I have no idea why), and "yousuck" (Windows machines). The opposite extreme is companies with password Nazis who insist that your password be a certain length, follow a certain pattern (capital letters, lowercase letters, numbers and symbols) and minimum length (eight or more characters), must be changed every 90 days, and you can't reuse the last 500 variations of the same password based on your name.
NT4 broke a 16 character password and separately hashed the first and second parts so you could attack them separately. This is why passwords > 8 characters were recommended. Better than TFA, and (thankfully) fixed in NT5.
Worth remembering if you still have any NT4 servers in production.
I believe I encountered this last year when I was trying to set my wife's AIM account up on her iChat client. She had been typing the long version of her pass into the AIM client, which apparently wasn't reading past those first 8 characters. When we tried it in the iChat client, it kept spitting it back out as being incorrect. We eventually had to change her pass to a shorter one to get it to work.
So that's the same as in most (all?) Linux distributions by default.
Not since some time around 2000 when all of the major distributions switched from DES to MD5 authentication. Some major Unix vendors do still have the issue, though.
First, this article is flat out wrong and I challenge you to try it yourself. The AOL service will only allow up to 8 character passwords for e-mail related items. My password for my AIM clients has always been greater than 8 characters and I *cannot* log into anything without typing the entire password. This includes any web-based service at *.aol.com (primarily controlled by my.screenname.aol.com). I am a bit perplexed at where this article is getting its information.
:)
A few test cases to pay attention to:
1) Sign up for an AOL mail account https://new.aol.com/freeaolweb/?promocode=814322&
Notice it only allows you to choose a password that's 6-8 characters, just like the AOL service itself. So now try and login with your password that's 6-8 characters, but add a few more. It lets you in right? Ok, so do this... reset/change your password now. Click "Forgot my Password" or whatever the link is called. Go through the questions and set a new password. Oh wait, notice it only lets you pick a 6-8 character password.
What does this mean? It means for AOL-service based/AOL-mail based accounts, they only allow 6-8 characters for the password! Who cares if it accepts extra characters. There is a 6-8 character limitation. It's absolutely irrelevant that it accepts additional characters.
They seem to be confusing this with AIM-only based accounts, which allow up to 16 character passwords and DO NOT allow anything more or anything less than the *EXACT* password. Try it yourself. If my AIM password is "pCv921!$z" it will reject me if I put "pCv921!$" and it will reject me if I put "pCv921!$z44". This is not that big of a deal and certainly isn't embarrassing. This is flat out a difference in AOL's mail-based system vs. AOL's AIM-based system.
Want to know a big shocker about AOL's mail-based system that they didn't figure out and report on that *is* embarrassing?
These AOL.com (mail-based) and AOL-service based account are *NOT* case sensitive. That's right, try and make your password with some uppercase letters. It doesn't make a difference if your 6-8 character password has uppercase letters or not. It doesn't recognize it! I didn't check but I don't believe it recognizes special characters either. So your character set is a-z0-9.
Chew on that. Steven
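The checks in the posts above (does the login still succeed with a prefix, with junk appended, or with the case swapped?) can be scripted against an account you own. This is an added example, not code from the thread or from AOL; make_verifier is a constructed stand-in for a real login backend, with a "legacy" mode that mimics the lowercase-and-truncate-to-8 behaviour described here and a "strict" mode that compares the full password.

```python
import hashlib


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def make_verifier(stored_password: str, legacy: bool):
    """Constructed stand-in for an account store (not a real AOL API).

    legacy=True: lowercase and keep only the first 8 characters before
    hashing, so anything typed after position 8 is ignored and case is lost.
    legacy=False: hash the password exactly as entered.
    """
    def normalize(p: str) -> str:
        return p.lower()[:8] if legacy else p

    digest = _sha256(normalize(stored_password))

    def verify(candidate: str) -> bool:
        return _sha256(normalize(candidate)) == digest

    return verify


def audit_verifier(verify, known_password: str) -> dict:
    """Probe a verifier with a password you already know and report flaws.

    truncated_at: shortest prefix that still authenticates, or None.
    ignores_suffix: appending junk after the real password still logs in.
    case_insensitive: swapping the case of every letter still logs in.
    """
    assert verify(known_password), "baseline login with the real password must succeed"
    result = {"truncated_at": None, "ignores_suffix": False, "case_insensitive": False}
    # Try every proper prefix, shortest first; the first hit is the cut-off.
    for n in range(1, len(known_password)):
        if verify(known_password[:n]):
            result["truncated_at"] = n
            break
    result["ignores_suffix"] = verify(known_password + "asdf")
    swapped = known_password.swapcase()
    if swapped != known_password:  # only meaningful if the password has letters
        result["case_insensitive"] = verify(swapped)
    return result
```

Run the audit only against your own credentials; a truncated_at of 8 together with ignores_suffix is exactly the symptom the thread describes.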
My AOL password happens to be exactly 8 characters long. When I tried salting it with asdf afterwards, the OS X AOL client (which I haven't opened in a year, mind you :-) will not accept characters after the 8th.
2. Log into the AOL webmail and only use the first 8 characters. In this case, salting with asdfasdfasdf results in an error saying the password must be 16 characters or less, so salting it with asdfasdf (making the attempted password exactly 16 characters) I'm still allowed to log in, even though my true password doesn't contain the asdf's, and is only 8 characters long.
Slackware still doesn't have PAM, thank god, but does use MD5 by default.
MySpace has that issue as well, past 10 characters. If you go to their signup screen, you can sign up with a longer password, but if you go to the secondary login screen, it will stop typing either after 10 or 12 characters.
War isn't about who's right. It's about who's left.
Real VNC 4 has this same problem. One of my clients uses it and set the password to a 12 key entry, with uppercase, lowercase, numbers, and a special character. Too bad most of his non-alphas were at the end...
Demon Internet in the UK were like that back in 1994 when I signed up. I had some issues and changed the password. I'd come up with this long obtuse password and he said "Oh don't worry, it only reads the first 8 characters anyway."
So I dumped the convoluted password and went with something with 8 characters.
With MySpace you can have a password such as "Password123*&%". To login, you only need to use "Password123". Obviously their system does not recognize the extended characters at the end?