Slashdot Mirror


AOL's Embarrassing Password Woes

An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog: "Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters." This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."

3 of 192 comments

  1. Re: same in the default install of solaris 10 by Anonymous Coward · Score: 5, Informative

    Same problem in a default installation of Solaris-10 as well.

  2. Re:No way. by __aaclcg7560 · Score: 5, Informative

    Nope. At some companies I worked for, the most common passwords are "password", "hockey" (I have no idea why), and "yousuck" (Windows machines). The opposite extreme is companies with password Nazis who insist that your password be a certain length, follow a certain pattern (capital letters, lowercase letters, numbers and symbols) and minimum length (eight or more characters), must be changed every 90 days, and you can't reuse the last 500 variations of the same password based on your name.

  3. Re:Not alone by PAjamian · Score: 5, Informative

    It's not just Solaris; here's part of /etc/login.defs on a Gentoo box:

    # Number of significant characters in the password for crypt().
    # Default is 8, don't change unless your crypt() is better.
    # Ignored if MD5_CRYPT_ENAB set to "yes".
    #
    #PASS_MAX_LEN 8

    # If set to "yes", new passwords will be encrypted using the MD5-based
    # algorithm compatible with the one used by recent releases of FreeBSD.
    # It supports passwords of unlimited length and longer salt strings.
    # Set to "no" if you need to copy encrypted passwords to other systems
    # which don't understand the new algorithm. Default is "no".
    #
    MD5_CRYPT_ENAB yes

    Old DES crypt() hashing is only significant to 8 chars on any system. That's why modern systems (including Gentoo) use MD5 hashing by default, which has no limit on the length of the password to hash. Notice that MD5_CRYPT_ENAB is set to "yes" above, which causes it to ignore the PASS_MAX_LEN setting.
    --
    Windows is a bonfire, Linux is the sun. Linux only looks smaller if you lack perspective.
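Added example, not code from the thread or from any of its posters: a small Python checker that parses a /etc/login.defs excerpt like the one quoted above and reports how many password characters are actually significant, applying the rule PAjamian describes (MD5_CRYPT_ENAB yes makes PASS_MAX_LEN irrelevant; otherwise DES crypt() only sees the first PASS_MAX_LEN characters, default 8). The sample text is constructed to mirror the Gentoo excerpt, and the handling of ENCRYPT_METHOD (the newer shadow-utils setting) is an assumption that goes beyond what the thread shows.

```python
"""Audit a login.defs snippet for the effective significant password length."""
from typing import Dict, Optional

# Constructed sample mirroring the Gentoo /etc/login.defs excerpt in the thread.
SAMPLE_LOGIN_DEFS = """\
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# Ignored if MD5_CRYPT_ENAB set to "yes".
#
#PASS_MAX_LEN 8

MD5_CRYPT_ENAB yes
"""

DES_SIGNIFICANT_CHARS = 8  # traditional DES crypt() hashes only the first 8 chars


def parse_login_defs(text: str) -> Dict[str, str]:
    """Return the active KEY VALUE pairs; commented-out lines are not active."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # "#PASS_MAX_LEN 8" is a comment, so the built-in default applies
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def effective_password_limit(settings: Dict[str, str]) -> Optional[int]:
    """Number of significant password characters, or None when nothing is truncated.

    Assumed shadow-utils semantics: MD5_CRYPT_ENAB=yes, or a non-DES
    ENCRYPT_METHOD, means PASS_MAX_LEN is ignored; otherwise DES crypt()
    silently drops everything past PASS_MAX_LEN (default 8).
    """
    if settings.get("MD5_CRYPT_ENAB", "no").lower() == "yes":
        return None
    if settings.get("ENCRYPT_METHOD", "DES").upper() != "DES":
        return None
    return int(settings.get("PASS_MAX_LEN", DES_SIGNIFICANT_CHARS))


def report(text: str) -> str:
    """One-line verdict for a login.defs snippet."""
    limit = effective_password_limit(parse_login_defs(text))
    if limit is None:
        return "OK: the full password length is significant"
    return f"WARNING: only the first {limit} characters of a password are significant"


if __name__ == "__main__":
    print(report(SAMPLE_LOGIN_DEFS))
```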