Slashdot Mirror


AOL's Embarrassing Password Woes

An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog: "Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters." This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."
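The silent cutoff described above, as an added example that is not from the story or from AOL's systems: a hypothetical account store where `truncate_to=8` reproduces the reported behaviour, next to a black-box check that registers a throwaway account and finds the cutoff by trying prefixes. The hash scheme (PBKDF2) and every name here are my assumptions.

```python
import hashlib
import hmac
import os
import secrets

LEGACY_CUTOFF = 8  # the silent 8-character limit described in the story


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for AOL's unknown scheme (an assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class PasswordStore:
    """Hypothetical account store; truncate_to=8 reproduces the reported defect."""

    def __init__(self, truncate_to=None):
        self.truncate_to = truncate_to
        self.users = {}  # username -> (salt, digest)

    def _normalize(self, password):
        # The defect: everything past the cutoff is silently discarded.
        return password if self.truncate_to is None else password[: self.truncate_to]

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _digest(self._normalize(password), salt))

    def verify(self, user, password):
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(_digest(self._normalize(password), salt), stored)


def detect_truncation(store, probe_len=16):
    """Black-box check on a throwaway account: register a random probe password,
    then try each shorter prefix. Returns the shortest prefix length that still
    authenticates (the cutoff), or None when the full password is required."""
    probe = secrets.token_hex(probe_len // 2)  # probe_len hex characters
    store.register("__probe__", probe)
    for n in range(1, probe_len):
        if store.verify("__probe__", probe[:n]):
            return n
    return None


if __name__ == "__main__":
    buggy, fixed = PasswordStore(truncate_to=LEGACY_CUTOFF), PasswordStore()
    for s in (buggy, fixed):
        s.register("alice", "password123")
    print(buggy.verify("alice", "password"), fixed.verify("alice", "password"))  # True False
    print(detect_truncation(buggy), detect_truncation(fixed))  # 8 None
```

The same probe works against any system you operate: if a shorter prefix of a freshly set password still logs in, the characters past that point never mattered.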

17 of 192 comments

  1. No way. by Anonymous Coward · · Score: 0, Insightful

    Anyone else having a hard time believing this?

    1. Re:No way. by Bastard+of+Subhumani · · Score: 4, Insightful

      ... thus pretty much ensuring that you write it down.

      --
      Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
    2. Re:No way. by thogard · · Score: 3, Insightful

      It changes authentication from something you know to something you have.

    3. Re:No way. by cp.tar · · Score: 2, Insightful

      Now those are people who do not understand the way people think. Mathematicians, not psychologists.

      And they are the reason social engineering works so well.

      People like having one, maybe two or three passwords.
      So instead of making them change passwords regularly (and do note the analogy of having to change your front door lock every two months!), make them create one relatively secure password and drill them to memorize it, never, ever reveal it to anyone and never ever write it down.

      Changing passwords does not affect their crackability in any way, anyway... it is a random security layer which can close the door to someone who has already cracked the old one, in which case your security sucks anyhow.

      --
      Ignore this signature. By order.
    4. Re:No way. by that+this+is+not+und · · Score: 2, Insightful

      Something you have on a post-it note, stuck to your desk underneath your keyboard.

    5. Re:No way. by General+Wesc · · Score: 4, Insightful

      I used to tell people not to write down their passwords, but after dealing with people losing their passwords all the time, I changed my tune. I think this makes a good point. There are some passwords I won't write down, but if I can carry hundreds of dollars, keys to my house and car, and credit cards with a total credit line of over 10 000 USD in my pocket.

      Preferably, one would just write down a hint, of course. And not on a sticky-note on the monitor.

    6. Re:No way. by myowntrueself · · Score: 2, Insightful

      The opposite extreme is companies with password Nazis who insist that your password be a certain length and follow a certain pattern.

      I've seen ones where they specify things like 'must be 10 characters long, contain 2 symbols, 2 numeric characters, 2 uppercase'. They don't seem to realise that they are actually *reducing* the complexity of possible passwords.

      If a cracker knows that a password *will* contain, eg, 2 non-alphanumeric characters plus 2 numerals plus 2 upper case characters, and knows the required length of the password, this reduces the search space significantly.

      --
      In the free world the media isn't government run; the government is media run.
    7. Re:No way. by Mr+Jazzizle · · Score: 2, Insightful

      I find that if you pick out just something around the desk and use its serial number (or some other long sequence of random letters and numbers) as your password, you'll never forget it as long as you know what thing it's on. Not so good, however, is when someone notices that you're looking at the back of your computer speakers every time you log on.

  2. Re:Same as in Linux by Anonymous Coward · · Score: 2, Insightful

    > So that's the same as in most (all?) Linux distributions by default.

    Was that a question or a statement?

    No Linux distro that I have used in the past 8 years hashes only the leading 8 chars of a pass phrase. Even so a strong 8 char password is still a strong password (eg: *_Jilt3d) or even better with non-printable chars.

  3. This is AOL we're talking about... by ZeldorBlat · · Score: 4, Insightful

    Do you really think the type of people who use AOL would use a password longer than eight characters anyway?

  4. Re:Same as in Linux by Bastard+of+Subhumani · · Score: 1, Insightful

    > Even so a strong 8 char password is still a strong password (eg: *_Jilt3d)

    It isn't if you're relying on the part after the eighth character to make it strong and the system is silently ignoring that part.
    --
    Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
  5. Re:Not alone by Cygfrydd · · Score: 2, Insightful

    > #PASS_MAX_LEN 8

    Perhaps it's just me, but isn't that commented... meaning, the entire length of the password is hashed, and thus, significant?

  6. Embarrassing?! by morari · · Score: 3, Insightful

    What exactly about AOL isn't embarrassing?

    --
    "He who can destroy a thing, controls a thing." --Paul Atreides, Dune
  7. Re:Its actually worse than that by bot24 · · Score: 2, Insightful

    The stored password in the registry cannot be a hash unless the authentication system on the remote end will accept the hash in place of the actual password, which is only marginally better than storing the password in plain text. Without some keychain system, the password cannot be encrypted and then decrypted again unless the decryption key is accessible to the user or the key is stored on the server, meaning that you only need the "encrypted" password to authenticate yourself. Depending on how the password is encrypted, the new password storage system could be worse than the old one.

  8. Re:So, now we can't count? by FishWithAHammer · · Score: 2, Insightful

    You're an idiot. 'password', the eight-character segment that actually counts, is extremely common.

    --
    "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
  9. uhm. by Anonymous Coward · · Score: 1, Insightful

    I've had an AOL account since the mid nineties, I don't really use it anymore, but the password's only 4 characters.

    I wonder how many other people have 'older' aol accounts and haven't changed their passwords.

  10. Re:Nothing new by Anonymous Coward · · Score: 1, Insightful

    I suppose these idiots have never heard of hashing. Then this sort of weakness would have been a non-issue, even if their systems didn't read past the first half of the hash output.
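Comment 6 in the first thread above argues that a composition rule such as "10 characters, 2 symbols, 2 numeric, 2 uppercase" shrinks the search space. As an added example that is not from the thread, this counts 10-character strings over the 95 printable ASCII characters under that rule read both as "exactly" and as "at least", against the unconstrained space; the class sizes, the printable-ASCII alphabet and both readings of the rule are my assumptions.

```python
from itertools import product
from math import factorial, log2

# Character classes of printable ASCII (95 characters in total)
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def _multinomial(counts):
    # Ways to assign class labels to the positions of the string
    out = factorial(sum(counts))
    for c in counts:
        out //= factorial(c)
    return out


def count_with_composition(comp):
    """Number of strings whose per-class counts are exactly `comp` (dict)."""
    total = _multinomial(list(comp.values()))
    for name, k in comp.items():
        total *= CLASSES[name] ** k
    return total


def count_under_policy(length, required, exact=False):
    """Count strings of `length` that satisfy a composition policy.

    required: class -> count. With exact=False a class needs at least that many
    characters (how most systems enforce such rules); with exact=True it gets
    exactly that many, so the other positions come only from unlisted classes."""
    names = list(CLASSES)
    total = 0
    for counts in product(range(length + 1), repeat=len(names)):
        if sum(counts) != length:
            continue
        comp = dict(zip(names, counts))
        if all((comp[n] == k) if exact else (comp[n] >= k) for n, k in required.items()):
            total += count_with_composition(comp)
    return total


def bits(n):
    return log2(n)


if __name__ == "__main__":
    rule = {"symbol": 2, "digit": 2, "upper": 2}  # the policy from the comment
    free = 95 ** 10
    print(f"unconstrained: {bits(free):.1f} bits")
    print(f"at least 2 of each: {bits(count_under_policy(10, rule)):.1f} bits")
    print(f"exactly 2 of each: {bits(count_under_policy(10, rule, exact=True)):.1f} bits")
```

The "exactly" reading removes roughly six and a half bits from the 65.7-bit unconstrained space, while the "at least" reading removes far less, and neither matters if the system then throws away everything past the eighth character.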