Slashdot Mirror

← Back to Stories (view on slashdot.org)

AOL's Embarassing Password Woes

Posted by CmdrTaco on from the top-sekrit dept.

An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog: "Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters." This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."

4 of 192 comments (clear)

  1. Standard crypt problem by AEton · · Score: 5, Interesting

    This is not that unusual.

    We switched to a new content management system and gleefully informed users that their new default password was (an organization-standard eight-character string) followed by their username.

    We realized something was wrong when someone noticed that all the password hashes were the same.

    (The fix: find a new better hash function.)

    --
    We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
  2. Even better by AndrewM1 · · Score: 5, Interesting

    I can do this one better. I signed up for some game known as MapleStory a while back, submitting the password "DaedAEcarECel40s".

    I quickly found that I could not log on to my account. I was wondering whether I misspelled my password or something, when I noticed (while reading the FAQ) in small print "Passwords must be 8 characters or less." Now, no warning of this was given anywhere on the sign up form.

    In shock, I realized what the issue must have been. Sure enough, trying to log on with password "DaedAEca" worked like a charm.

    Yes, not only did they not warn the user that there was a maximum on the password length while signing up, and not only did their form accept my 16-char password, but it actually would not let me log in with the full password. Man, I was pissed and confused for a while...

  3. Its actually worse than that by imunfair · · Score: 5, Interesting

    It's worse than they make out. Back in December 06 I posted a synopsis of how the password hashing on AIM works. They ALSO remove all the 'weird' (read: non-alphanumeric) characters. So your "eight characters" may actually be only six or four - since it cuts the password down to eight before it removes the weird ones.

    They also don't hash passwords anymore in your registry from AIM6 onward. They encrypt them, but that's a lot easier to get around than hashing.

    If you really want a more detailed explanation you can take a look at the 12/29/06 and 12/30/06 posts on this page - http://tsourceweb.com/ - but what I already mentioned is the crux of the issue. (We all know people on Slashdot dont like to read articles anyway ;)

  4. Re:Not alone, Apple too by Branka96 · · Score: 5, Interesting

    Apple's OS X had the same problem until 10.3. See Apple KB article