AOL's Embarrassing Password Woes
An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog:
"Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters."
This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."
Not only that, it either didn't have a salt or the salt was invariant.
Oolite: Elite-like game. For Mac, Linux and Windows
Any OTHER 8 char password? "password123" is an 11 char password. Duh. How did this get past the editors? Oh, never mind.
RS
Shoes for Industry. Shoes for the Dead.
Linux and Solaris and just about every major vendor unix's "passwd" only regarded the first 8 letters of the password anyway. The whole point is the force required to break the encryption with the key length (triple DES with 8 is pretty darn good). Why the AOL scare mongering?
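The truncation discussed in this thread can be checked for from the outside. The following is an added example, not part of the thread and not AOL's or any vendor's code: a constructed `TruncatingStore` stands in for a login backend that only reads the first N characters (the class, its PBKDF2 hashing and the `significant_length` probe are all assumptions made for illustration), and the probe reports how many leading characters a password check really uses.

```python
import hashlib
import hmac
import os


class TruncatingStore:
    """Constructed stand-in for a backend that silently drops characters past `limit`."""

    def __init__(self, limit=None):
        self.limit = limit          # None means the whole password is significant
        self.salt = b""
        self.digest = b""

    def _hash(self, password, salt):
        material = password[: self.limit] if self.limit else password
        return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, 10_000)

    def set_password(self, password):
        self.salt = os.urandom(16)  # fresh per-password salt
        self.digest = self._hash(password, self.salt)

    def verify(self, candidate):
        return hmac.compare_digest(self.digest, self._hash(candidate, self.salt))


def significant_length(store, probe_len=16):
    """Return how many leading characters the store checks, or None if all probe_len count.

    Sets a password of distinct characters, then changes one position at a time.
    The first position whose change is still accepted marks where the input is cut off.
    """
    baseline = "".join(chr(ord("a") + i) for i in range(probe_len))
    store.set_password(baseline)
    for i in range(probe_len):
        mutated = baseline[:i] + "#" + baseline[i + 1:]
        if store.verify(mutated):
            return i
    return None


if __name__ == "__main__":
    legacy = TruncatingStore(limit=8)   # the eight-character behaviour from the post
    print("legacy store checks:", significant_length(legacy), "characters")
    legacy.set_password("password123")
    print("'password' accepted:", legacy.verify("password"))
    print("full-length store:", significant_length(TruncatingStore()))
```

Run against a test account on a real system by replacing the two store methods with calls to its password-change and login functions; a result below the advertised maximum length means the extra characters add nothing.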