Slashdot Mirror


AOL's Embarrassing Password Woes

An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog: "Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters." This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."

3 of 192 comments

  1. Re:Standard crypt problem by Alioth · Score: 1, Redundant

    Not only that, it either didn't have a salt or the salt was invariant.

  2. So, now we can't count? by Ralph Spoilsport · Score: -1, Redundant
    This means that a user who uses "password123" or any other obvious eight-character password

    Any OTHER 8 char password? "password123" is an 11 char password. Duh. How did this get past the editors? Oh, never mind.

    RS

    --
    Shoes for Industry. Shoes for the Dead.
  3. So? They're not alone by Anonymous Coward · Score: -1, Redundant

    Linux and Solaris and just about every major vendor unix's "passwd" only regarded the first 8 letters of the password anyway. The whole point is the force required to break the encryption with the key length (triple DES with 8 is pretty darn good). Why the AOL scare mongering?
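
The first-eight-characters behaviour described in the summary, as an added example that is not part of the Slashdot thread and is not AOL's code. `TruncatingStore` is a constructed stand-in for such a back end, and `effective_length` is a hypothetical check an operator could run with a test account to find where a verifier stops reading.

```python
import hashlib
import hmac
import os
import string

LEGACY_LIMIT = 8  # the first-eight-characters behaviour described in the summary


class TruncatingStore:
    """Constructed stand-in for a back end that hashes only the first `limit` characters."""

    def __init__(self, limit=LEGACY_LIMIT):
        self.limit = limit          # None means the whole password is used
        self.records = {}

    def _digest(self, password, salt):
        material = password if self.limit is None else password[: self.limit]
        # PBKDF2 is only a placeholder KDF here; the truncation is the point.
        return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, 10_000)

    def enroll(self, user, password):
        salt = os.urandom(16)       # per-user random salt
        self.records[user] = (salt, self._digest(password, salt))

    def verify(self, user, password):
        salt, stored = self.records[user]
        return hmac.compare_digest(stored, self._digest(password, salt))


def effective_length(store, user="probe-user", max_len=16):
    """Return how many leading characters the verifier checks, or None if all max_len count."""
    password = string.ascii_letters[:max_len]   # constructed probe password, no '#'
    store.enroll(user, password)
    for i in range(max_len):
        mutated = password[:i] + "#" + password[i + 1:]
        if store.verify(user, mutated):
            return i                # a change at position i went unnoticed
    return None


if __name__ == "__main__":
    legacy = TruncatingStore()
    legacy.enroll("alice", "password123")
    print(legacy.verify("alice", "password"))       # suffix ignored
    print(legacy.verify("alice", "passw0rd123"))    # change inside first 8 is caught
    print(effective_length(legacy), effective_length(TruncatingStore(limit=None)))
```

A result below the advertised maximum length means the sign-up form accepts characters that the verifier never checks.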