AOL's Embarassing Password Woes
An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog:
"Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters."
This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."
It's nothing new; the BT Openworld webmail system had this unique bug/feature years ago. Wonder if they've fixed it....
Solaris (up to Solaris 8 anyway) has exactly the same problem. I wouldn't be surprised if it's widespread on older systems.
One thing I find interesting, though: way back before the internet was well known (1990 or so, I think), when people paid for CompuServe or AOL or whatever, I had a CompuServe account. The original password was 'wrote*admiral' and it definitely required all letters to be correct.
This is not that unusual.
We switched to a new content management system and gleefully informed users that their new default password was (an organization-standard eight-character string) followed by their username.
We realized something was wrong when someone noticed that all the password hashes were the same.
(The fix: find a new better hash function.)
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
"Me too!" :^)
No, what's really embarrassing is mis-spelling that very word in the title of a Slashdot article.
Same problem in a default installation of Solaris-10 as well.
I *still* cringe to this day when someone asks for computer help and it starts out with "Well, when I log on to my AOL..."
TLF
I do not respond to cowards. Especially anonymous ones.
I can do this one better. I signed up for some game known as MapleStory a while back, submitting the password "DaedAEcarECel40s".
I quickly found that I could not log on to my account. I was wondering whether I misspelled my password or something, when I noticed (while reading the FAQ) in small print "Passwords must be 8 characters or less." Now, no warning of this was given anywhere on the sign up form.
In shock, I realized what the issue must have been. Sure enough, trying to log on with password "DaedAEca" worked like a charm.
Yes, not only did they not warn the user that there was a maximum on the password length while signing up, and not only did their form accept my 16-char password, but it actually would not let me log in with the full password. Man, I was pissed and confused for a while...
I believe the original RFC for radius only looked at the first 8 characters. It would not surprise me if AOL was using a tried and proven radius solution, and never bothered to update. I'd be interested to know the results if one was to choose a long password and then
1. Log into AOL and only use the first 8 characters
2. Log into the AOL webmail and only use the first 8 characters.
This may indicate if the limitation is the sign in solution, or the entire userdb backend.
cluge
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
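The two-step check the poster above proposes (register a long password, then see whether only the first eight characters are needed) can be automated. The following is an added example written for this thread, not AOL's code or the poster's: a toy `LegacyStore` that hashes only the first eight characters (the behaviour the article describes) next to a `ModernStore` that hashes the whole password with PBKDF2, and an `audit_store()` helper that reports how many leading characters a store actually checks and whether trailing junk is accepted. The store classes, the `TRUNCATE_AT` constant and the audit user name are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed for this example: the legacy behaviour described in the article,
# where only the first 8 characters of the password ever reach the hash.
TRUNCATE_AT = 8


class LegacyStore:
    """Toy credential store that silently truncates passwords (flawed)."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _digest(salt, password):
        # The defect: the slice drops everything after TRUNCATE_AT characters.
        return hashlib.sha256(salt + password[:TRUNCATE_AT].encode()).digest()

    def register(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._digest(salt, password))

    def login(self, user, password):
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._digest(salt, password))


class ModernStore(LegacyStore):
    """Same interface, but the whole password is fed to a slow KDF."""

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def audit_store(store, probe_len=12, user="audit-user"):
    """Register a probe password and report what the store really checks.

    Returns {"checked_prefix": n or None, "ignores_extra_chars": bool}.
    checked_prefix is the shortest leading slice that still logs in
    (None means the full password is required); ignores_extra_chars is
    True when the probe plus trailing junk is also accepted.
    """
    # Distinct characters, so every prefix length is a different string.
    probe = "".join(chr(ord("a") + i) for i in range(probe_len))
    store.register(user, probe)

    checked_prefix = None
    for n in range(1, probe_len):
        if store.login(user, probe[:n]):
            checked_prefix = n
            break

    ignores_extra = store.login(user, probe + "ZZZZ")
    return {"checked_prefix": checked_prefix, "ignores_extra_chars": ignores_extra}


if __name__ == "__main__":
    for name, store in (("legacy", LegacyStore()), ("modern", ModernStore())):
        print(name, audit_store(store))
```

The same probe works against any system that exposes register and login, which is how you would confirm whether the truncation lives in the sign-in front end or in the shared user database the poster asks about: run it against each entry point and compare the reported prefix length.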
It's worse than they make out. Back in December 06 I posted a synopsis of how the password hashing on AIM works. They ALSO remove all the 'weird' (read: non-alphanumeric) characters. So your "eight characters" may actually be only six or four - since it cuts the password down to eight before it removes the weird ones.
;)
They also don't hash passwords anymore in your registry from AIM6 onward. They encrypt them, but that's a lot easier to get around than hashing.
If you really want a more detailed explanation you can take a look at the 12/29/06 and 12/30/06 posts on this page - http://tsourceweb.com/ - but what I already mentioned is the crux of the issue. (We all know people on Slashdot don't like to read articles anyway.)
For random passwords, I guess 8 characters are still OK, but it's worse if you pick "smart" combinations of words and numbers, like "computers4life" or "jennifer2007". With dictionary attacks adapted for these lengths, they'd only need to check for the first 8 and it would be "computer" and "jennifer" in this case. If you further adapt the attack to only look for e.g. ratios of 4:4 with first 4 being a word and remaining 4 being random, and so on for 5:3, 6:2, 7:1, and 8:0, you also catch circumstances where users have picked passwords like "love4u2007", which would be caught in the "4:4" attack as "love" + "4u20". Maybe that's still secure enough, but this sounds a bit risky when using word passwords, even when mixing with numbers to avoid dictionary attacks, especially with this limitation.
Beware: In C++, your friends can see your privates!
I got to the University of Cincinnati in Ohio and I noticed this same problem. Anything after the first 8 digits of the password is ignored. So "lawlpewpew" is the same thing as "lawlpewpewLAZERBEAM". I emailed the IT tech support people asking them about it, but all I got in reply was some default, automated response. In the end, they didn't do anything to fix it either.
Nope. At some companies I worked for, the most common passwords are "password", "hockey" (I have no idea why), and "yousuck" (Windows machines). The opposite extreme is companies with password Nazis who insist that your password be a certain length, follow a certain pattern (capital letters, lowercase letters, numbers and symbols) and minimum length (eight or more characters), must be changed every 90 days, and you can't reuse the last 500 variations of the same password based on your name.
Apple's OS X had the same problem until 10.3. See Apple KB article
> So that's the same as in most (all?) Linux distributions by default.
Was that a question or a statement?
No Linux distro that I have used in the past 8 years hashes only the leading 8 chars of a pass phrase. Even so, a strong 8 char password is still a strong password (e.g. *_Jilt3d) or even better with non-printable chars.
... thus pretty much ensuring that you write it down.
Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
Do you really think the type of people who use AOL would use a password longer than eight characters anyway?
Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
Given that I saw exactly this behaviour on a Solaris 8 install at work a few months ago, no, I completely believe it.
Of course, *then* I was shocked...
It's official. Most of you are morons.
At a certain university, this was also the case.
The flaw in question seemed to apply only to a web mail client which they are in the process of phasing out in favor of an open source solution, which is pretty interesting because it's the first I've seen which has support for S/MIME.
Presumably, the older system will be brought off line soon, as the flaw has been known for some time.
When signing on in front of people who didn't know about the flaw, it was fun to make them think you had a password in excess of thirty characters.
Too busy staying alive... ~ R.A.
NT4 broke a 16 character password and separately hashed the first and second parts so you could attack them separately. This is why passwords > 8 characters were recommended. Better than TFA, and (thankfully) fixed in NT5.
Worth remembering if you still have any NT4 servers in production.
The latest AIX 5.3 has this same stupid limitation too. It's driving us nuts at work because we authenticate to Active Directory, which supports long passwords, but AIX only cares about the first 8. Ridiculous. We had to purchase SpecOps and force AD to limit to a max of 8 so that users would be forced to have a unique password every time. We contacted IBM and they said they had no plans on fixing this.
I believe I encountered this last year when I was trying to set my wife's AIM account up on her iChat client. She had been typing the long version of her pass into the AIM client, which apparently wasn't reading past those first 8 characters. When we tried it in the iChat client, it kept spitting it back out as being incorrect. We eventually had to change her pass to a shorter one to get it to work.
So that's the same as in most (all?) Linux distributions by default.
Not since some time around 2000 when all of the major distributions switched from DES to MD5 authentication. Some major Unix vendors do still have the issue, though.
AOL management must make the same assumptions about AOL hackers that the rest of us do about AOL users.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
90 days? What luxury. Ours is every 30 days. Grrr...
At school, back in 1998, every Linux distro we installed used to have that limitation, a limitation in the encryption routine, and a rationale something like a longer password being easier to crack. It would not surprise me if AOL were still using Slackware 2.0 ;-)
It changes authentication from something you know to something you have.
Reminds me of that Mitch Hedberg joke:
"You know when a company wants to use letters in their phone number, but often they'll use too many letters? 'Call 1-800-I-Really-Enjoy-Brand-New-Carpeting.' Too many letters, man, must I dial them all? 'Hello? Hold on, man, I'm only on "Enjoy." How did you know I was calling? You're good, I can see why they hired you!'"
RIP Mitch
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
Don't you mean they look weird with Caps Lock off? ;-)
-=This sig has nothing to do with my comment. Move along now=-
Unselfish actions pay back better
First, this article is flat out wrong and I challenge you to try it yourself. The AOL service will only allow up to 8 character passwords for e-mail related items. My password for my AIM clients has always been greater than 8 characters and I *cannot* log into anything without typing the entire password. This includes any web-based service at *.aol.com (primarily controlled by my.screenname.aol.com). I am a bit perplexed at where this article is getting its information.
:)
A few test cases to pay attention to:
1) Sign up for an AOL mail account https://new.aol.com/freeaolweb/?promocode=814322&
Notice it only allows you to choose a password that's 6-8 characters, just like the AOL service itself. So now try and login with your password that's 6-8 characters, but add a few more. It lets you in right? Ok, so do this... reset/change your password now. Click "Forgot my Password" or whatever the link is called. Go through the questions and set a new password. Oh wait, notice it only lets you pick a 6-8 character password.
What does this mean? It means for AOL-service based/AOL-mail based accounts, they only allow 6-8 characters for the password! Who cares if it accepts extra characters. There is a 6-8 character limitation. It's absolutely irrelevant that it accepts additional characters.
They seem to be confusing this with AIM-only based accounts, which allow up to 16 character passwords and DO NOT allow anything more or anything less than the *EXACT* password. Try it yourself. If my AIM password is "pCv921!$z" it will reject me if I put "pCv921!$" and it will reject me if I put "pCv921!$z44". This is not that big of a deal and certainly isn't embarrassing. This is flat out a difference in AOL's mail-based system vs. AOL's AIM-based system.
Want to know a big shocker about AOL's mail-based system that they didn't figure out and report on that *is* embarrassing?
These AOL.com (mail-based) and AOL-service based accounts are *NOT* case sensitive. That's right, try and make your password with some uppercase letters. It doesn't make a difference if your 6-8 character password has uppercase letters or not. It doesn't recognize it! I didn't check but I don't believe it recognizes special characters either. So your character set is a-z0-9.
Chew on that. Steven
What exactly about AOL isn't embarrassing?
"He who can destroy a thing, controls a thing." --Paul Atreides, Dune
Well, a strong 8 char password cannot be "relying on the part after the eighth character to make it strong", as it only has 8 characters.
MySpace has this same defect/error/bug/"feature for the young memory deficient" as well... Their passwords aren't case sensitive and only read X characters no matter how many you type... And you wonder why people are always being phished/hacked...
Now those are people who do not understand the way people think. Mathematicians, not psychologists.
And they are the reason social engineering works so well.
People like having one, maybe two or three passwords.
So instead of making them change passwords regularly (and do note the analogy of having to change your front door lock every two months!), make them create one relatively secure password and drill them to memorize it, never, ever reveal it to anyone and never ever write it down.
Changing passwords does not affect their crackability in any way, anyway... it is a random security layer which can close the door to someone who has already cracked the old one, in which case your security sucks anyhow.
Ignore this signature. By order.
Something you have on a post-it note, stuck to your desk underneath your keyboard.
I wish someone would fix that issue in VNC so that it required more than eight characters. That seems especially bad and worth fixing, but nobody has done it yet.
Please, if the slashdot community is going to complain about how stupid password limits are, can someone fix the open source projects that have the same issue so that we can't point and laugh at that too?
Preferably, one would just write down a hint, of course. And not on a sticky-note on the monitor.
No, what I mean is it doesn't matter, since I usually read Slashdot from a csh session running Lynx on my Lear-Siegler ADM3, which has its DIP switches set to force everything to ALL CAPS all the time.
Today, of course, I'm on the Silent 700 terminal and cursing everybody with those paper-wasting SIGs in their comments.
You're an idiot. 'password', the eight-character segment that actually counts, is extremely common.
"You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
Hello, this is AOL tech support... we have lost our database for user names, your account will not function unless you give us your account name and the first 8 letters of your password for confirmation... Maybe I'll ask for credit cards too...
lol: You see no door there!
If you want a secure 8-character password, use something like, which yielded, b&9y@)HN just now. Humans are lousy password pickers, because we automatically patternize everything we see or create.
or better yet, tell strings to pick out 8-bit characters, too and get something like:
although that and non-printable are probably not the greatest of ideas, because they're usually non-typable (or at best typrobatic) too.
Can you be Even More Awesome?!
Any obvious 8 character password [plus arbitrary crap]. Please notice that 'password' is 8 characters. Are you really so dense or just picking nit?
Patents Drive Free Software as Hurricanes Drive Construction Industry
Official versions of VNC from AT&T and later RealVNC had similar password limitations, though I can't remember if it was 7 or 8 characters. All I know is that it gave me a good reason to switch to UltraVNC, which used the native login API on whatever OS it was running.
I've had an AOL account since the mid nineties. I don't really use it anymore, but the password's only 4 characters.
I wonder how many other people have 'older' aol accounts and haven't changed their passwords.
Humans are also very bad at remembering random strings, so no, don't use the shell script posted in the parent, as it will lead to a password you'll have to write down, or will use for everything and never change. Use combinations of words and special characters, like "&URA*2me" or some such thing.
Amazing! I keep mine in the same spot!!!
A password that contains lower and uppercase alpha, numeric and punctuation chars is considered strong.
1337ing words doesn't count though. It's probably good enough for almost anything, but not good enough to stop a determined hacker.
Any auth system that doesn't set off alarms when some script kid is trying to brute force it is a joke.
Doesn't help if it's an offline attack.
Non-printable chars are security by obscurity, a good idea for OS logins only because script kids often don't think to check for them.
Non-printable chars also increase the key space.
Secondly, security by obscurity isn't a bad thing. It's tossed around as if it's worthless, but it's not. You just can't rely on said security for your whole system.
But I'm not sure non-printables are worth the hassle. I set my Unix password to something with an escape once, but just had to go and change it because when I typed it into the password box in the SSH client that I use, esc acts as cancel.
There are many other service providers that have this stupidity. In India, for example, we have SIFY NET, which has the same problem: it reads only the first 8 chars of the password.
Under the keyboard? That's a rarity, mostly they seem to be stuck to the monitor.
The attacker still has to brute force the passphrase and any sane security policy will detect the attack.
True, but that's also the same if you don't replace characters. If you do your typical 1337 substitutions (e.g. e->3), you just need to do a more sophisticated dictionary attack. Probably increases the keyspace by a couple dozen times at most.
Matt Bishop gives a list of passwords that are easy to guess, at least for an offline attack; it includes "dictionary words with some or all letters capitalized" and "dictionary words with any of the following changes: a->2, e->3, h->4, i->1, l->1, o->0, s->5 or $, z->5"
True but increasing password length by 4 chars is stronger.
Agreed, but if you're on a system that limits you to, say, 8 characters, you don't have much choice. (Like, say, the Penn State CS dept, at least as of a couple years ago.)
A comment on the article page says Amazon has this crappy truncating problem too...can anyone verify this?
Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone.-rms
This is not so bad. If you keep it in a safe place you would immediately notice it missing... I keep mine (while I'm learning it, anyway) in a special place in my wallet, and my wallet is nearly always on my person (or nearby).
The problem is postit-syndrome.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Old text adventure games were often like this. You'd type in an entire sentence, but the computer would only look at the first three letters of the first two words. I remember using "drink white paint" to drink the whiskey. (This was back when the final resting place of outdated computer games was not the $10 bargain bin, but rather having the entire source printed in a computer games magazine so people could type it into their Apple II.)
I think that Infocom, being the class act of text adventures, didn't suffer this "feature".
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
The opposite extreme is companies with password Nazis who insist that your password be a certain length, follows a certain pattern
I've seen ones where they specify things like 'must be 10 characters long, contain 2 symbols, 2 numeric characters, 2 uppercase'. They don't seem to realise that they are actually *reducing* the complexity of possible passwords.
If a cracker knows that a password *will* contain, eg, 2 non-alphanumeric characters plus 2 numerals plus 2 upper case characters and the required length of the password this reduces the search space significantly.
In the free world the media isn't government run; the government is media run.
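The search-space argument in the post above, and the earlier observation that AOL's mail passwords are effectively 8 case-insensitive characters from a-z0-9, can both be put in numbers. The following is an added example, not part of any post in this thread: `truncated_bits()` gives the effective entropy of a random password when only the first `checked_length` characters are compared, and `count_with_bounds()` counts how many length-n strings satisfy per-class minimum (and optionally maximum) counts, so a "must contain 2 symbols, 2 digits, 2 uppercase" rule can be compared with an unconstrained password of the same length. The class sizes (33 symbols, 10 digits, 26 upper, 26 lower, the 95 printable ASCII characters) and the 10-character policy are assumptions taken from the post, not measured values.

```python
import math
from itertools import product


def truncated_bits(alphabet_size, typed_length, checked_length=None):
    """Entropy in bits of a uniformly random password over `alphabet_size`
    symbols when the system only compares the first `checked_length`
    characters (None means the whole password is checked)."""
    effective = typed_length if checked_length is None else min(typed_length, checked_length)
    return effective * math.log2(alphabet_size)


def count_with_bounds(length, class_sizes, minimums, maximums=None):
    """Number of strings of `length` over disjoint character classes where
    class i occurs at least minimums[i] and at most maximums[i] times.

    Enumerates every count vector summing to `length` and adds the
    multinomial coefficient times the per-class symbol choices.
    """
    k = len(class_sizes)
    if maximums is None:
        maximums = [length] * k
    total = 0
    for counts in product(range(length + 1), repeat=k):
        if sum(counts) != length:
            continue
        if any(c < lo or c > hi for c, lo, hi in zip(counts, minimums, maximums)):
            continue
        coeff = math.factorial(length)          # multinomial coefficient
        for c in counts:
            coeff //= math.factorial(c)
        ways = coeff
        for c, size in zip(counts, class_sizes):
            ways *= size ** c                   # which symbol fills each slot
        total += ways
    return total


# Assumed class sizes for printable ASCII: symbols, digits, upper, lower.
PRINTABLE = [33, 10, 26, 26]


def policy_comparison(length=10):
    """Bits of search space for three 10-character policies (assumed sizes)."""
    unconstrained = sum(PRINTABLE) ** length
    at_least = count_with_bounds(length, PRINTABLE, [2, 2, 2, 0])
    exactly = count_with_bounds(length, PRINTABLE, [2, 2, 2, 0], [2, 2, 2, length])
    return {
        "unconstrained": math.log2(unconstrained),
        "at_least_2_2_2": math.log2(at_least),
        "exactly_2_2_2": math.log2(exactly),
    }


if __name__ == "__main__":
    # The AOL mail case from the thread: a-z0-9, case-insensitive, 8 checked.
    print("16 typed / 8 checked, 36 symbols:", round(truncated_bits(36, 16, 8), 2))
    for name, bits in policy_comparison().items():
        print(f"{name}: {bits:.2f} bits")
```

Running it shows that a 16-character password on a system that checks 8 case-insensitive alphanumerics is worth about 41 bits regardless of what was typed, and that a composition rule costs a fraction of a bit when read as "at least", but considerably more when an attacker can assume the counts are exact, which is the point the post makes about rules that over-specify structure.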
I just don't think dictionary attacks are viable when there's unrelated non alpha numeric chars in the pass phrase.
I agree there, at least if it's not something predictable like a couple numbers at the end of a dictionary word.
LOL, back in the day, like 6th grade, my friend came up with a brilliant password. "Just use password!" he said, it's so obvious, no one will ever guess! Gone are those idealistic times...
Also, I double checked - at least ./ isn't case sensitive :)
RealVNC 4 has this same problem. One of my clients uses it and set the password to a 12-key entry, with uppercase, lowercase, numbers, and a special character. Too bad most of his non-alphas were at the end...
With MySpace you can have a password such as "Password123*&%". To login, you only need to use "Password123". Obviously their system does not recognize the extended characters at the end?
Kickass Cheap Web Hosting
Anyone else having a hard time believing this?
.. woot, logged in.
No. I just tried this on my work's development Solaris machine, as another poster suggested. Typed in the first 8 characters of my password, then a whole lot of random junk.
Nothing to see here, move along.
Me too. I put a mini Post-it on the back of my driver's license on the 90-day interval. It takes about 3 days to move the "finger burn in" from my old password to the new one. When the Windows domain gives me my 14 day warning, I always try to do it on a Monday or Tuesday.
At least it's a serious upgrade from the 6-character passwords AOL used to limit their users to.
"Those who think they know everything are of great annoyance to those of us who do." - Isaac Asimov
And in OS/400, passwords aren't case-sensitive. Nothing like reducing your search space dramatically!
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
I find that picking out just something around the desk and using its serial number (or some other long sequence of random letters and numbers) as your password, you'll never forget it as long as you know what thing it's on. Not so good, however, is when someone notices that you're looking at the back of your computer speakers every time you log on.
The problem with having one good password is that it's essentially putting all your eggs in one basket. If your password is cracked in one place, then it can be used in other places. If my slashdot password is compromised, and I use the same username/password for my banking, I'll be sorry.
The other problem is with revealing passwords. I know you said never to reveal it to anyone, but everyone must reveal their password at some point. I say this because anywhere that you input your password is revealing it to a computer, which is operated by someone. Do you know how safe a site keeps your password? Take Slashdot for example: Do you know how they store their passwords? I don't, and use a less secure password for here than usual.
The method I use is to have different levels of passwords that I know. For secure sites, such as banking, or trusted online merchants, I have a high level password. For my e-mail accounts and work purposes, I have a medium level one. For message boards and other "junk" sites (yes, slashdot), I have a low level password. They are all secure passwords, don't get me wrong, but I use different ones for different purposes. I find that it works well. If I am logging into a site that I'm not sure if I can trust, I'll use a junk password, write it down, and if I later decide to trust that site, I change it to one of my main passwords. I took that idea from someone on the internet, perhaps here on slashdot, and it's worked well since then. It sure beats when I was in high school and used my girlfriend's name for everything. If I did that now, I'd just have a blank password.
warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
A better solution is to pick an easy to remember phrase or quote, take the first letter of each word and then jig it around a bit.
An example of this would be taking the line "Dulce et decorum est pro patria mori" from Wilfred Owen's poem. This could be converted into the password Ded&ppM!
As long as you pick a memorable phrase and you use semi-intelligent substitution for non-alphanumeric character, you will have a strong password that is resistant to dictionary attacks and easy to remember.
People still use AOL? For heaven's sake, why?
cp /dev/zero ~/signature.txt
Do you really think the type of people who use AOL would use a password longer than eight characters anyway?
Sure, plenty of folks have dogs with names longer than 8 characters.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I don't know about you, but the first 8 letters of my Linux password don't get me anywhere. It has to be typed in completely.
Oh Crap, I'm an optimist.....
I do something similar.
For systems that I access regularly (at least 2 times per week) that need a secure password, I make up a long one and memorize it. I find that I can memorize and track about 6 of those. These passwords are either login passwords or ones that protect my GPG or SSH2 keys. Basically those 6-12 passwords are the keys to my kingdom and the only ones I memorize.
For systems that I don't hit regularly, and don't need access to them from random locations or on a minute's notice while away from my desk - they get protected by my GPG key. I create a text file with a GPG encrypted block inside that contains the password. Easy to backup, printable, faxable, post them around town, etc. As long as I have my GPG keys, I can retrieve those passwords.
Websites? Same deal. I create a random password (different for each site) and have Firefox memorize it (as well as storing it in a GPG protected text file). After all, if I'm locked out of a forum for a day or two until I can get back to my laptop - who cares? I'd be hard-pressed to tell you what my slashdot password is, I'd have to go decrypt that GPG block first.
It also helps to have a good little password generator. Something with around 300k+ words where you can tell it how jumbled up to make things along with length, random symbols, random capitalization and insertion of numbers or letters in the middle. Whatever you use needs to be quickly accessible for times when you need a random password.
Wolde you bothe eate your cake, and have your cake?
The quote:
This means that a user who uses "password123" or any other obvious eight-character password
note that there is no reference to a section THAT COUNTS, the entire password "password123" was in QUOTES, as in "password123", and therefore, as it is the SECTION IN QUOTES that was emphasized by the author, indicates that the password in question is "password123" not "password". And it doesn't take a degree in math to note that "password123" is 11 characters long.
Think twice before you post. Once would be an improvement.
RS
Shoes for Industry. Shoes for the Dead.
I keep mine in my luggage.
Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
Why the hell is AOL not outsourcing their job... It's better they don't do it.... It's just too sad.