Slashdot Mirror


AOL's Embarrassing Password Woes

An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog: "Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters." This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."

21 of 192 comments

  1. Nothing new by Anonymous Coward · · Score: 4, Interesting

    It's nothing new; the BT Openworld webmail system had this unique bug/feature years ago. Wonder if they've fixed it...

  2. Not alone by bsane · · Score: 4, Informative

    Solaris (up to Solaris 8 anyway) has exactly the same problem; I wouldn't be surprised if it's widespread on older systems.

    One thing I find interesting though: way back before the internet was well known (1990 or so I think) and people paid for CompuServe or AOL or whatever, I had a CompuServe account and the original password was 'wrote*admiral', and it definitely required all letters to be correct.

    1. Re:Not alone by TheRaven64 · · Score: 4, Informative

      I don't know about Gentoo specifically, but on most *NIX systems the convention is to put the default values in the example config file, commented out. This shows the user what the defaults are, and shows that they don't need to be explicitly stated.

      --
      I am TheRaven on Soylent News
    2. Re:Not alone by PAjamian · · Score: 5, Informative

      It's not just Solaris, here's part of /etc/login.defs on a Gentoo box:

      # Number of significant characters in the password for crypt().
      # Default is 8, don't change unless your crypt() is better.
      # Ignored if MD5_CRYPT_ENAB set to "yes".
      #
      #PASS_MAX_LEN 8

      # If set to "yes", new passwords will be encrypted using the MD5-based
      # algorithm compatible with the one used by recent releases of FreeBSD.
      # It supports passwords of unlimited length and longer salt strings.
      # Set to "no" if you need to copy encrypted passwords to other systems
      # which don't understand the new algorithm. Default is "no".
      #
      MD5_CRYPT_ENAB yes

      Old DES crypt() hashing is only significant to 8 chars on any system. That's why modern systems (including Gentoo) use MD5 hashing by default which has no limit on the length of the password to hash. Notice that MD5_CRYPT_ENAB is set to "yes" above which causes it to ignore the PASS_MAX_LEN setting.
      --
      Windows is a bonfire, Linux is the sun. Linux only looks smaller if you lack perspective.
    3. Re:Not alone by Cygfrydd · · Score: 4, Informative

      # Ignored if MD5_CRYPT_ENAB set to "yes".
      #
      #PASS_MAX_LEN 8
      ...
      MD5_CRYPT_ENAB yes
      ... which seems to indicate that the default behaviour is to ignore the password length cap altogether.

      @yg
  3. Standard crypt problem by AEton · · Score: 5, Interesting

    This is not that unusual.

    We switched to a new content management system and gleefully informed users that their new default password was (an organization-standard eight-character string) followed by their username.

    We realized something was wrong when someone noticed that all the password hashes were the same.

    (The fix: find a new better hash function.)

    --
    We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
  4. Re: same in the default install of solaris 10 by Anonymous Coward · · Score: 5, Informative

    Same problem in a default installation of Solaris-10 as well.

  5. Ahh fixed the summary... by The+Living+Fractal · · Score: 4, Funny

    Well, it turns out that when someone signs up for an AOL.com account, the user has sold their digital soul to Satan.


    I *still* cringe to this day when someone asks for computer help and it starts out with "Well, when I log on to my AOL..."

    TLF
    --
    I do not respond to cowards. Especially anonymous ones.
  6. Even better by AndrewM1 · · Score: 5, Interesting

    I can do this one better. I signed up for some game known as MapleStory a while back, submitting the password "DaedAEcarECel40s".

    I quickly found that I could not log on to my account. I was wondering whether I misspelled my password or something, when I noticed (while reading the FAQ) in small print "Passwords must be 8 characters or less." Now, no warning of this was given anywhere on the sign up form.

    In shock, I realized what the issue must have been. Sure enough, trying to log on with password "DaedAEca" worked like a charm.

    Yes, not only did they not warn the user that there was a maximum on the password length while signing up, and not only did their form accept my 16-char password, but it actually would not let me log in with the full password. Man, I was pissed and confused for a while...

  7. It's actually worse than that by imunfair · · Score: 5, Interesting

    It's worse than they make out. Back in December 06 I posted a synopsis of how the password hashing on AIM works. They ALSO remove all the 'weird' (read: non-alphanumeric) characters. So your "eight characters" may actually be only six or four - since it cuts the password down to eight before it removes the weird ones.

    They also don't hash passwords anymore in your registry from AIM6 onward. They encrypt them, but that's a lot easier to get around than hashing.

    If you really want a more detailed explanation you can take a look at the 12/29/06 and 12/30/06 posts on this page - http://tsourceweb.com/ - but what I already mentioned is the crux of the issue. (We all know people on Slashdot don't like to read articles anyway ;)

  8. Re:No way. by __aaclcg7560 · · Score: 5, Informative

    Nope. At some companies I worked for, the most common passwords are "password", "hockey" (I have no idea why), and "yousuck" (Windows machines). The opposite extreme is companies with password Nazis who insist that your password be a certain length, follows a certain pattern (capital letters, lowercase letters, numbers and symbols) and minimum length (eight or more characters), must be changed every 90 days, and you can't reuse the last 500 variations of the same password based on your name.

  9. Re:Not alone, Apple too by Branka96 · · Score: 5, Interesting

    Apple's OS X had the same problem until 10.3. See Apple KB article

  10. Re:No way. by Bastard+of+Subhumani · · Score: 4, Insightful

    ... thus pretty much ensuring that you write it down.

    --
    Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
  11. This is AOL we're talking about... by ZeldorBlat · · Score: 4, Insightful

    Do you really think the type of people who use AOL would use a password longer than eight characters anyway?

  12. Re:That's YOUR password? by Jim+Hall · · Score: 4, Funny

    That's ok, I logged in and changed it for you. :-)

  13. AIX by Sp00nMan · · Score: 4, Interesting

    The latest AIX 5.3 has this same stupid limitation too. It's driving us nuts at work 'cause we authenticate to Active Directory, which supports long passwords, but AIX only cares about the first 8. Ridiculous. We had to purchase SpecOps and force AD to limit to a max of 8 so that users would be forced to have a unique password every time. We contacted IBM and they said they had no plans on fixing this.

  14. Mitch Hedberg by Himring · · Score: 5, Funny

    Reminds me of that Mitch Hedberg joke:

    "You know when a company wants to use letters in their phone number, but often they'll use too many letters? 'Call 1-800-I-Really-Enjoy-Brand-New-Carpeting.' Too many letters, man, must I dial them all? 'Hello? Hold on, man, I'm only on "Enjoy." How did you know I was calling? You're good, I can see why they hired you!'"

    RIP Mitch

    --
    "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
  15. Re:Spelling by Hebbinator · · Score: 4, Funny

    Gotta get a spell check.

    I spent all day yesterday giggling at "eLfavirenz" (it's efavirenz, no L). While HIV/AIDS is far from a humorous disease, images of Brazilian midgets with big ears and curl-toed shoes sneaking around with big bottles of pirated protease inhibitors kept jumping in my head.

    For a second treat, google ELFavirenz and see the 260+ web sites that took the exact same text and put it up after /.'s error!

  16. Re:Ditto NT4. Sort of. by kestasjk · · Score: 4, Informative

    I think you've mixed something up.

    The Lanmanager hashing system breaks the password up into two 7-char sized chunks, converts them to upper case, and hashes each separately, and XP still uses Lanmanager hashes if you don't explicitly tell it not to (by changing a registry setting).

    The first 14 characters are still used in Lanmanager hashes though, so this is only a security hole if the attacker can access the hashes.

    --
    // MD_Update(&m,buf,j);
  17. Flat Out Wrong - Read by madsheep · · Score: 4, Informative

    First, this article is flat out wrong and I challenge you to try it yourself. The AOL service will only allow up to 8 character passwords for e-mail related items. My password for my AIM clients has always been greater than 8 characters and I *cannot* log into anything without typing the entire password. This includes any web-based service at *.aol.com (primarily controlled by my.screenname.aol.com). I am a bit perplexed at where this article is getting its information.

    A few test cases to pay attention to:

    1) Sign up for an AOL mail account https://new.aol.com/freeaolweb/?promocode=814322&ncid=AOLAOF00020000000602

    Notice it only allows you to choose a password that's 6-8 characters, just like the AOL service itself. So now try and login with your password that's 6-8 characters, but add a few more. It lets you in right? Ok, so do this... reset/change your password now. Click "Forgot my Password" or whatever the link is called. Go through the questions and set a new password. Oh wait, notice it only lets you pick a 6-8 character password.

    What does this mean? It means for AOL-service based/AOL-mail based accounts, they only allow 6-8 characters for the password! Who cares if it accepts extra characters. There is a 6-8 character limitation. It's absolutely irrelevant that it accepts additional characters.

    They seem to be confusing this with AIM-only based accounts, which allow up to 16 character passwords and DO NOT allow anything more or anything less than the *EXACT* password. Try it yourself. If my AIM password is "pCv921!$z" it will reject me if I put "pCv921!$" and it will reject me if I put "pCv921!$z44". This is not that big of a deal and certainly isn't embarrassing. This is flat out a difference in AOL's mail-based system vs. AOL's AIM-based system.

    Want to know a big shocker about AOL's mail-based system that they didn't figure out and report on that *is* embarrassing?

    These AOL.com (mail-based) and AOL-service based accounts are *NOT* case sensitive. That's right, try and make your password with some uppercase letters. It doesn't make a difference if your 6-8 character password has uppercase letters or not. It doesn't recognize it! I didn't check but I don't believe it recognizes special characters either. So your character set is a-z0-9.

    Chew on that. Steven :)
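
The defects reported across this thread (PAjamian's eight-significant-character DES crypt(), AEton's identical hashes, imunfair's stripping of non-alphanumerics on AIM, kestasjk's 14-character LanManager split, and madsheep's case-insensitive AOL mail passwords) are all cases of a backend silently normalising the password before hashing. The probe below is an added example, not code from the Slashdot page or from AOL, Sun or Microsoft: it treats a `hasher(password, salt)` callable as a black box and asks it the three questions a defender should ask before relying on it. The legacy hashers are constructed stand-ins that reproduce only the normalisation each commenter describes, with SHA-256 standing in for the real digest; the probe string, salt and sample inputs are constructed values.

```python
"""Black-box probe for the password-handling defects this thread describes.

Added example, not from the Slashdot page, AOL, Sun or Microsoft. The hasher
functions are constructed stand-ins: SHA-256 over a normalised password replaces
DES crypt(), LM and whatever AOL used, because the normalisation is what is under
test, not the digest.
"""
import hashlib
from typing import Callable, Dict, Optional

Hasher = Callable[[str, bytes], bytes]

PROBE_PASSWORD = "Correct-Horse9Battery!Staple"  # constructed, 28 characters
SALT = b"constructed-probe-salt"


def _digest(normalised: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + normalised.encode("utf-8")).digest()


# Constructed legacy behaviours, each mirroring one commenter's description.

def des_crypt_like(password: str, salt: bytes) -> bytes:
    """Only the first 8 characters are significant (PAjamian: DES crypt())."""
    return _digest(password[:8], salt)


def aim_like(password: str, salt: bytes) -> bytes:
    """Cut to 8 first, then drop non-alphanumerics (imunfair: AIM hashing)."""
    kept = "".join(ch for ch in password[:8] if ch.isalnum())
    return _digest(kept, salt)


def aol_mail_like(password: str, salt: bytes) -> bytes:
    """Case-insensitive, a-z0-9 only, 8 significant chars (madsheep: AOL mail)."""
    kept = "".join(ch for ch in password[:8].lower() if ch.isalnum())
    return _digest(kept, salt)


def lm_like(password: str, salt: bytes) -> bytes:
    """Upper-cased, first 14 characters significant (kestasjk: LanManager)."""
    return _digest(password[:14].upper(), salt)


def modern(password: str, salt: bytes) -> bytes:
    """Every character matters: PBKDF2-HMAC-SHA256 over the raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


# The probe: three questions to ask a verifier before trusting it.

def significant_length(hasher: Hasher, probe: str = PROBE_PASSWORD) -> Optional[int]:
    """Shortest prefix of `probe` that hashes identically to the whole string,
    i.e. how many characters the backend actually looks at.
    None means no proper prefix collides (no truncation found)."""
    full = hasher(probe, SALT)
    for n in range(1, len(probe)):
        if hasher(probe[:n], SALT) == full:
            return n
    return None


def case_insensitive(hasher: Hasher) -> bool:
    """Short inputs, so truncation cannot mask the result."""
    return hasher("abcdef", SALT) == hasher("ABCDEF", SALT)


def strips_symbols(hasher: Hasher) -> bool:
    """Does removing a punctuation character leave the hash unchanged?"""
    return hasher("abc!def", SALT) == hasher("abcdef", SALT)


def audit(hasher: Hasher) -> Dict[str, object]:
    return {
        "significant_length": significant_length(hasher),
        "case_insensitive": case_insensitive(hasher),
        "strips_symbols": strips_symbols(hasher),
    }


if __name__ == "__main__":
    for name, h in [("des_crypt_like", des_crypt_like), ("aim_like", aim_like),
                    ("aol_mail_like", aol_mail_like), ("lm_like", lm_like),
                    ("modern", modern)]:
        print(f"{name:15s} {audit(h)}")
```

Against a real system the same three checks can be run through its verify path with a throwaway test account instead of a local hasher. Note that `significant_length` reports 7, not 8, for the AIM- and AOL-mail-style backends with this probe string: the hyphen in position eight is cut and then discarded, which is exactly the "your eight characters may actually be six or four" effect imunfair describes, and the number you get depends on how many symbols the probe happens to contain.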

  18. Re:No way. by General+Wesc · · Score: 4, Insightful

    I used to tell people not to write down their passwords, but after dealing with people losing their passwords all the time, I changed my tune. I think this makes a good point. There are some passwords I won't write down, but if I can carry hundreds of dollars, keys to my house and car, and credit cards with a total credit line over 10 000USD in my pocket.

    Preferably, one would just write down a hint, of course. And not on a sticky-note on the monitor.