Slashdot Mirror


AOL's Embarrassing Password Woes

An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog: "Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters." This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."

8 of 192 comments

  1. Standard crypt problem by AEton · Score: 5, Interesting

    This is not that unusual.

    We switched to a new content management system and gleefully informed users that their new default password was (an organization-standard eight-character string) followed by their username.

    We realized something was wrong when someone noticed that all the password hashes were the same.

    (The fix: find a new better hash function.)

    --
    We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
  2. Re: same in the default install of solaris 10 by Anonymous Coward · Score: 5, Informative

    Same problem in a default installation of Solaris-10 as well.

  3. Even better by AndrewM1 · Score: 5, Interesting

    I can do this one better. I signed up for some game known as MapleStory a while back, submitting the password "DaedAEcarECel40s".

    I quickly found that I could not log on to my account. I was wondering whether I misspelled my password or something, when I noticed (while reading the FAQ) in small print "Passwords must be 8 characters or less." Now, no warning of this was given anywhere on the sign up form.

    In shock, I realized what the issue must have been. Sure enough, trying to log on with password "DaedAEca" worked like a charm.

    Yes, not only did they not warn the user that there was a maximum on the password length while signing up, and not only did their form accept my 16-char password, but it actually would not let me log in with the full password. Man, I was pissed and confused for a while...

  4. It's actually worse than that by imunfair · Score: 5, Interesting

    It's worse than they make out. Back in December 06 I posted a synopsis of how the password hashing on AIM works. They ALSO remove all the 'weird' (read: non-alphanumeric) characters. So your "eight characters" may actually be only six or four - since it cuts the password down to eight before it removes the weird ones.

    They also don't hash passwords anymore in your registry from AIM6 onward. They encrypt them, but that's a lot easier to get around than hashing.

    If you really want a more detailed explanation you can take a look at the 12/29/06 and 12/30/06 posts on this page - http://tsourceweb.com/ - but what I already mentioned is the crux of the issue. (We all know people on Slashdot don't like to read articles anyway ;)

  5. Re:No way. by __aaclcg7560 · Score: 5, Informative

    Nope. At some companies I worked for, the most common passwords are "password", "hockey" (I have no idea why), and "yousuck" (Windows machines). The opposite extreme is companies with password Nazis who insist that your password be a certain length, follows a certain pattern (capital letters, lowercase letters, numbers and symbols) and minimum length (eight or more characters), must be changed every 90 days, and you can't reuse the last 500 variations of the same password based on your name.

  6. Re:Not alone, Apple too by Branka96 · Score: 5, Interesting

    Apple's OS X had the same problem until 10.3. See Apple KB article

  7. Re:Not alone by PAjamian · Score: 5, Informative

    It's not just Solaris, here's part of /etc/login.defs on a Gentoo box:

    # Number of significant characters in the password for crypt().
    # Default is 8, don't change unless your crypt() is better.
    # Ignored if MD5_CRYPT_ENAB set to "yes".
    #
    #PASS_MAX_LEN 8

    # If set to "yes", new passwords will be encrypted using the MD5-based
    # algorithm compatible with the one used by recent releases of FreeBSD.
    # It supports passwords of unlimited length and longer salt strings.
    # Set to "no" if you need to copy encrypted passwords to other systems
    # which don't understand the new algorithm. Default is "no".
    #
    MD5_CRYPT_ENAB yes

    Old DES crypt() hashing is only significant to 8 chars on any system. That's why modern systems (including Gentoo) use MD5 hashing by default which has no limit on the length of the password to hash. Notice that MD5_CRYPT_ENAB is set to "yes" above which causes it to ignore the PASS_MAX_LEN setting.
    --
    Windows is a bonfire, Linux is the sun. Linux only looks smaller if you lack perspective.
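    The two failure modes described in comments 1 and 7 (every "standard prefix + username" default password hashing to the same value, and DES crypt() only looking at the first eight characters) can be checked mechanically against any password-hashing backend. The following is an added example written for this page, not code from any of the commenters or from AOL; the `des_crypt_like` and `md5_crypt_like` functions are stand-ins built on SHA-256 that reproduce only the truncation behaviour (a real DES crypt would need libcrypt), and `significant_length` / `default_passwords_collide` are hypothetical helper names. The probe works for any callable of the form `hash_fn(password, salt)`.

```python
import hashlib


def des_crypt_like(password: str, salt: str) -> str:
    """Stand-in for traditional DES crypt(3): only the first eight
    characters of the password are significant. Simulated with SHA-256;
    the truncation, not the digest, is what is being demonstrated."""
    return salt + hashlib.sha256((salt + password[:8]).encode()).hexdigest()


def md5_crypt_like(password: str, salt: str) -> str:
    """Stand-in for MD5 crypt ($1$...): every character is significant."""
    return "$1$" + salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def significant_length(hash_fn, salt: str = "ab", probe_len: int = 64) -> int:
    """Probe a backend for silent truncation.

    Returns the smallest n such that altering every character from
    position n onwards leaves the hash unchanged, i.e. the number of
    leading characters the backend actually uses. Returns probe_len if
    no truncation is detected within that length."""
    base = "a" * probe_len
    h_base = hash_fn(base, salt)
    for n in range(probe_len):
        # Keep the first n characters, change everything after them.
        variant = base[:n] + "b" * (probe_len - n)
        if hash_fn(variant, salt) == h_base:
            return n
    return probe_len


def default_passwords_collide(hash_fn, prefix: str, usernames, salt: str = "ab") -> bool:
    """Comment 1's scenario: the default password is a fixed prefix followed
    by the username. Returns True if all users end up with one identical
    hash, which happens whenever the prefix alone fills the significant
    part of the password."""
    hashes = {hash_fn(prefix + u, salt) for u in usernames}
    return len(hashes) == 1


if __name__ == "__main__":
    # Constructed sample data: an eight-character organisation-standard
    # prefix and three usernames.
    users = ["alice", "bob", "carol"]
    for name, fn in (("DES-style", des_crypt_like), ("MD5-style", md5_crypt_like)):
        print(f"{name}: significant chars = {significant_length(fn)}, "
              f"default passwords collide = {default_passwords_collide(fn, 'Welcome1', users)}")
```

    On a Python version that still ships the standard `crypt` module (it was removed in 3.13), the same probe can be pointed at the real thing: `significant_length(crypt.crypt, salt="ab")` exercises traditional DES crypt, and `significant_length(crypt.crypt, salt="$1$ab$")` exercises MD5 crypt, assuming the platform libcrypt supports both. A result of 8 from a backend that accepts longer passwords is exactly the defect the story describes.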
  8. Mitch Hedberg by Himring · Score: 5, Funny

    Reminds me of that Mitch Hedberg joke:

    "You know when a company wants to use letters in their phone number, but often they'll use too many letters? 'Call 1-800-I-Really-Enjoy-Brand-New-Carpeting.' Too many letters, man, must I dial them all? 'Hello? Hold on, man, I'm only on "Enjoy." How did you know I was calling? You're good, I can see why they hired you!'"

    RIP Mitch

    --
    "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill