AOL's Embarrassing Password Woes
An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog:
"Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters."
This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."
Not alone (Score:5, Informative)
One thing I find interesting, though: way back before the internet was well known (1990 or so, I think), when people paid for CompuServe or AOL or whatever, I had a CompuServe account. The original password was 'wrote*admiral' and it definitely required all letters to be correct.
Spelling (Score:2, Informative)
Re: same in the default install of solaris 10 (Score:5, Informative)
Worse than it sounds? (Score:3, Informative)
Re:No way. (Score:5, Informative)
Ditto NT4. Sort of. (Score:2, Informative)
Worth remembering if you still have any NT4 servers in production.
Re:Not alone (Score:5, Informative)
Re:Not alone (Score:3, Informative)
Re:Not alone (Score:5, Informative)
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# Ignored if MD5_CRYPT_ENAB set to "yes".
#
#PASS_MAX_LEN 8
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
MD5_CRYPT_ENAB yes
Re:Not alone (Score:4, Informative)
#
#PASS_MAX_LEN 8
MD5_CRYPT_ENAB yes
Found this last year. (Score:2, Informative)
Re:Same as in Linux (Score:3, Informative)
Not since some time around 2000 when all of the major distributions switched from DES to MD5 authentication. Some major Unix vendors do still have the issue, though.
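The login.defs fragment quoted above and the DES-to-MD5 switch this reply mentions both come down to one question on a Unix box: which hash scheme is actually in /etc/shadow, and what will new passwords get? The following is an added example, not code from the thread or from shadow-utils. It classifies shadow password fields by their prefix (a bare 13-character field is traditional DES crypt, the scheme PASS_MAX_LEN 8 refers to) and reads the two login.defs settings the way shadow-utils documents them; ENCRYPT_METHOD, when present, supersedes MD5_CRYPT_ENAB. The shadow lines are constructed samples with made-up hash bodies; only their format matters.

```python
"""Audit stored password hashes and login.defs for the 8-character DES limit.

Added example, not code from the thread or from shadow-utils. The shadow
lines below are constructed samples with fake hash bodies.
"""
import re

# "$id$..." prefix -> (scheme, significant characters; None = no fixed limit).
# bcrypt is listed because it has its own well-known 72-byte cut-off.
SCHEMES = {
    "1": ("md5crypt", None),
    "5": ("sha256crypt", None),
    "6": ("sha512crypt", None),
    "2a": ("bcrypt", 72),
    "2b": ("bcrypt", 72),
    "2y": ("bcrypt", 72),
    "y": ("yescrypt", None),
}

# Traditional DES crypt output has no "$id$" prefix: 2 salt characters plus
# 11 hash characters from the [./0-9A-Za-z] alphabet, 13 characters total.
# Only the first 8 characters of the password feed into it.
_DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field: str) -> tuple:
    """Return (scheme, significant_chars) for one /etc/shadow password field."""
    if field == "" or field[0] in "*!":
        return ("locked", 0)
    if field.startswith("$"):
        ident = field.split("$")[1]
        return SCHEMES.get(ident, ("unknown", None))
    if _DES_HASH.match(field):
        return ("descrypt", 8)
    return ("unknown", None)


def audit_shadow(text: str) -> list:
    """Return [(user, scheme, limit)] for entries whose hash truncates input."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        scheme, limit = classify_hash(parts[1])
        if limit:  # skips both None (no limit) and 0 (locked account)
            findings.append((parts[0], scheme, limit))
    return findings


def login_defs_hash_method(text: str) -> str:
    """Scheme used for *new* passwords under shadow-utils login.defs semantics:
    ENCRYPT_METHOD, if set, supersedes MD5_CRYPT_ENAB; otherwise
    MD5_CRYPT_ENAB yes means md5crypt and anything else means DES crypt."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    if "ENCRYPT_METHOD" in settings:
        return settings["ENCRYPT_METHOD"].upper()
    return "MD5" if settings.get("MD5_CRYPT_ENAB", "no").lower() == "yes" else "DES"


# Constructed sample data: real field formats, fake hash bodies.
SAMPLE_SHADOW = """\
root:$6$saltsalt$0123456789012345678901234567890123456789012345678901234567890123456789012345678901234:19000:0:99999:7:::
legacy:ab3dEf9Gh1jKl:19000:0:99999:7:::
alice:$1$saltsalt$abcdefghijklmnopqrstuv:19000:0:99999:7:::
bob:$2b$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

# The two settings from the login.defs fragment quoted in the thread, as
# shipped (MD5 enabled) and with the MD5 line commented out again.
LOGIN_DEFS_MD5 = "#PASS_MAX_LEN 8\nMD5_CRYPT_ENAB yes\n"
LOGIN_DEFS_DES = "PASS_MAX_LEN 8\n#MD5_CRYPT_ENAB yes\n"

if __name__ == "__main__":
    for user, scheme, limit in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {scheme} only checks the first {limit} characters")
    print("new passwords will use:", login_defs_hash_method(LOGIN_DEFS_MD5))
```

Run it against a real shadow file only as root and only on systems you administer; a `descrypt` finding means that account's password is effectively capped at 8 characters no matter what the user typed, and the fix is to re-set the password after switching the scheme, since existing hashes are not upgraded by changing login.defs.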
Re:Ditto NT4. Sort of. (Score:5, Informative)
The Lanmanager hashing system breaks the password up into two 7-character chunks, converts them to upper case, and hashes each separately, and XP still uses Lanmanager hashes if you don't explicitly tell it not to (by changing a registry setting).
The first 14 characters are still used in Lanmanager hashes though, so this is only a security hole if the attacker can access the hashes.
Flat Out Wrong - Read (Score:5, Informative)
A few test cases to pay attention to:
1) Sign up for an AOL mail account https://new.aol.com/freeaolweb/?promocode=814322&
Notice it only allows you to choose a password that's 6-8 characters, just like the AOL service itself. So now try and login with your password that's 6-8 characters, but add a few more. It lets you in right? Ok, so do this... reset/change your password now. Click "Forgot my Password" or whatever the link is called. Go through the questions and set a new password. Oh wait, notice it only lets you pick a 6-8 character password.
What does this mean? It means for AOL-service based/AOL-mail based accounts, they only allow 6-8 characters for the password! Who cares if it accepts extra characters. There is a 6-8 character limitation. It's absolutely irrelevant that it accepts additional characters.
They seem to be confusing this with AIM-only based accounts, which allow up to 16 character passwords and DO NOT allow anything more or anything less than the *EXACT* password. Try it yourself. If my AIM password is "pCv921!$z" it will reject me if I put "pCv921!$" and it will reject me if I put "pCv921!$z44". This is not that big of a deal and certainly isn't embarrassing. This is flat out a difference in AOL's mail-based system vs. AOL's AIM-based system.
Want to know a big shocker about AOL's mail-based system that they didn't figure out and report on that *is* embarrassing?
These AOL.com (mail-based) and AOL-service based accounts are *NOT* case sensitive. That's right, try and make your password with some uppercase letters. It doesn't make a difference if your 6-8 character password has uppercase letters or not. It doesn't recognize it! I didn't check, but I don't believe it recognizes special characters either. So your character set is a-z0-9.
Chew on that. Steven
Re:Radius? (Score:2, Informative)
My AOL password happens to be exactly 8 characters long. When I tried salting it with asdf afterwards, the OS X AOL client (which I haven't opened in a year, mind you :-) will not accept characters after the 8th.
In this case, salting with asdfasdfasdf results in an error saying the password must be 16 characters or less, so salting it with asdfasdf (making the attempted password exactly 16 characters) I'm still allowed to log in, even though my true password doesn't contain the asdf's, and is only 8 characters long.
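The two comments above ("Flat Out Wrong" and this one) describe the same manual test: log in with the known password plus junk, with a prefix, or with the case flipped, and see which attempts succeed. What follows is an added example that is not from the thread and is not AOL's code: `make_lossy_backend` is a constructed model of the behaviour those comments describe (first 8 characters significant, letters case-folded, input over 16 characters refused), and the two probe functions run that test automatically against any `(username, password) -> bool` verifier you are authorised to test. The keyspace helpers at the end put numbers on the a-z0-9 observation and on the two-halves LanManager split from the "Ditto NT4" reply; the 36-, 69- and 95-symbol alphabets are assumed character sets, not figures from the page.

```python
"""Black-box probe for password truncation and case folding.

Added example; not code from the thread and not AOL's code. The backend
built by make_lossy_backend is a constructed model of the behaviour the
comments describe. The probe functions work against any verifier callable.
"""
import math
from typing import Callable, Dict, Optional

Verifier = Callable[[str, str], bool]   # (username, password) -> accepted?


def make_lossy_backend(users: Dict[str, str], significant: int = 8,
                       max_len: int = 16, fold_case: bool = True) -> Verifier:
    """Hypothetical verifier that stores and compares only a canonical form."""
    def canon(pw: str) -> str:
        pw = pw[:significant]
        return pw.lower() if fold_case else pw

    stored = {u: canon(p) for u, p in users.items()}

    def verify(user: str, pw: str) -> bool:
        if len(pw) > max_len:          # the client/form refuses over-long input
            return False
        return user in stored and stored[user] == canon(pw)

    return verify


def _wrong(ch: str) -> str:
    """A character that differs from `ch` even after case folding (digits)."""
    return "0" if ch != "0" else "1"


def probe_significant_length(verify: Verifier, user: str,
                             password: str) -> Optional[int]:
    """How many leading characters the backend actually checks.

    Returns None when every character matters. `password` must be at least
    one character shorter than any input-length limit, or the appended junk
    is rejected for length rather than for content (the 16-character error
    the comment above ran into)."""
    if not verify(user, password):
        raise ValueError("known-good password was rejected; nothing to probe")
    # Step 1: a wrong trailing character that still logs in proves truncation.
    if not verify(user, password + _wrong(password[-1])):
        return None
    # Step 2: keep prefix n, corrupt everything after it; the shortest prefix
    # that still logs in is the truncation point.
    for n in range(1, len(password) + 1):
        candidate = password[:n] + "".join(_wrong(c) for c in password[n:])
        if verify(user, candidate):
            return n
    return len(password)   # not reached: n == len(password) is the real password


def probe_case_folding(verify: Verifier, user: str, password: str,
                       significant: Optional[int] = None) -> Optional[bool]:
    """True if the backend accepts the password with its letters' case
    swapped, False if it rejects it, None if there are no letters to swap.
    Only the significant prefix is swapped so truncation cannot mask it."""
    n = significant or len(password)
    head, tail = password[:n], password[n:]
    if not any(c.isalpha() for c in head):
        return None
    return verify(user, head.swapcase() + tail)


def effective_bits(chars: int, alphabet: int) -> float:
    """Search space, in bits, of `chars` positions over an `alphabet`."""
    return chars * math.log2(alphabet)


def split_attack_bits(total: int, chunk: int, alphabet: int) -> float:
    """Attack cost in bits when each `chunk`-character piece can be brute
    forced independently (the LanManager case: two 7-character halves)."""
    pieces = math.ceil(total / chunk)
    return math.log2(pieces) + effective_bits(chunk, alphabet)


if __name__ == "__main__":
    users = {"alice": "Sup3rSecretKey"}                 # constructed account
    lossy = make_lossy_backend(users)
    strict = make_lossy_backend(users, significant=64, max_len=64, fold_case=False)
    for name, v in (("lossy", lossy), ("strict", strict)):
        n = probe_significant_length(v, "alice", users["alice"])
        print(name, "significant:", n, "case-folded:",
              probe_case_folding(v, "alice", users["alice"], n))
    print("8 chars of [a-z0-9]: %.1f bits" % effective_bits(8, 36))
    print("16 chars of 95 printable: %.1f bits" % effective_bits(16, 95))
    print("LM, 14 chars as two 7-char halves: %.1f bits" % split_attack_bits(14, 7, 69))
```

Against the lossy model the probe reports 8 significant, case-folded characters; against the strict model it reports no truncation and case sensitivity. Keep the number of attempts in mind on a real service: the length probe costs at most `len(password) + 2` logins, which is enough to trip lockout on some systems.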
Re:Not alone (Score:2, Informative)
Re:Not alone (Score:3, Informative)
Re:Ditto NT4. Sort of. (Score:0, Informative)
Re:AOL should upgrade their Linux servers (Score:2, Informative)
Re:Nothing new (Score:4, Informative)
Real VNC 4 (Score:2, Informative)
Re:Nothing new (Score:2, Informative)
So I dumped the convoluted password and went with something with 8 characters.
Similar problem with MySpace (Score:1, Informative)