AOL's Embarrassing Password Woes
An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog:
"Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters."
This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."
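The truncation described in the summary, as an added example that is not part of the post and not AOL's code: a constructed back end that hashes only the first eight characters of a password (the limit quoted above), beside a non-truncating one, plus a self-check a site operator can run against a test account on their own login to measure how many characters the back end really uses. The PBKDF2 parameters and the probe password are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed demo of a back end that silently uses only the first eight
# characters of a password (the limit quoted in the story); not AOL's code.
TRUNCATE_AT = 8
ITERATIONS = 10_000  # assumed demo value; use a far higher count in production


def make_record(password: str, limit: Optional[int] = TRUNCATE_AT) -> dict:
    """Store a salted PBKDF2 hash of the password, keeping only the first
    `limit` characters when a limit is set (s[:None] keeps the whole string)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password[:limit].encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "limit": limit}


def verify(record: dict, password: str) -> bool:
    """Check a login attempt against a stored record, applying the same truncation."""
    digest = hashlib.pbkdf2_hmac("sha256", password[:record["limit"]].encode(),
                                 record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def significant_chars(login: Callable[[str], bool], password: str) -> Optional[int]:
    """Defender's self-check on your own test account: change one character at
    a time, starting from the front; the first position whose change is
    ignored is the number of characters the back end actually uses.
    None means every character counts."""
    for i in range(len(password)):
        swap = "x" if password[i] != "x" else "y"
        altered = password[:i] + swap + password[i + 1:]
        if login(altered):
            return i
    return None


def measure(limit: Optional[int], probe: str = "correct horse battery staple") -> Optional[int]:
    """Register a long probe password on a back end with the given limit and
    report how many of its characters that back end really checks."""
    record = make_record(probe, limit)
    return significant_chars(lambda attempt: verify(record, attempt), probe)


if __name__ == "__main__":
    rec = make_record("password123")
    print("login with 'password' succeeds:", verify(rec, "password"))      # True: digits ignored
    print("truncating back end checks chars:", measure(TRUNCATE_AT))      # 8
    print("non-truncating back end:", measure(None))                       # None
```

The self-check only needs an account you control: it never guesses anyone's password, it just reveals whether "password123" and "password" are the same credential on that system.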
No way. (Score:0, Insightful)
Re:Same as in Linux (Score:2, Insightful)
Was that a question or a statement?
No Linux distro that I have used in the past 8 years hashes only the leading 8 chars of a pass phrase. Even so, a strong 8-char password is still a strong password (e.g. *_Jilt3d), or even better with non-printable chars.
Re:No way. (Score:5, Insightful)
This is AOL we're talking about... (Score:4, Insightful)
Re:Same as in Linux (Score:2, Insightful)
Re:Not alone (Score:2, Insightful)
Re:No way. (Score:3, Insightful)
Embarrassing?! (Score:3, Insightful)
Re:It's actually worse than that (Score:2, Insightful)
Re:No way. (Score:3, Insightful)
Now those are people who do not understand the way people think. Mathematicians, not psychologists.
And they are the reason social engineering works so well.
People like having one, maybe two or three passwords.
So instead of making them change passwords regularly (and do note the analogy of having to change your front door lock every two months!), make them create one relatively secure password and drill them to memorize it, never, ever reveal it to anyone and never ever write it down.
Changing passwords does not affect their crackability in any way, anyway... it is a random security layer which can close the door to someone who has already cracked the old one, in which case your security sucks anyhow.
Re:No way. (Score:2, Insightful)
Re:No way. (Score:4, Insightful)
Preferably, one would just write down a hint, of course. And not on a sticky-note on the monitor.
Re:So, now we can't count? (Score:2, Insightful)
uhm. (Score:1, Insightful)
I wonder how many other people have 'older' aol accounts and haven't changed their passwords.
Re:No way. (Score:3, Insightful)
I've seen ones where they specify things like 'must be 10 characters long, contain 2 symbols, 2 numeric characters, 2 uppercase'. They don't seem to realise that they are actually *reducing* the complexity of possible passwords.
If a cracker knows that a password *will* contain, e.g., 2 non-alphanumeric characters plus 2 numerals plus 2 upper case characters, and knows the required length of the password, this reduces the search space significantly.
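As an added example that is not from the thread, the following Python quantifies the effect the comment describes for a 10-character rule of 2 symbols, 2 digits and 2 uppercase letters. It counts printable-ASCII passwords with no rule at all, with exactly those counts, and with at least those counts (the two readings of "must contain"), and reports how many bits of search space each rule removes. The character-class sizes are assumptions for printable ASCII.

```python
from itertools import product
from math import comb, log2

# Character-class sizes for printable ASCII (assumed for this example).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
ALPHABET = sum(CLASSES.values())  # 94

# The rule quoted in the comment: length 10, 2 symbols, 2 digits, 2 uppercase.
RULE = {"symbol": 2, "digit": 2, "upper": 2}


def unconstrained(length: int) -> int:
    """Every printable-ASCII string of the given length."""
    return ALPHABET ** length


def exact_counts(length: int, required: dict) -> int:
    """Strings with exactly the required count of each named class; the
    remaining positions are filled from the classes the rule does not name."""
    if sum(required.values()) > length:
        return 0
    free = sum(n for c, n in CLASSES.items() if c not in required)
    ways, remaining = 1, length
    for cls, k in required.items():
        ways *= comb(remaining, k) * CLASSES[cls] ** k  # pick positions, then characters
        remaining -= k
    return ways * free ** remaining


def at_least_counts(length: int, required: dict) -> int:
    """Strings with at least the required count of each named class, by
    inclusion-exclusion over the subsets of classes that fall short."""
    names = list(required)
    total = 0
    for mask in range(1 << len(names)):
        short = [names[i] for i in range(len(names)) if mask >> i & 1]
        sign = -1 if len(short) % 2 else 1
        other = ALPHABET - sum(CLASSES[c] for c in short)
        # enumerate every way the 'short' classes can appear fewer than k times
        for counts in product(*(range(required[c]) for c in short)):
            if sum(counts) > length:
                continue
            ways, remaining = 1, length
            for cls, k in zip(short, counts):
                ways *= comb(remaining, k) * CLASSES[cls] ** k
                remaining -= k
            total += sign * ways * other ** remaining
    return total


def bits_lost(length: int, required: dict, exact: bool) -> float:
    """How many bits of search space the rule removes compared with no rule."""
    count = exact_counts(length, required) if exact else at_least_counts(length, required)
    return log2(unconstrained(length)) - log2(count)


if __name__ == "__main__":
    print(f"no rule:        2^{log2(unconstrained(10)):.1f} candidates")
    print(f"exactly 2/2/2:  loses {bits_lost(10, RULE, exact=True):.1f} bits")
    print(f"at least 2/2/2: loses {bits_lost(10, RULE, exact=False):.1f} bits")
```

The "exactly" reading costs roughly six and a half bits; the "at least" reading, which is what most sites actually enforce, costs a couple of bits, because it only discards the strings that lack a class rather than pinning the class counts down. Either way a published rule is information the defender hands out, and the usual remedy is a length requirement with a breached-password check instead of composition rules.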
Re:No way. (Score:2, Insightful)
Re:Nothing new (Score:1, Insightful)