AOL's Embarassing Password Woes

An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog: "Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters." This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."

No way.

[Anonymous Coward]

Anyone else having a hard time believing this?

Re:Same as in Linux

[Anonymous Coward]

> So that's the same as in most (all?) Linux distributions by default.

Was that a question or a statement?

No linux distro that I have used in the past 8 years hashes only the leading 8 chars of a pass phrase. Even so a strong 8 char password is still a strong password (eg: *_Jilt3d) or even better with non-printable chars.

Re:No way.

[Bastard of Subhumani]

... thus pretty much ensuring that you write it down.

This is AOL we're talkikng about...

[ZeldorBlat]

Do you really think the type of people who use AOL would use a password longer than eight characters anyway?

Re:Same as in Linux

[Bastard of Subhumani]

Even so a strong 8 char password is still a strong password (eg: *_Jilt3d)

It isn't if you're relying on the part after the eighth character to make it strong and the system is silently ignoring that part.

Re:Not alone

[Cygfrydd]

#PASS_MAX_LEN 8

Perhaps it's just me, but isn't that commented... meaning, the entire length of the password is hashed, and thus, significant?

Re:No way.

[thogard]

It changes authentication from something you know to something you have.

Embarrassing?!

[morari]

What exactly about AOL isn't embarrassing?

Re:Its actually worse than that

[bot24]

The stored password in the registry cannot be a hash unless the authentication system on the remote end will accept the hash in place of the actual password, which is only marginally better than storing the password in plain text. Without some keychain system, the password cannot be encrypted and then decrypted again unless the decryption key is accessible to the user or the key is stored on the server, meaning that you only need the "encrypted" password to authenticate yourself. Depending on how the password is encrypted, the new password storage system could be worse than the old one.

Re:No way.

[cp.tar]

Now those are people who do not understand the way people think. Mathematicians, not psychologists.

And they are the reason social engineering works so well.

People like having one, maybe two or three passwords.
So instead of making them change passwords regularly (and do note the analogy of having to change your front door lock every two months!), make them create one relatively secure password and drill them to memorize it, never, ever reveal it to anyone and never ever write it down.

Changing passwords does not affect their crackability in any way, anyway... it is a random security layer which can close the door to someone who has already cracked the old one, in which case your security sucks anyhow.

Re:No way.

[that this is not und]

Something you have on a post-it note, stuck to your desk underneath your keyboard.

Re:No way.

[General Wesc]

I used to tell people not to write down their passwords, but after dealing with people losing their passwords all the time, I changed my tune. I think this makes a good point [berylliumsphere.com]. There are some passwords I won't write down, but if I can carry hundreds of dollars, keys to my house and car, and credit cards with over a total credit line over 10 000USD in my pocket.

Preferably, one would just write down a hint, of course. And not on a sticky-note on the monitor.

Re:So, now we can't count?

[FishWithAHammer]

You're an idiot. 'password', the eight-character segment that actually counts, is extremely common.

uhm.

[Anonymous Coward]

I've had an aol account since the mid ninties, I don't really use it anymore, but the password's only 4 characters.

I wonder how many other people have 'older' aol accounts and haven't changed their passwords.

Re:No way.

[myowntrueself]

The opposite extreme is companies with password Nazis who insist that your password be a certain length, follows a certain pattern

I've seen ones where they specify things like 'must be 10 characters long, contain 2 symbols, 2 numeric characters, 2 uppercase'. They don't seem to realise that they are actually *reducing* the complexity of possible passwords.

If a cracker knows that a password *will* contain, eg, 2 non-alphanumeric characters plus 2 numerals plus 2 upper case characters and the required length of the password this reduces the search space significantly.

Re:No way.

[Mr Jazzizle]

I find that picking out just something around the desk and using it's serial number (or some other long sequence of random letters and numbers) as your password, you'll never forget it as long as you know what thing its on. Not so good, however, is when someone notices that you're looking at the back of your computer speakers everytime you log on.

Re:Nothing new

[Anonymous Coward]

I supose these idiots have never heard of hashing. Then this sort of weakness would have been a non-issue, even if their systems didn't read past the first half of the hash output.