Forgot your password?
typodupeerror
Security

AOL's Embarassing Password Woes 192

Posted by CmdrTaco
from the top-sekrit dept.
An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog: "Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters." This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."
This discussion has been archived. No new comments can be posted.

AOL's Embarassing Password Woes

Comments Filter:
  • Nothing new (Score:4, Interesting)

    by Anonymous Coward on Sunday May 06, 2007 @10:33AM (#19010091)
    It's nothing new, the BT Openworld webmail system had this unique bug/feature years ago. Wonder if they've fixed it....
    • Re:Nothing new (Score:4, Informative)

      by sglider (648795) on Sunday May 06, 2007 @04:54PM (#19012985) Homepage Journal
      MySpace has that issue as well, past 10 characters. If you go to their signup screen, you can sign up with a longer password, but if you go to the secondary login screen, it will stop typing either after 10 or 12 characters.
    • Real VNC 4 (Score:2, Informative)

      by Das Auge (597142)
      Real VNC 4 has this same problem. One of my clients uses it and set the password to a 12 key entry, with uppercase, lowercase, numbers, and a special character. Too bad most of his non-alphas were at the end...
    • Re: (Score:2, Informative)

      Demon Internet in the UK were like that back in 1994 when I signed up. I had some issues and changed the password. I'd come up with this long obtuse password and he said "Oh don't worry, it only reads the first 8 characters anyway."

      So I dumped the convoluted password and went with something with 8 characters.
  • Not alone (Score:5, Informative)

    by bsane (148894) on Sunday May 06, 2007 @10:33AM (#19010095)
    Solaris (up to Solaris8 anyway) has exactly the same problem, I wouldn't be surprised if its widespread on older systems.

    One thing I find interesting though, way back before the internet was well known (1990 or so I think) and people paid for CompuServe or AOL or whatever, I had a CompuServe account and the original password was 'wrote*admiral' and it definatly required all letters to be correct
    • by Anonymous Coward on Sunday May 06, 2007 @10:41AM (#19010173)
      Same problem in a default installation of Solaris-10 as well.

    • by Branka96 (628759) on Sunday May 06, 2007 @10:53AM (#19010299)
      Apple's OS X had the same problem until 10.3. See Apple KB article [apple.com]
      • Ditto NT4. Sort of. (Score:2, Informative)

        by Anonymous Coward
        NT4 broke a 16 character password and separately hashed the first and second parts so you could attack them separately. This is why passwords > 8 characters were recommended. Better than TFA, and (thankfully) fixed in NT5.

        Worth remembering if you still have any NT4 servers in production.
        • by kestasjk (933987) on Sunday May 06, 2007 @11:47AM (#19010687) Homepage
          I think you've mixed something up.

          The Lanmanager hashing system breaks the password up into two 7-char sized chunks, converts them to upper case, and hashes each separately, and XP still uses Lanmanager hashes if you don't explicitly tell it not to (by changing a registry setting).

          The first 14 characters are still used in Lanmanager hashes though, so this is only a security hole if the attacker can access the hashes.
          • by belrick (31159)
            The first 14 characters are still used in Lanmanager hashes though, so this is only a security hole if the attacker can access the hashes.

            And don't the hashes fly across the network in the clear (unless you are using Kerberos in a non-compatibility mode?)?
            • by Tony Hoyle (11698)
              Yes. I routinely ran a program on our network and got a list of weak passwords... the offenders where then given a LART.

              I had to time limit that program because if you just let it process overnight it found *every* password including the 'secure' admin one...

    • by aquabat (724032)

      Solaris (up to Solaris8 anyway) has exactly the same problem, I wouldn't be surprised if its widespread on older systems.

      Yup. HPUX (10.20, and maybe 11.00 - can't recall) did the same thing.

  • by AEton (654737) on Sunday May 06, 2007 @10:36AM (#19010127)
    This is not that unusual.

    We switched to a new content management system and gleefully informed users that their new default password was (an organization-standard eight-character string) followed by their username.

    We realized something was wrong when someone noticed that all the password hashes were the same.

    (The fix: find a new better hash function.)
  • "Me too!" :^)
  • Spelling (Score:2, Informative)

    by daybot (911557) *
    No, whats really embarrassing is mis-spelling that very word in the title of a Slashdot article
    • Re:Spelling (Score:4, Funny)

      by Hebbinator (1001954) on Sunday May 06, 2007 @11:44AM (#19010657)
      Gotta get a spell check.

      I spent all day yesterday giggling at "eLfavirenz" (its efavirenz- no L). While HIV/AIDS is far from a humorous disease, images of brazilian midgets with big ears and curl-toed shoes sneaking around with big bottles of pirated protease inhibitors kept jumping in my head.

      For a second treat, google ELFavirenz and see the 260+ web sites that took the exact same text and put it up after /.'s error!
  • Well, it turns out that when someone signs up for an AOL.com account, the user has sold their digital soul to Satan.


    I *still* cringe to this day when someone asks for computer help and it starts out with "Well, when I log on to my AOL..."

    TLF
  • Even better (Score:5, Interesting)

    by AndrewM1 (648443) on Sunday May 06, 2007 @10:47AM (#19010219)
    I can do this one better. I signed up for some game known as MapleStory a while back, submitting the password "DaedAEcarECel40s".

    I quickly found that I could not log on to my account. I was wondering whether I misspelled my password or something, when I noticed (while reading the FAQ) in small print "Passwords must be 8 characters or less." Now, no warning of this was given anywhere on the sign up form.

    In shock, I realized what the issue must have been. Sure enough, trying to log on with password "DaedAEca" worked like a charm.

    Yes, not only did they not warn the user that there was a maximum on the password length while signing up, and not only did their form accept my 16-char password, but it actually would not let me log in with the full password. Man, I was pissed and confused for a while...
    • by db32 (862117)
      I really hope you don't use this password anywhere else. In fact I am curious to see how many people just tried to log into your slashdot account using that password. Maybe even hitting the MapleStory site just for a few random attempts as well :)
    • by Old Wolf (56093)
      Yes, not only did they not warn the user that there was a maximum on the password length while signing up, and not only did their form accept my 16-char password, but it actually would not let me log in with the full password

      When signing up with Absolute Poker, I created a password with a comma in it. It accepted it and created the account.

      Then I went to log in. After entering my password, I got an immediate error "password may not contain comma" (or other characters). I had to manually request support to a
  • Radius? (Score:4, Interesting)

    by cluge (114877) on Sunday May 06, 2007 @10:48AM (#19010221) Homepage
    I believe the original RFC for radius only looked at the first 8 characters. It would not surprise me if AOL was using a tried and proven radius solution, and never bothered to update. I'd be interested to know the results if one was to choose a long password and then

    1. Log into AOL and only use the first 8 characters
    2. Log into the AOL webmail and only use the first 8 characters.

    This may indicate if the limitation is the sign in solution, or the entire userdb backend.

    cluge
    • Re: (Score:2, Interesting)

      by juggler314 (556575)
      Man I noticed this years ago, wish I had thought it was important enough to write up about then maybe I could have had my own slashdot posting!

      (and yes that...sickeningly...means I actually used AOL for some time...)

      I had a problem logging in to the AOL webmail because it *does not* truncate to the first 8 characters and I *thought* my password was longer than 8. Thus logging into the AOL app worked fine, but I had to manually truncate to 8 characters to get webmail working.

      I thought it was a problem on my
    • Re: (Score:2, Informative)

      by Ziwcam (766621)

      1. Log into AOL and only use the first 8 characters

      My AOL password happens to be exactly 8 characters long. When I tried salting it with asdf afterwards, the OS X AOL client (which I havn't opened in a year, mind you :-) will not accept characters after the 8th.

      2. Log into the AOL webmail and only use the first 8 characters.

      In this case, salting with asdfasdfasdf results in an error saying the password must be 16 characters or less, so salting it with asdfasdf (making the attempted password exactly 16 characters) I'm still allowed to log in, even though my true password doesn't contain the asdf's, and is only 8 c

  • by imunfair (877689) on Sunday May 06, 2007 @10:49AM (#19010231) Homepage
    It's worse than they make out. Back in December 06 I posted a synopsis of how the password hashing on AIM works. They ALSO remove all the 'weird' (read: non-alphanumeric) characters. So your "eight characters" may actually be only six or four - since it cuts the password down to eight before it removes the weird ones.

    They also don't hash passwords anymore in your registry from AIM6 onward. They encrypt them, but that's a lot easier to get around than hashing.

    If you really want a more detailed explanation you can take a look at the 12/29/06 and 12/30/06 posts on this page - http://tsourceweb.com/ [tsourceweb.com] - but what I already mentioned is the crux of the issue. (We all know people on Slashdot dont like to read articles anyway ;)
    • Re: (Score:2, Insightful)

      by bot24 (771104)
      The stored password in the registry cannot be a hash unless the authentication system on the remote end will accept the hash in place of the actual password, which is only marginally better than storing the password in plain text. Without some keychain system, the password cannot be encrypted and then decrypted again unless the decryption key is accessible to the user or the key is stored on the server, meaning that you only need the "encrypted" password to authenticate yourself. Depending on how the passwo
      • by imunfair (877689)
        Before AIM6 the servers did accept a hash for login, but that's all you can do with it. (You can send a change email request with it, but that takes 72 hours and the user can cancel it during that time)

        AIM6 decrypts the password each time you log in and sends it plaintext over an SSL connection. I'd venture that storing a hash is more secure, because at least you have to crack that before you can change the user's password.

        I can't think of any situation where a password stored plaintext or encrypted would
    • by jesup (8690) *
      If this really is an artifact of the old 'core' of AOL, then it's probably due to the original password functions we put into PlayNET back in 1984-1985. (For those that don't know, AOL was originally a port of QuantumLink to the PC, and QuantumLink was licensed from PlayNET. See http://en.wikipedia.com/wiki/PlayNET [wikipedia.com].)

      The original core was all done in PL/1 on Stratus fault-tolerant minicomputers. They continued to run the core up until a few years ago, but much of the design was so ingrained that it contin
    • by linhux (104645)

      They also don't hash passwords anymore in your registry from AIM6 onward. They encrypt them, but that's a lot easier to get around than hashing.

      Well, this is usually a trade-off between being able to have a secure authentication procedure (using challenge-response authentication) or not having to store the password in cleartext at the client. If you hash the password, you can't do a challenge-response authentication on that password (since it would need the cleartext password to be available at log-in tim

  • by Jugalator (259273) on Sunday May 06, 2007 @10:49AM (#19010245) Journal
    For random passwords, I guess 8 characters are still OK, but it's worse if you pick "smart" combinations of words and numbers, like "computers4life" or "jennifer2007". With dictionary attacks adapted for these lengths, they'd only need to check for the first 8 and it would be "computer" and "jennifer" in this case. If you further adapt the attack to only look for e.g. ratios of 4:4 with first 4 being a word and remaining 4 being random, and so on for 5:3, 6:2, 7:1, and 8:0, you also catch circumstances where users have picked passwords like "love4u2007", which would be caught in the "4:4" attack as "love" + "4u20". Maybe that's still secure enough, but this sounds a bit risky when using word passwords, even when mixing with numbers to avoid dictionary attacks, especially with this limitation.
  • by ZeldorBlat (107799) on Sunday May 06, 2007 @11:02AM (#19010357)
    Do you really think the type of people who use AOL would use a password longer than eight characters anyway?
    • Do you really think the type of people who use AOL would use a password longer than eight characters anyway?

      Sure, plenty of folks have dogs with names longer than 8 characters.
  • At a certain university, this was also the case.

    The flaw in question seemed to apply only to a web mail client which they are in the process of phasing out in favor of an open source solution, which is pretty interesting because it's the first I've seen which has support for S/MIME.

    Presumably, the older system will be brought off line soon, as the flaw has been known for some time.
    When signing on in front of people who didn't know about the flaw, it was fun to make them think you had a password in excess of
  • AIX (Score:5, Interesting)

    by Sp00nMan (199816) on Sunday May 06, 2007 @11:15AM (#19010449) Journal
    The latest AIX 5.3 has this same stupid limitation too. It's driving us nuts at work cause we authenticate to Active Directory which supports long passwords, but AIX only cares about the first 8. Ridiculous.. We had to purchase SpecOps and force AD to limit to max of 8 so that users would be forced to have a unique password everytime. We contacted IBM and they said they had no plans on fixing this.
    • by 1s44c (552956)

      You could always fix your pam stack instead of adding limitations to AD.
    • And in OS/400, passwords aren't case-sensitive. Nothing like reducing your search space dramatically!
    • Ah, but this is a different issue. This is some proprietary Unix password input functions only reading 8 characters, whereas the AOL one is more likely the crypt()-type problem of discarding all but the first 8 letters when hashing the password. Your case there isn't much you can do (as the input is discarded), but in the 2nd case, authenticating against anything but the local passwd/shadow file would fix it (e.g. pam_krb5 or pam_ldap would respect all the characters).

      Another reason not to use proprietary U
  • I believe I encountered this last year when I was trying to set my wife's AIM account up on her iChat client. She has been typing the long version of her pass into the AIM client, which apparently wasn't reading past those first 8 characters. When we tried it in the iChat client, it kept spitting it back out as being incorrect. We eventually had to change her pass to a shorter one to get it to work.
  • by N8F8 (4562)
    AOL management must make the same assumptions about AOL hackers that the rest of us do about AOL users.
  • by Himring (646324) on Sunday May 06, 2007 @11:42AM (#19010643) Homepage Journal
    Reminds me of that Mitch Hedberg joke:

    "You know when a company wants to use letters in their phone number, but often they'll use too many letters? 'Call 1-800-I-Really-Enjoy-Brand-New-Carpeting.' Too many letters, man, must I dial them all? 'Hello? Hold on, man, I'm only on "Enjoy." How did you know I was calling? You're good, I can see why they hired you!'"

    RIP Mitch

  • This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password.
    The same thing goes for the Danish mobile operator CBB [cbb.dk]. :(
  • by madsheep (984404) on Sunday May 06, 2007 @11:48AM (#19010699) Homepage
    First, this article is flat out wrong and I challenge you to try it yourself. The AOL service will only allow up to 8 character passwords for e-mail related items. My password for my AIM clients has always been greater than 8 characters and I *cannot* log into anything without typing the entire password. This includes any web-based service at *.aol.com (primarily controlled by my.screenname.aol.com). I am a bit perplexed at where this article is getting its information.

    br/>
    A few test cases to pay attention to:

    1) Sign up for an AOL mail account https://new.aol.com/freeaolweb/?promocode=814322&n cid=AOLAOF00020000000602 [aol.com]

    Notice it only allows you to choose a password that's 6-8 characters, just like the AOL service itself. So now try and login with your password that's 6-8 characters, but add a few more. It lets you in right? Ok, so do this... reset/change your password now. Click "Forgot my Password" or whatever the link is called. Go through the questions and set a new password. Oh wait, notice it only lets you pick a 6-8 character password.

    What does this mean? It means for AOL-service based/AOL-mail based accounts, they only allow 6-8 characters for the password! Who cares if it accepts extra characters. There is a 6-8 character limitation. It's absolutely irrelevant that it accepts additional characters.

    They seem to be confusing this with AIM-only based accounts, which allow up to 16 character passwords and DO NOT allow anything more or anything less than the *EXACT* password. Try it yourself. If my AIM password is "pCv921!$z" it will reject me if I put "pCv921!$" and it will reject me if I put "pCv921!$z44". This is not that big of a deal and certainly isn't embarrassing. This is flat out a difference in AOL's mail-based system vs. AOL's AIM-based system.

    Want to know a big shocker about AOL's mail-based system that they didn't figure out and report on that *is* embarassing?

    These AOL.com (mail-based) and AOL-service based account are *NOT* case sensitive. That's right, try and make your password with some uppercase letters. It doesn't make a difference if your 6-8 character password has uppercase letters or not. It doesn't recognize it! I didn't check but I don't believe it recognizes special characters either. So your character set is a-z0-9.

    Chew on that. Steven :)
    • 1) Sign up for an AOL mail account

      Just be warned if you decide to abort partway through the process (I was desperate for free internet access, but not enough to give up my CC info) they will STILL KEEP THE INFORMATION YOU ENTER. I got a phone call several days later from a rep with a sales pitch.

      Although this was 3 years ago I don't think they'll have changed it...

    • by jmauro (32523)
      Have you considered that AIM uses a different password system than AOL Dialup? That way your AIM would still work, but AOL proper wouldn't.
      • by madsheep (984404)
        Yes, absolutely. This is how I am trying to make a distinction between service/e-mail-based system and AIM-based systems. I am not sure of how to better word this. It appears some of these tie into the legacy system. This is similar to Basic Auth, but worse. There is no disctinction between uppercase and lowercase characters. However, I am not quite following Brian's blog to make this a huge security risk as they do not accurately make the distinction between the two systems or even recognize they exi
  • Embarrassing?! (Score:3, Insightful)

    by morari (1080535) on Sunday May 06, 2007 @11:48AM (#19010701) Journal
    What exactly about AOL isn't embarrassing?
  • I wish someone would fix that issue in VNC so that it required more than eight characters. That seems especially bad and worth fixing, but nobody has done it yet.

    Please, if the slashdot community is going to complain about how stupid password limits are, can someone fix the open source projects that have the same issue so that we can't point and laugh at that too?
    • by Arimus (198136)
      Try ultravnc...

    • by jZnat (793348) *
      Tunnel VNC over SSH. Problem solved.

      This is also a good method for solving many other password-based issues. You can also use things like stunnel to encrypt any generic service via SSL/TLS/IPsec/etc.
  • Thank you /. (Score:2, Interesting)

    by g0dsp33d (849253)
    Hello, this is AOL tech support... we have lost our database for user names, your account will not function unless you give us your account name and the first 8 letters of your password for confirmation... Maybe I'll ask for credit cards too...
  • VNC... (Score:2, Interesting)

    by NNland (110498)
    Official versions of VNC from AT&T and later RealVNC had similar password limitations, though I can't remember if it was 7 or 8 characters. All I know is that it gave me a good reason to switch to UltraVNC, which used the native login API on whatever OS it was running.
  • by Michael Woodhams (112247) on Sunday May 06, 2007 @05:06PM (#19013063) Journal
    Old text adventure games were often like this. You'd type in an entire sentence, but the computer would only look at the first three letters of the first two words. I remember using "drink white paint" to drink the whiskey. (This was back when the final resting place of outdated computer games was not the $10 bargain bin, but rather having the entire source printed in a computer games magazine so people could type it into their Apple II.)

    I think that Infocom, being the class act of text adventures, didn't suffer this "feature".

What ever you want is going to cost a little more than it is worth. -- The Second Law Of Thermodynamics

Working...