This AOL issue, I can understand how it would have been over looked. Back when I would have read online about someone I heard of who could have potentially definitely wasn’t me cracking AOL passwords broadband was not nearly as wide spread which meant you have to dial up and then you got 3 tries, disconnected and repeated until you got a working combo. Now with the AOL over TCP/IP you get three tries every couple seconds.

There are generally two flavors of crackers out there.

1. Mass attack: You can generate a list of user names from a chat room scan, then using obvious combinations you try a few different sequences for each user. User name, user name backwards, common words, common numbers and what not. Say 20 - 30 generic attempts then move on. It is really surprising what a night of cracking in this manner can return as far as cracked accounts go.

2. Targeted attack: This can either take a single user, or a list. It scans their profile and generates a list of every potential combination using the information is discovered. I would say on average this generated about twice as many working phish as a shorter mass crack but it took quite a bit longer… from what I read online.

So, it really depends on what quantifies serious.

In retrospect though LM was upgraded YEARS ago and the flaw no longer exists in current operating systems for the most part. (unless they have support for legacy operating systems enabled, which most windows based systems do by default)

Moral of the story: Don’t use simple passwords and don’t use any generic phrases. Random alphanumerics, thats the best (unless you can use full sentence pass phrases which in this case would be counter productive do to the truncation)

This is a big blooper on AOL’s part…

Its a pretty common thing people do..passwords withtheir names( or their girlfriends /wives names) which are generally 6-8 alphabets and then try to think of gibberish alphanumeric characters ,@, $,#