AOL Has An Odd Password System

An interesting snippet from last month, AOL seems to have a strangely configued password system.

Users can enter up to 16 characters as a password, but the system only reads the first 8 and discards the rest. They are basically truncating the password at 8 characters.

A reader wrote in Friday with an interesting observation: When he went to access his account, he accidentally entered an extra character at the end of his password. But that didn’t stop him from entering his account. Curious, the reader tried adding multiple alphanumeric sequences after his password, and each time it logged him in successfully.

It turns out that when someone signs up for an account, the user appears to be allowed to enter up to a 16-character password. AOL’s system, however, doesn’t read past the first eight characters.

And if you can’t work out what’s wrong with this..well.

How is this a bad set-up, security-wise? Well, let’s take a fictional AOL user named Bob Jones, who signs up with AOL using the user name BobJones. Bob — thinking himself very clever — sets his password to be BobJones$4e?0. Now, if Bob’s co-worker Alice or arch nemesis Charlie tries to guess his password, probably the first password he or she will try is Bob’s user name, since people are lazy and often use their user name as their password.

And she’d be right, in this case, because even though Bob thinks he created a pretty solid 13-character password — complete with numerals, non-standard characters, and letters — the system won’t read past the first eight characters of the password he set, which in this case is exactly the same as his user name. Bob may never be aware of this: The AOL system also will just as happily accept BobJones for his password as it will BobJones$4e?0 (or BobJones + anything else, for that matter).

Not smart eh? AOL apparently are ‘looking into it’ and that’s all they’ve said regarding the matter.

Bruce Schneier, chief technology officer BT Counterpane, called the set-up “sloppy and stupid.”

Source: Washington Post

Posted in: Hacking News, Password Cracking

Latest Posts:

ZigDiggity - ZigBee Hacking Toolkit ZigDiggity – ZigBee Hacking Toolkit
ZigDiggity a ZigBee Hacking Toolkit is a Python-based IoT (Internet of Things) penetration testing framework targeting the ZigBee smart home protocol.
RandIP - Network Mapper To Find Servers RandIP – Network Mapper To Find Servers
RandIP is a nim-based network mapper application that generates random IP addresses and uses sockets to test whether the connection is valid or not with additional tests for Telnet and SSH.
Nipe - Make Tor Default Gateway For Network Nipe – Make Tor Default Gateway For Network
Nipe is a Perl script to make Tor default gateway for network, this script enables you to directly route all your traffic from your computer to the Tor network.
Mosca - Manual Static Analysis Tool To Find Bugs Mosca – Manual Static Analysis Tool To Find Bugs
Mosca is a manual static analysis tool written in C designed to find bugs in the code before it is compiled, much like a grep unix command.
Slurp - Amazon AWS S3 Bucket Enumerator Slurp – Amazon AWS S3 Bucket Enumerator
Slurp is a blackbox/whitebox S3 bucket enumerator written in Go that can use a permutations list to scan externally or an AWS API to scan internally.
US Government Cyber Security Still Inadequate US Government Cyber Security Still Inadequate
Surprise, surprise, surprise - an internal audit of the US Government cyber security situation has uncovered widespread weaknesses, legacy systems and poor adoption of cyber controls and tooling.

8 Responses to AOL Has An Odd Password System

  1. Lee B June 21, 2007 at 7:57 am #

    Sounds like it uses an old version of Solaris somewhere (8 maybe?). I swear it used to do that.

  2. Daniel June 21, 2007 at 9:42 am #

    and the difficulty of bruteforce with 8 characters (while still hard) is so much easier than 12 it isnt even funny

  3. madmax June 21, 2007 at 3:14 pm #


    This is a big blooper on AOL’s part…

    Its a pretty common thing people do..passwords withtheir names( or their girlfriends /wives names) which are generally 6-8 alphabets and then try to think of gibberish alphanumeric characters ,@, $,#

  4. ChaosVein June 21, 2007 at 3:56 pm #

    AOL has been like this since the 2.5 or 3.0 days when they expanded how much you could type in for the password field. If you actually use AOL and try to log in fromt he main screen with a wrong password you will get another pop-up window saying your password is wrong and you need to re-enter it. This window has a hard set character limit of 8 characters, a confirmation from within the application itself as to what they actually check for your password.

  5. Torvaun June 21, 2007 at 4:09 pm #

    I now feel much better about my password choosing procedures. Any given segment of any of my passwords is as secure as the whole thing, minus some for length. Of course, when you’re dealing with an alphanumeric key with a length of 8, there’s only 218 trillion possible keys. That’s what, a few hours on a decent system? I now feel much better about not having an account at AOL.

  6. mburns June 21, 2007 at 7:45 pm #

    Doesn’t the old LanManager hashing system (found in older Windows systems, and OS X via legacy support, IIRC) have similar problems?

  7. backbone June 25, 2007 at 1:21 pm #

    yes mburns it has, but not as serious as this…

  8. ChaosVein June 26, 2007 at 12:34 am #

    That depends what you call serious. The LM Hash is less secure because of the speed you can attack it. You split the password into two 7 character segments and then crack them. At a couple hundred thousand tries a minute even on slow machines you are in pretty good shape within a few hours for insanely random sequences. Even faster if you have access to a rainbow table.

    This AOL issue, I can understand how it would have been over looked. Back when I would have read online about someone I heard of who could have potentially definitely wasn’t me cracking AOL passwords broadband was not nearly as wide spread which meant you have to dial up and then you got 3 tries, disconnected and repeated until you got a working combo. Now with the AOL over TCP/IP you get three tries every couple seconds.

    There are generally two flavors of crackers out there.

    1. Mass attack: You can generate a list of user names from a chat room scan, then using obvious combinations you try a few different sequences for each user. User name, user name backwards, common words, common numbers and what not. Say 20 – 30 generic attempts then move on. It is really surprising what a night of cracking in this manner can return as far as cracked accounts go.

    2. Targeted attack: This can either take a single user, or a list. It scans their profile and generates a list of every potential combination using the information is discovered. I would say on average this generated about twice as many working phish as a shorter mass crack but it took quite a bit longer… from what I read online.

    So, it really depends on what quantifies serious.

    In retrospect though LM was upgraded YEARS ago and the flaw no longer exists in current operating systems for the most part. (unless they have support for legacy operating systems enabled, which most windows based systems do by default)

    Moral of the story: Don’t use simple passwords and don’t use any generic phrases. Random alphanumerics, thats the best (unless you can use full sentence pass phrases which in this case would be counter productive do to the truncation)