[ad]
An interesting snippet from last month, AOL seems to have a strangely configued password system.
Users can enter up to 16 characters as a password, but the system only reads the first 8 and discards the rest. They are basically truncating the password at 8 characters.
A reader wrote in Friday with an interesting observation: When he went to access his AOL.com account, he accidentally entered an extra character at the end of his password. But that didn’t stop him from entering his account. Curious, the reader tried adding multiple alphanumeric sequences after his password, and each time it logged him in successfully.
It turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL’s system, however, doesn’t read past the first eight characters.
And if you can’t work out what’s wrong with this..well.
How is this a bad set-up, security-wise? Well, let’s take a fictional AOL user named Bob Jones, who signs up with AOL using the user name BobJones. Bob — thinking himself very clever — sets his password to be BobJones$4e?0. Now, if Bob’s co-worker Alice or arch nemesis Charlie tries to guess his password, probably the first password he or she will try is Bob’s user name, since people are lazy and often use their user name as their password.
And she’d be right, in this case, because even though Bob thinks he created a pretty solid 13-character password — complete with numerals, non-standard characters, and letters — the system won’t read past the first eight characters of the password he set, which in this case is exactly the same as his user name. Bob may never be aware of this: The AOL system also will just as happily accept BobJones for his password as it will BobJones$4e?0 (or BobJones + anything else, for that matter).
Not smart eh? AOL apparently are ‘looking into it’ and that’s all they’ve said regarding the matter.
Bruce Schneier, chief technology officer BT Counterpane, called the set-up “sloppy and stupid.”
Source: Washington Post
Lee B says
Sounds like it uses an old version of Solaris somewhere (8 maybe?). I swear it used to do that.
Daniel says
and the difficulty of bruteforce with 8 characters (while still hard) is so much easier than 12 it isnt even funny
madmax says
Hahahahahahah!!!
This is a big blooper on AOL’s part…
Its a pretty common thing people do..passwords withtheir names( or their girlfriends /wives names) which are generally 6-8 alphabets and then try to think of gibberish alphanumeric characters ,@, $,#
ChaosVein says
AOL has been like this since the 2.5 or 3.0 days when they expanded how much you could type in for the password field. If you actually use AOL and try to log in fromt he main screen with a wrong password you will get another pop-up window saying your password is wrong and you need to re-enter it. This window has a hard set character limit of 8 characters, a confirmation from within the application itself as to what they actually check for your password.
Torvaun says
I now feel much better about my password choosing procedures. Any given segment of any of my passwords is as secure as the whole thing, minus some for length. Of course, when you’re dealing with an alphanumeric key with a length of 8, there’s only 218 trillion possible keys. That’s what, a few hours on a decent system? I now feel much better about not having an account at AOL.
mburns says
Doesn’t the old LanManager hashing system (found in older Windows systems, and OS X via legacy support, IIRC) have similar problems?
backbone says
yes mburns it has, but not as serious as this…
ChaosVein says
That depends what you call serious. The LM Hash is less secure because of the speed you can attack it. You split the password into two 7 character segments and then crack them. At a couple hundred thousand tries a minute even on slow machines you are in pretty good shape within a few hours for insanely random sequences. Even faster if you have access to a rainbow table.
This AOL issue, I can understand how it would have been over looked. Back when I would have read online about someone I heard of who could have potentially definitely wasn’t me cracking AOL passwords broadband was not nearly as wide spread which meant you have to dial up and then you got 3 tries, disconnected and repeated until you got a working combo. Now with the AOL over TCP/IP you get three tries every couple seconds.
There are generally two flavors of crackers out there.
1. Mass attack: You can generate a list of user names from a chat room scan, then using obvious combinations you try a few different sequences for each user. User name, user name backwards, common words, common numbers and what not. Say 20 – 30 generic attempts then move on. It is really surprising what a night of cracking in this manner can return as far as cracked accounts go.
2. Targeted attack: This can either take a single user, or a list. It scans their profile and generates a list of every potential combination using the information is discovered. I would say on average this generated about twice as many working phish as a shorter mass crack but it took quite a bit longer… from what I read online.
So, it really depends on what quantifies serious.
In retrospect though LM was upgraded YEARS ago and the flaw no longer exists in current operating systems for the most part. (unless they have support for legacy operating systems enabled, which most windows based systems do by default)
Moral of the story: Don’t use simple passwords and don’t use any generic phrases. Random alphanumerics, thats the best (unless you can use full sentence pass phrases which in this case would be counter productive do to the truncation)