AOL Has An Odd Password System

Keep on Guard!

An interesting snippet from last month, AOL seems to have a strangely configued password system.

Users can enter up to 16 characters as a password, but the system only reads the first 8 and discards the rest. They are basically truncating the password at 8 characters.

A reader wrote in Friday with an interesting observation: When he went to access his account, he accidentally entered an extra character at the end of his password. But that didn’t stop him from entering his account. Curious, the reader tried adding multiple alphanumeric sequences after his password, and each time it logged him in successfully.

It turns out that when someone signs up for an account, the user appears to be allowed to enter up to a 16-character password. AOL’s system, however, doesn’t read past the first eight characters.

And if you can’t work out what’s wrong with this..well.

How is this a bad set-up, security-wise? Well, let’s take a fictional AOL user named Bob Jones, who signs up with AOL using the user name BobJones. Bob — thinking himself very clever — sets his password to be BobJones$4e?0. Now, if Bob’s co-worker Alice or arch nemesis Charlie tries to guess his password, probably the first password he or she will try is Bob’s user name, since people are lazy and often use their user name as their password.

And she’d be right, in this case, because even though Bob thinks he created a pretty solid 13-character password — complete with numerals, non-standard characters, and letters — the system won’t read past the first eight characters of the password he set, which in this case is exactly the same as his user name. Bob may never be aware of this: The AOL system also will just as happily accept BobJones for his password as it will BobJones$4e?0 (or BobJones + anything else, for that matter).

Not smart eh? AOL apparently are ‘looking into it’ and that’s all they’ve said regarding the matter.

Bruce Schneier, chief technology officer BT Counterpane, called the set-up “sloppy and stupid.”

Source: Washington Post

Posted in: Hacking News, Password Cracking

Latest Posts:

OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.

8 Responses to AOL Has An Odd Password System

  1. Lee B June 21, 2007 at 7:57 am #

    Sounds like it uses an old version of Solaris somewhere (8 maybe?). I swear it used to do that.

  2. Daniel June 21, 2007 at 9:42 am #

    and the difficulty of bruteforce with 8 characters (while still hard) is so much easier than 12 it isnt even funny

  3. madmax June 21, 2007 at 3:14 pm #


    This is a big blooper on AOL’s part…

    Its a pretty common thing people do..passwords withtheir names( or their girlfriends /wives names) which are generally 6-8 alphabets and then try to think of gibberish alphanumeric characters ,@, $,#

  4. ChaosVein June 21, 2007 at 3:56 pm #

    AOL has been like this since the 2.5 or 3.0 days when they expanded how much you could type in for the password field. If you actually use AOL and try to log in fromt he main screen with a wrong password you will get another pop-up window saying your password is wrong and you need to re-enter it. This window has a hard set character limit of 8 characters, a confirmation from within the application itself as to what they actually check for your password.

  5. Torvaun June 21, 2007 at 4:09 pm #

    I now feel much better about my password choosing procedures. Any given segment of any of my passwords is as secure as the whole thing, minus some for length. Of course, when you’re dealing with an alphanumeric key with a length of 8, there’s only 218 trillion possible keys. That’s what, a few hours on a decent system? I now feel much better about not having an account at AOL.

  6. mburns June 21, 2007 at 7:45 pm #

    Doesn’t the old LanManager hashing system (found in older Windows systems, and OS X via legacy support, IIRC) have similar problems?

  7. backbone June 25, 2007 at 1:21 pm #

    yes mburns it has, but not as serious as this…

  8. ChaosVein June 26, 2007 at 12:34 am #

    That depends what you call serious. The LM Hash is less secure because of the speed you can attack it. You split the password into two 7 character segments and then crack them. At a couple hundred thousand tries a minute even on slow machines you are in pretty good shape within a few hours for insanely random sequences. Even faster if you have access to a rainbow table.

    This AOL issue, I can understand how it would have been over looked. Back when I would have read online about someone I heard of who could have potentially definitely wasn’t me cracking AOL passwords broadband was not nearly as wide spread which meant you have to dial up and then you got 3 tries, disconnected and repeated until you got a working combo. Now with the AOL over TCP/IP you get three tries every couple seconds.

    There are generally two flavors of crackers out there.

    1. Mass attack: You can generate a list of user names from a chat room scan, then using obvious combinations you try a few different sequences for each user. User name, user name backwards, common words, common numbers and what not. Say 20 – 30 generic attempts then move on. It is really surprising what a night of cracking in this manner can return as far as cracked accounts go.

    2. Targeted attack: This can either take a single user, or a list. It scans their profile and generates a list of every potential combination using the information is discovered. I would say on average this generated about twice as many working phish as a shorter mass crack but it took quite a bit longer… from what I read online.

    So, it really depends on what quantifies serious.

    In retrospect though LM was upgraded YEARS ago and the flaw no longer exists in current operating systems for the most part. (unless they have support for legacy operating systems enabled, which most windows based systems do by default)

    Moral of the story: Don’t use simple passwords and don’t use any generic phrases. Random alphanumerics, thats the best (unless you can use full sentence pass phrases which in this case would be counter productive do to the truncation)