AOL Has An Odd Password System

An interesting snippet from last month: AOL seems to have a strangely configured password system.

Users can enter up to 16 characters as a password, but the system only reads the first 8 and discards the rest. They are basically truncating the password at 8 characters.

A reader wrote in Friday with an interesting observation: When he went to access his account, he accidentally entered an extra character at the end of his password. But that didn’t stop him from entering his account. Curious, the reader tried adding multiple alphanumeric sequences after his password, and each time it logged him in successfully.

It turns out that when someone signs up for an account, the user appears to be allowed to enter up to a 16-character password. AOL’s system, however, doesn’t read past the first eight characters.

And if you can’t work out what’s wrong with this... well.

How is this a bad set-up, security-wise? Well, let’s take a fictional AOL user named Bob Jones, who signs up with AOL using the user name BobJones. Bob — thinking himself very clever — sets his password to be BobJones$4e?0. Now, if Bob’s co-worker Alice or arch nemesis Charlie tries to guess his password, probably the first password he or she will try is Bob’s user name, since people are lazy and often use their user name as their password.

And she’d be right, in this case, because even though Bob thinks he created a pretty solid 13-character password — complete with numerals, non-standard characters, and letters — the system won’t read past the first eight characters of the password he set, which in this case is exactly the same as his user name. Bob may never be aware of this: The AOL system also will just as happily accept BobJones for his password as it will BobJones$4e?0 (or BobJones + anything else, for that matter).

Not smart eh? AOL apparently are ‘looking into it’ and that’s all they’ve said regarding the matter.

Bruce Schneier, chief technology officer of BT Counterpane, called the set-up “sloppy and stupid.”

Source: Washington Post
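
The behaviour described above can be modelled and tested for. The following is an added example, not AOL's code and not part of the original post: the class names, the PBKDF2 parameters and the probe string are assumptions. It contrasts a store that reads only the first eight characters with one that reads the whole password, and includes a check that measures how many leading characters a login backend actually compares.

```python
import hashlib
import hmac
import os

MAX_READ = 8  # characters the flawed system reads, per the article


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is an assumption for the demo; the truncation is the point here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingStore:
    """Accepts long passwords but silently keeps only the first 8 characters."""

    def __init__(self):
        self._db = {}

    def _prepare(self, password: str) -> str:
        return password[:MAX_READ]

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._db[user] = (salt, _hash(self._prepare(password), salt))

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self._db[user]
        return hmac.compare_digest(stored, _hash(self._prepare(password), salt))


class FullLengthStore(TruncatingStore):
    """Corrected form: every character of the password is hashed."""

    def _prepare(self, password: str) -> str:
        return password


def effective_length(store, probe: str = "Zq7!mK2#vR9@xL4$") -> int:
    """Return how many leading characters of a 16-char probe the store checks.

    The probe (constructed, contains no 'a') is registered, then logins are
    tried that keep its first n characters and replace the rest with 'a'.
    The smallest n that still logs in is the length the backend really reads.
    """
    user = "truncation-probe"
    store.register(user, probe)
    for n in range(1, len(probe)):
        if store.verify(user, probe[:n] + "a" * (len(probe) - n)):
            return n
    return len(probe)
```

Run against a staging login path, a result shorter than the advertised maximum password length means the tail of every user's password is being ignored.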


8 Responses to AOL Has An Odd Password System

  1. Lee B June 21, 2007 at 7:57 am #

    Sounds like it uses an old version of Solaris somewhere (8 maybe?). I swear it used to do that.

  2. Daniel June 21, 2007 at 9:42 am #

    and the difficulty of bruteforce with 8 characters (while still hard) is so much easier than 12 it isn't even funny

  3. madmax June 21, 2007 at 3:14 pm #


    This is a big blooper on AOL’s part…

    It's a pretty common thing people do: passwords with their names (or their girlfriends'/wives' names), which are generally 6-8 letters, and then try to think of gibberish alphanumeric characters, @, $, #

  4. ChaosVein June 21, 2007 at 3:56 pm #

    AOL has been like this since the 2.5 or 3.0 days when they expanded how much you could type in for the password field. If you actually use AOL and try to log in from the main screen with a wrong password you will get another pop-up window saying your password is wrong and you need to re-enter it. This window has a hard set character limit of 8 characters, a confirmation from within the application itself as to what they actually check for your password.

  5. Torvaun June 21, 2007 at 4:09 pm #

    I now feel much better about my password choosing procedures. Any given segment of any of my passwords is as secure as the whole thing, minus some for length. Of course, when you’re dealing with an alphanumeric key with a length of 8, there’s only 218 trillion possible keys. That’s what, a few hours on a decent system? I now feel much better about not having an account at AOL.

  6. mburns June 21, 2007 at 7:45 pm #

    Doesn’t the old LanManager hashing system (found in older Windows systems, and OS X via legacy support, IIRC) have similar problems?

  7. backbone June 25, 2007 at 1:21 pm #

    yes mburns it has, but not as serious as this…

  8. ChaosVein June 26, 2007 at 12:34 am #

    That depends what you call serious. The LM Hash is less secure because of the speed you can attack it. You split the password into two 7 character segments and then crack them. At a couple hundred thousand tries a minute even on slow machines you are in pretty good shape within a few hours for insanely random sequences. Even faster if you have access to a rainbow table.

    This AOL issue, I can understand how it would have been overlooked. Back when I would have read online about someone I heard of who could have potentially definitely wasn’t me cracking AOL passwords, broadband was not nearly as widespread, which meant you had to dial up and then you got 3 tries, disconnected and repeated until you got a working combo. Now with the AOL over TCP/IP you get three tries every couple seconds.

    There are generally two flavors of crackers out there.

    1. Mass attack: You can generate a list of user names from a chat room scan, then using obvious combinations you try a few different sequences for each user. User name, user name backwards, common words, common numbers and what not. Say 20 – 30 generic attempts then move on. It is really surprising what a night of cracking in this manner can return as far as cracked accounts go.

    2. Targeted attack: This can either take a single user, or a list. It scans their profile and generates a list of every potential combination using the information it discovered. I would say on average this generated about twice as many working phish as a shorter mass crack but it took quite a bit longer… from what I read online.

    So, it really depends on what quantifies serious.

    In retrospect though LM was upgraded YEARS ago and the flaw no longer exists in current operating systems for the most part (unless they have support for legacy operating systems enabled, which most Windows-based systems do by default).

    Moral of the story: Don’t use simple passwords and don’t use any generic phrases. Random alphanumerics, that's the best (unless you can use full sentence pass phrases, which in this case would be counterproductive due to the truncation).