Slashdot: News for Nerds

AOL's Embarassing Password Woes

CmdrTaco posted more than 7 years ago | from the top-sekrit dept.

Security 192

An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog: "Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters." This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."


192 comments

Nothing new (4, Interesting)

Anonymous Coward | more than 7 years ago | (#19010091)

It's nothing new, the BT Openworld webmail system had this unique bug/feature years ago. Wonder if they've fixed it....

MIGHT AS WELL FACE IT: YOU'RE A DICK IN A GLOVE (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19010123)

The lights are on, but you're not home...

Not alone (4, Informative)

bsane (148894) | more than 7 years ago | (#19010095)

Solaris (up to Solaris8 anyway) has exactly the same problem, I wouldn't be surprised if it's widespread on older systems.

One thing I find interesting though, way back before the internet was well known (1990 or so I think) and people paid for CompuServe or AOL or whatever, I had a CompuServe account and the original password was 'wrote*admiral' and it definitely required all letters to be correct

Re: same in the default install of solaris 10 (5, Informative)

Anonymous Coward | more than 7 years ago | (#19010173)

Same problem in a default installation of Solaris-10 as well.

blacks ftw (0, Flamebait)

Dick McBeefy (1098175) | more than 7 years ago | (#19010209)

we have your women. soon we will have the white house. heh.

it's our time now.

Re:blacks ftw (0, Troll)

lick mi ballz (1016185) | more than 7 years ago | (#19010667)

Hey nigger,

Blacks "were 7 times more likely than whites to commit homicide in 1998"
http://www.ojp.usdoj.gov/bjs/homicide/race.htm [usdoj.gov]

Blacks are four times more likely than Whites to kill their children
http://www.ojp.usdoj.gov/bjs/homicide/kidsrates.txt [usdoj.gov]

28% of black males go to jail, vs. 4.4% of White males
http://www.ojp.usdoj.gov/bjs/crimoff.htm [usdoj.gov]

68.7% of blacks are born out of wedlock
http://www.cdc.gov/nchs/fastats/pdf/nvsr50_05tb19.pdf [cdc.gov]

62% of ALL black births are paid for by the US government
http://www.cdc.gov/nchs/datawh/statab/pubd/2319_69.htm [cdc.gov]

Blacks are responsible for 40.8% of all domestic violence cases, despite being only 13% of the population.
See page 28:
http://www.ojp.usdoj.gov/bjs/pub/pdf/vi.pdf [usdoj.gov]

Though only 12% of the population, blacks take 38.3% of the total of all welfare payments.
Whites are 72% of the population, and take 30.5% of the total.
http://www.ojp.usdoj.gov/bjs/pub/pdf/vi.pdf [usdoj.gov]

Though only 12% of the population, blacks take 38% of taxpayer-subsidized housing
http://www.huduser.org/datasets/ass...96/descript.htm [huduser.org]

JOURNAL OF BLACKS IN HIGHER EDUCATION
http://www.jbhe.com/ [jbhe.com]
But income alone does not explain the racial scoring gap. Consider these facts:
Whites from families with incomes of less than $10,000 had a mean SAT score of 980. This is 123 points higher than the national mean for all blacks.

Whites from families with incomes below $10,000 had a mean SAT test score that was 46 points higher than blacks whose families had incomes of between $80,000 and $100,000.

Blacks from families with incomes of more than $100,000 had a mean SAT score that was 142 points below the mean score for whites from families at the same income level.

Re:Not alone, Apple too (5, Interesting)

Branka96 (628759) | more than 7 years ago | (#19010299)

Apple's OS X had the same problem until 10.3. See Apple KB article [apple.com]

Ditto NT4. Sort of. (2, Informative)

Anonymous Coward | more than 7 years ago | (#19010437)

NT4 broke a 16 character password and separately hashed the first and second parts so you could attack them separately. This is why passwords > 8 characters were recommended. Better than TFA, and (thankfully) fixed in NT5.

Worth remembering if you still have any NT4 servers in production.

Re:Ditto NT4. Sort of. (4, Informative)

kestasjk (933987) | more than 7 years ago | (#19010687)

I think you've mixed something up.

The Lanmanager hashing system breaks the password up into two 7-char sized chunks, converts them to upper case, and hashes each separately, and XP still uses Lanmanager hashes if you don't explicitly tell it not to (by changing a registry setting).

The first 14 characters are still used in Lanmanager hashes though, so this is only a security hole if the attacker can access the hashes.

Re:Not alone (0, Interesting)

Ant P. (974313) | more than 7 years ago | (#19010347)

It's not just Solaris, here's part of /etc/login.defs on a Gentoo box:

# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# Ignored if MD5_CRYPT_ENAB set to "yes".
#
#PASS_MAX_LEN 8

# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
MD5_CRYPT_ENAB yes


Maybe it's just me, but having a hardcoded default of 8 significant characters is really stupid especially when the alternative is just plain better. Is there any distro that _doesn't_ override these by default?

Re:Not alone (2, Insightful)

Cygfrydd (957180) | more than 7 years ago | (#19010435)

#PASS_MAX_LEN 8
Perhaps it's just me, but isn't that commented... meaning, the entire length of the password is hashed, and thus, significant?

Re:Not alone (1)

HBI (604924) | more than 7 years ago | (#19010457)

You are right.

Re:Not alone (4, Informative)

TheRaven64 (641858) | more than 7 years ago | (#19010463)

I don't know about Gentoo specifically, but on most *NIX systems the convention is to put the default values in the example config file, commented out. This shows the user what the defaults are, and shows that they don't need to be explicitly stated.

Re:Not alone (2, Informative)

Albanach (527650) | more than 7 years ago | (#19010473)

Perhaps it's just me, but isn't that commented...
It's commented meaning the default applies. It also states the default is 8, so eight characters are significant.

Re:Not alone (4, Informative)

Cygfrydd (957180) | more than 7 years ago | (#19010507)

# Ignored if MD5_CRYPT_ENAB set to "yes".
#
#PASS_MAX_LEN 8
...
MD5_CRYPT_ENAB yes
... which seems to indicate that the default behaviour is to ignore the password length cap altogether.

@yg

Re:Not alone (2, Informative)

spathi-wa (575009) | more than 7 years ago | (#19010763)

It also says "Ignored if MD5_CRYPT_ENAB set to "yes"." And the last line of the quoted file sets MD5_CRYPT_ENAB to "yes"

Re:Not alone (3, Informative)

ATMD (986401) | more than 7 years ago | (#19010893)

I'm running an up-to-date Gentoo install, and have never knowingly touched that file. I just tried logging in as root, except typing only the first 8 characters of my password and then garbage. It didn't let me in.

Re:Not alone (1)

teh kurisu (701097) | more than 7 years ago | (#19010465)

Forgive me if I'm being a spaz, but isn't that line commented out in your example? It also seems to be commented out on my Gentoo box, which leads me to believe that it's commented out by default as it's a file I've never touched.

Furthermore I tried su'ing on that machine with only the first eight characters of my root password, and was denied access. So I'm concluding that it's not a problem in Gentoo by default.

Re:Not alone (5, Informative)

PAjamian (679137) | more than 7 years ago | (#19010493)

It's not just Solaris, here's part of /etc/login.defs on a Gentoo box:

# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# Ignored if MD5_CRYPT_ENAB set to "yes".
#
#PASS_MAX_LEN 8

# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
MD5_CRYPT_ENAB yes

Old DES crypt() hashing is only significant to 8 chars on any system. That's why modern systems (including Gentoo) use MD5 hashing by default which has no limit on the length of the password to hash. Notice that MD5_CRYPT_ENAB is set to "yes" above which causes it to ignore the PASS_MAX_LEN setting.

Re:Not alone (1)

thogard (43403) | more than 7 years ago | (#19010575)

The idea with the 8 char max is that you could copy encrypted /etc/passwd files from one machine to another and still have things work. That broke if you changed the number of characters that "crypt" worked on since it would encrypt "Foo" with "Foo\0\0\0\0\0" and would get different results if you feed it more nulls at the end.

Re:Not alone (1)

Driador (923291) | more than 7 years ago | (#19010565)

AIX 5.3 also behaves in this fashion

Re:Not alone (1, Interesting)

Anonymous Coward | more than 7 years ago | (#19010781)

Technically it wasn't a "problem" with Solaris. It was pretty much standard in Unix implementations from the beginning that the maximum password length be (at default) 8 characters...various operating systems designed later allowed you to either tune the number of maximum allowable characters, or simply don't have any practical limit (beyond what your computer is capable of handling...and I pity you if you're a 32-bit PC user with an 8GB password to type ;>).

Re:Not alone (1)

Teiresias_UK (413251) | more than 7 years ago | (#19011331)

I had the (mis)fortune of working for Compuserve Tech support in the summer of '97 whilst on holiday from Uni.

Every other call I had was a clueless newbie who'd forgotten their password, and wanted us to give them a new one. Problem is most of them didn't know their way around a keyboard very well, and certainly didn't know where the non-alphanumeric symbols were.

This caused no end of conversations with the support staff pointing the user around the keyboard - "No, no, up from the 0, you need to hold down shift as well ...."

Still pretty secure considering what you get now.

Re:Not alone (1)

softwareengineer99 (1077967) | more than 7 years ago | (#19011373)

Solaris 10 has the same issue.

No way. (0, Insightful)

Anonymous Coward | more than 7 years ago | (#19010103)

Anyone else having a hard time believing this?

Re:No way. (5, Informative)

creimer (824291) | more than 7 years ago | (#19010293)

Nope. At some companies I worked for, the most common passwords are "password", "hockey" (I have no idea why), and "yousuck" (Windows machines). The opposite extreme is companies with password Nazis who insist that your password be a certain length, follows a certain pattern (capital letters, lowercase letters, numbers and symbols) and minimum length (eight or more characters), must be changed every 90 days, and you can't reuse the last 500 variations of the same password based on your name.

Re:No way. (4, Insightful)

Bastard of Subhumani (827601) | more than 7 years ago | (#19010351)

... thus pretty much ensuring that you write it down.

Re:No way. (0)

Anonymous Coward | more than 7 years ago | (#19010431)

What is the problem with writing down a password? If you have 30 passwords to remember, you'll inevitably end up having to write them down just to remember what password is for what system.

Re:No way. (3, Insightful)

thogard (43403) | more than 7 years ago | (#19010615)

It changes authentication from something you know to something you have.

Re:No way. (2, Insightful)

that this is not und (1026860) | more than 7 years ago | (#19011027)

Something you have on a post-it note, stuck to your desk underneath your keyboard.

Re:No way. (4, Insightful)

General Wesc (59919) | more than 7 years ago | (#19011069)

I used to tell people not to write down their passwords, but after dealing with people losing their passwords all the time, I changed my tune. I think this makes a good point [berylliumsphere.com]. There are some passwords I won't write down, but if I can carry hundreds of dollars, keys to my house and car, and credit cards with a total credit line of over 10,000 USD in my pocket.

Preferably, one would just write down a hint, of course. And not on a sticky-note on the monitor.

Re:No way. (1)

timelorde (7880) | more than 7 years ago | (#19010581)

90 days? What luxury. Ours is every 30 days. Grrr...

Bah! Humbug! (0)

Anonymous Coward | more than 7 years ago | (#19011449)

When I was your age, we had to change our passwords twice a week, and we damn well liked it that way!

Re:No way. (2, Insightful)

cp.tar (871488) | more than 7 years ago | (#19011021)

Now those are people who do not understand the way people think. Mathematicians, not psychologists.

And they are the reason social engineering works so well.

People like having one, maybe two or three passwords.
So instead of making them change passwords regularly (and do note the analogy of having to change your front door lock every two months!), make them create one relatively secure password and drill them to memorize it, never, ever reveal it to anyone and never ever write it down.

Changing passwords does not affect their crackability in any way, anyway... it is a random security layer which can close the door to someone who has already cracked the old one, in which case your security sucks anyhow.

Re:No way. (1)

Tim C (15259) | more than 7 years ago | (#19010419)

Given that I saw exactly this behaviour on a Solaris 8 install at work a few months ago, no, I completely believe it.

Of course, *then* I was shocked...

Same as in Linux (0, Interesting)

Anonymous Coward | more than 7 years ago | (#19010115)

"the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters."

So that's the same as in most (all?) Linux distributions by default.

Re:Same as in Linux (2, Insightful)

Anonymous Coward | more than 7 years ago | (#19010303)

> So that's the same as in most (all?) Linux distributions by default.

Was that a question or a statement?

No linux distro that I have used in the past 8 years hashes only the leading 8 chars of a pass phrase. Even so a strong 8 char password is still a strong password (eg: *_Jilt3d) or even better with non-printable chars.

Re:Same as in Linux (1, Insightful)

Bastard of Subhumani (827601) | more than 7 years ago | (#19010377)

Even so a strong 8 char password is still a strong password (eg: *_Jilt3d)
It isn't if you're relying on the part after the eighth character to make it strong and the system is silently ignoring that part.

Re:Same as in Linux (2, Funny)

Anonymous Coward | more than 7 years ago | (#19010867)

Well, a strong 8 char password cannot be "relying on the part after the eighth character to make it strong", as it only has 8 characters.

Re:Same as in Linux (0)

Anonymous Coward | more than 7 years ago | (#19010391)

A statement, but I wasn't sure if all distributions are like this, hence the question mark. Anyway I have seen this behaviour not very long ago in either SuSE or Ubuntu.

Re:Same as in Linux (2, Funny)

ettlz (639203) | more than 7 years ago | (#19010453)

still a strong password (eg: *_Jilt3d)
Trying to tell us something?

Re:Same as in Linux (1)

zippthorne (748122) | more than 7 years ago | (#19011323)

You're calling a 1337 5P34K word with two ascii characters tacked on to the beginning, "strong"? Yeah, I'm sure no one doing dictionary attacks has a leet word file.

If you want a secure 8-character password, use something like,

dd if=/dev/random bs=1 count=50 2>/dev/null | strings -n 1 | tr -d "[:cntrl:]" | sed -E "s/(.{8}).*/\1/"
which yielded, b&9y@)HN just now. Humans are lousy password pickers, because we automatically patternize everything we see or create.

or better yet, tell strings to pick out 8-bit characters, too and get something like: ,Mu--xÝZÀ

although that and non-printable are probably not the greatest of ideas, because they're usually non-typable (or at best typrobatic) too.

Re:Same as in Linux (2, Informative)

julesh (229690) | more than 7 years ago | (#19010527)

So that's the same as in most (all?) Linux distributions by default.

Not since some time around 2000 when all of the major distributions switched from DES to MD5 authentication. Some major Unix vendors do still have the issue, though.

Standard crypt problem (5, Interesting)

AEton (654737) | more than 7 years ago | (#19010127)

This is not that unusual.

We switched to a new content management system and gleefully informed users that their new default password was (an organization-standard eight-character string) followed by their username.

We realized something was wrong when someone noticed that all the password hashes were the same.

(The fix: find a new better hash function.)

Re:Standard crypt problem (1, Redundant)

Alioth (221270) | more than 7 years ago | (#19010279)

Not only that, it either didn't have a salt or the salt was invariant.

Re:Standard crypt problem (3, Funny)

dohzer (867770) | more than 7 years ago | (#19010459)

My recipe for hash definitely uses salt.

http://www.mspong.org/cyclopedia/cookery.html#hashed_beef [mspong.org]

Re:Standard crypt problem (0)

Anonymous Coward | more than 7 years ago | (#19010561)

My recipe for hash definitely uses a sieve - unless you have a pollenator.

"its funny, laugh" (0, Offtopic)

nurb432 (527695) | more than 7 years ago | (#19010147)

I think this got mis-categorized.

That's YOUR password? (1)

martyb (196687) | more than 7 years ago | (#19010149)

"Me too!" :^)

Re:That's YOUR password? (4, Funny)

Jim Hall (2985) | more than 7 years ago | (#19010399)

That's ok, I logged in and changed it for you. :-)

Spelling (2, Informative)

daybot (911557) | more than 7 years ago | (#19010165)

No, what's really embarrassing is mis-spelling that very word in the title of a Slashdot article

Re:Spelling (4, Funny)

Hebbinator (1001954) | more than 7 years ago | (#19010657)

Gotta get a spell check.

I spent all day yesterday giggling at "eLfavirenz" (it's efavirenz, no L). While HIV/AIDS is far from a humorous disease, images of brazilian midgets with big ears and curl-toed shoes sneaking around with big bottles of pirated protease inhibitors kept jumping in my head.

For a second treat, google ELFavirenz and see the 260+ web sites that took the exact same text and put it up after /.'s error!

Ahh fixed the summary... (4, Funny)

The Living Fractal (162153) | more than 7 years ago | (#19010177)

Well, it turns out that when someone signs up for an AOL.com account, the user has sold their digital soul to Satan.


I *still* cringe to this day when someone asks for computer help and it starts out with "Well, when I log on to my AOL..."

TLF

Luggage... (0, Funny)

Anonymous Coward | more than 7 years ago | (#19010181)

"password123"

That's the same password I use on my luggage!

I guess this means that AOL has gone from "sucks" to "blows"?

Even better (5, Interesting)

AndrewM1 (648443) | more than 7 years ago | (#19010219)

I can do this one better. I signed up for some game known as MapleStory a while back, submitting the password "DaedAEcarECel40s".

I quickly found that I could not log on to my account. I was wondering whether I misspelled my password or something, when I noticed (while reading the FAQ) in small print "Passwords must be 8 characters or less." Now, no warning of this was given anywhere on the sign up form.

In shock, I realized what the issue must have been. Sure enough, trying to log on with password "DaedAEca" worked like a charm.

Yes, not only did they not warn the user that there was a maximum on the password length while signing up, and not only did their form accept my 16-char password, but it actually would not let me log in with the full password. Man, I was pissed and confused for a while...

Re:Even better (0)

Anonymous Coward | more than 7 years ago | (#19010271)

It's the same thing with msn messenger. sign up with a really long password, and you're locked out.

Re:Even better (2, Funny)

Anonymous Coward | more than 7 years ago | (#19010335)

> It's the same thing with msn messenger. sign up with a really
> long password, and you're locked out.

But surely that's a good thing?

Re:Even better (1)

db32 (862117) | more than 7 years ago | (#19010835)

I really hope you don't use this password anywhere else. In fact I am curious to see how many people just tried to log into your slashdot account using that password. Maybe even hitting the MapleStory site just for a few random attempts as well :)

Re:Even better (1)

rriven (737681) | more than 7 years ago | (#19010951)

My bank did the same thing (USAA). They kept posting on their website that they were upgrading the security, so I figured it would be a good time to change my password to 14 chars/digits/symbols.

I could not log in that day and I didn't have time to call their support line. The very next day when I tried it I noticed that they put a length restriction on the password box of 12 and then I could log in.

When they "upgraded" their security the backend cut everyone's password down to 12 but the web form still let you put in 20 chars. I am just glad they fixed it in one day.

Re:Even better (1)

that this is not und (1026860) | more than 7 years ago | (#19011067)

I had something like this, only with my username, happen on Freeshell. I established my account but set it up with a nine-character username. The first time after setting it up (after sending in the registration info to get a 'full' Freeshell account) I tried logging in. It wouldn't accept the username until I truncated it to the first eight characters. I got pretty frantic for a few weeks before figuring this out. Freeshell runs on NetBSD.

Radius? (3, Interesting)

cluge (114877) | more than 7 years ago | (#19010221)

I believe the original RFC for radius only looked at the first 8 characters. It would not surprise me if AOL was using a tried and proven radius solution, and never bothered to update. I'd be interested to know the results if one was to choose a long password and then

1. Log into AOL and only use the first 8 characters
2. Log into the AOL webmail and only use the first 8 characters.

This may indicate if the limitation is the sign in solution, or the entire userdb backend.

cluge

Re:Radius? (2, Interesting)

juggler314 (556575) | more than 7 years ago | (#19010295)

Man I noticed this years ago, wish I had thought it was important enough to write up about then maybe I could have had my own slashdot posting!

(and yes that...sickeningly...means I actually used AOL for some time...)

I had a problem logging in to the AOL webmail because it *does not* truncate to the first 8 characters and I *thought* my password was longer than 8. Thus logging into the AOL app worked fine, but I had to manually truncate to 8 characters to get webmail working.

I thought it was a problem on my end so I IM'd support. After a few painful minutes of trying to work with that moron I figured out what it was...and suggested they add it to their help notes for the next time someone calls in on it.

Re:Radius? (2, Informative)

Ziwcam (766621) | more than 7 years ago | (#19010721)

1. Log into AOL and only use the first 8 characters

My AOL password happens to be exactly 8 characters long. When I tried salting it with asdf afterwards, the OS X AOL client (which I haven't opened in a year, mind you :-) will not accept characters after the 8th.

2. Log into the AOL webmail and only use the first 8 characters.

In this case, salting with asdfasdfasdf results in an error saying the password must be 16 characters or less, so salting it with asdfasdf (making the attempted password exactly 16 characters) I'm still allowed to log in, even though my true password doesn't contain the asdf's, and is only 8 characters long.

It's actually worse than that (5, Interesting)

imunfair (877689) | more than 7 years ago | (#19010231)

It's worse than they make out. Back in December 06 I posted a synopsis of how the password hashing on AIM works. They ALSO remove all the 'weird' (read: non-alphanumeric) characters. So your "eight characters" may actually be only six or four - since it cuts the password down to eight before it removes the weird ones.

They also don't hash passwords anymore in your registry from AIM6 onward. They encrypt them, but that's a lot easier to get around than hashing.

If you really want a more detailed explanation you can take a look at the 12/29/06 and 12/30/06 posts on this page - http://tsourceweb.com/ [tsourceweb.com] - but what I already mentioned is the crux of the issue. (We all know people on Slashdot don't like to read articles anyway ;)

Re:It's actually worse than that (2, Insightful)

bot24 (771104) | more than 7 years ago | (#19010827)

The stored password in the registry cannot be a hash unless the authentication system on the remote end will accept the hash in place of the actual password, which is only marginally better than storing the password in plain text. Without some keychain system, the password cannot be encrypted and then decrypted again unless the decryption key is accessible to the user or the key is stored on the server, meaning that you only need the "encrypted" password to authenticate yourself. Depending on how the password is encrypted, the new password storage system could be worse than the old one.

Worse than it sounds? (2, Informative)

Jugalator (259273) | more than 7 years ago | (#19010245)

For random passwords, I guess 8 characters are still OK, but it's worse if you pick "smart" combinations of words and numbers, like "computers4life" or "jennifer2007". With dictionary attacks adapted for these lengths, they'd only need to check for the first 8 and it would be "computer" and "jennifer" in this case. If you further adapt the attack to only look for e.g. ratios of 4:4 with first 4 being a word and remaining 4 being random, and so on for 5:3, 6:2, 7:1, and 8:0, you also catch circumstances where users have picked passwords like "love4u2007", which would be caught in the "4:4" attack as "love" + "4u20". Maybe that's still secure enough, but this sounds a bit risky when using word passwords, even when mixing with numbers to avoid dictionary attacks, especially with this limitation.
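The two failure modes described in this thread, silent truncation to the first eight characters (the AOL case above) and, as imunfair describes for AIM, truncation followed by stripping of non-alphanumeric characters, can be modelled directly. The following Python is an added example and is not code from the original comments or from AOL; the function names (`effective_secret`, `entropy_bits`, `validate_new_password`) and the 8-character limit are assumptions chosen to match the thread. It shows how much of a user's chosen password actually reaches the verifier, the resulting loss of brute-force entropy, and the form-side check a registration page should make instead of accepting 16 characters and using 8.

```python
import math

def effective_secret(password, max_significant=8, strip_non_alnum=False):
    """Return the part of `password` a backend with these limits actually uses.

    max_significant: silent truncation point (8 for AOL / classic DES crypt).
    strip_non_alnum: model the AIM behaviour reported in the thread, where the
    password is cut to 8 characters first and non-alphanumerics are removed
    afterwards, so the effective secret can be shorter than 8.
    """
    used = password[:max_significant]
    if strip_non_alnum:
        used = "".join(c for c in used if c.isalnum())
    return used

def charset_size(s):
    """Size of the smallest 'natural' alphabet that covers every character in s."""
    size = 0
    if any(c.islower() for c in s):
        size += 26
    if any(c.isupper() for c in s):
        size += 26
    if any(c.isdigit() for c in s):
        size += 10
    if any(not c.isalnum() for c in s):
        size += 33  # printable ASCII punctuation
    return size

def entropy_bits(s):
    """Upper bound on brute-force entropy, treating characters as independent draws."""
    if not s:
        return 0.0
    return len(s) * math.log2(charset_size(s))

def entropy_loss(password, **limits):
    """Bits the user believes they have minus bits the backend actually checks."""
    return entropy_bits(password) - entropy_bits(effective_secret(password, **limits))

def validate_new_password(password, max_significant=8, strip_non_alnum=False):
    """Form-side check: refuse anything the backend would silently discard.

    Returns (accepted, message). A registration form that enforces the real
    backend limit avoids the lock-outs described in the thread (MapleStory,
    USAA) and stops users relying on characters that are never checked.
    """
    if len(password) > max_significant:
        return (False, f"only the first {max_significant} characters would be checked")
    if strip_non_alnum and effective_secret(password, max_significant, True) != password:
        return (False, "non-alphanumeric characters would be discarded by the backend")
    return (True, "ok")

if __name__ == "__main__":
    for pw in ("password123", "P@ss-w0rd!", "love4u2007"):
        print(pw, "->", effective_secret(pw), "/",
              effective_secret(pw, strip_non_alnum=True),
              f"loss={entropy_loss(pw):.1f} bits", validate_new_password(pw))
```

`entropy_loss` is the number the thread is really arguing about: "password123" looks like 11 characters from a 36-symbol alphabet (about 57 bits) but is checked as an 8-character lowercase word (about 38 bits), before any dictionary effects are considered.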

same thing at UC (1)

legoman666 (1098377) | more than 7 years ago | (#19010247)

I got to the University of Cincinnati in Ohio and I noticed this same problem. Anything after the first 8 digits of the password is ignored. So "lawlpewpew" is the same thing as "lawlpewpewLAZERBEAM". I emailed the IT tech support people asking them about it, but all I got in reply was some default, automated response. In the end, they didn't do anything to fix it either.

This is AOL we're talking about... (4, Insightful)

ZeldorBlat (107799) | more than 7 years ago | (#19010357)

Do you really think the type of people who use AOL would use a password longer than eight characters anyway?

dic0K (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19010423)

than this BSD boX, could save it good manners to place a paper with the laundry Niggerness? And tops responsibility sorely diminished. another charnel Yes, I work for

At a certain university, (1)

MulluskO (305219) | more than 7 years ago | (#19010425)

At a certain university, this was also the case.

The flaw in question seemed to apply only to a web mail client which they are in the process of phasing out in favor of an open source solution, which is pretty interesting because it's the first I've seen which has support for S/MIME.

Presumably, the older system will be brought off line soon, as the flaw has been known for some time.
When signing on in front of people who didn't know about the flaw, it was fun to make them think you had a password in excess of thirty characters.

AIX (4, Interesting)

Sp00nMan (199816) | more than 7 years ago | (#19010449)

The latest AIX 5.3 has this same stupid limitation too. It's driving us nuts at work because we authenticate to Active Directory which supports long passwords, but AIX only cares about the first 8. Ridiculous. We had to purchase SpecOps and force AD to limit to max of 8 so that users would be forced to have a unique password every time. We contacted IBM and they said they had no plans on fixing this.

Re:AIX (1)

1s44c (552956) | more than 7 years ago | (#19010577)


You could always fix your pam stack instead of adding limitations to AD.

This is... (0)

Anonymous Coward | more than 7 years ago | (#19010483)

...exactly what I thought was happening all along. I've only recently broken free of AOL Dialup and Broadband, and I suspected that this sort of problem was at hand. Is AOL working on fixing this at all? It'd be good to know.

Found this last year. (2, Informative)

BrianRagle (1016523) | more than 7 years ago | (#19010511)

I believe I encountered this last year when I was trying to set my wife's AIM account up on her iChat client. She has been typing the long version of her pass into the AIM client, which apparently wasn't reading past those first 8 characters. When we tried it in the iChat client, it kept spitting it back out as being incorrect. We eventually had to change her pass to a shorter one to get it to work.

DES passwords (0, Troll)

1s44c (552956) | more than 7 years ago | (#19010547)

The fact that DES passwords are 8 characters long and anything over the first 8 is silently ignored is well known.

Am I alone here in remembering the old slashdot? It used to be IT stories for IT professionals and hobbyists. Now it's dumbed down stories for help desk wannabes.

Whats next? A story on how the letters look weird with the caps lock on?

Re:DES passwords (1)

Calydor (739835) | more than 7 years ago | (#19010651)

Don't you mean they look weird with Caps Lock off? ;-)

Re:DES passwords (1)

that this is not und (1026860) | more than 7 years ago | (#19011119)

No, what I mean is it doesn't matter, since I usually read Slashdot from a csh session running Lynx on my Lear-Siegler ADM3, which has its dip switches set to force everything to ALL CAPS all the time.

Today, of course, I'm on the Silent 700 terminal and cursing everybody with those paper-wasting SIGs in their comments.

Here's Why (1)

N8F8 (4562) | more than 7 years ago | (#19010551)

AOL management must make the same assumptions about AOL hackers that the rest of us do about AOL users.

Re:Here's Why (1)

InsMonkey (324276) | more than 7 years ago | (#19011051)

No, they already know that our assumptions about AOL users are correct and they are making money off of that knowledge.

AOL should upgrade their Linux servers (1)

reybrujo (177253) | more than 7 years ago | (#19010603)

At school, back in 1998, every Linux distro we installed used to have that limitation, a limitation in the encryption routine, and a rationale something like a longer password being easier to crack. It would not surprise me if AOL were still using Slackware 2.0 ;-)

Re:AOL should upgrade their Linux servers (1)

ivan256 (17499) | more than 7 years ago | (#19010705)

a rationale something like a longer password being easier to crack.

The rationale was compatibility with other UNIX-like systems, but it went away when MD5 hashing became popular and PAM was introduced. By 1998 most Linux distributions had already switched (but probably not Slackware). The rest all had it as an option. If you have a linux system today that you've upgraded repeatedly since back then (or kept the passwd/shadow files), you probably *still* have the limitation unless you forced your existing users to change their password.
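As an added illustration (not part of the thread), a small Python audit of shadow-format entries that flags accounts whose passwords are still stored as traditional DES crypt, the scheme that ignores everything past the eighth character; the sample lines and hashes are constructed placeholders, not real digests.

```python
import re

# Modular Crypt Format ids seen in /etc/shadow; a field with no '$' prefix
# that is exactly 13 chars from the crypt(3) alphabet is a legacy DES hash.
MCF_ALGORITHMS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Name the hash scheme of one shadow password field."""
    if field in ("", "*", "!", "!!") or field.startswith("!"):
        return "locked-or-none"
    if field.startswith("$"):
        scheme = field.split("$")[1]        # '$6$salt$hash' -> '6'
        return MCF_ALGORITHMS.get(scheme, "unknown-mcf")
    if DES_RE.match(field):
        return "des-crypt"                  # only first 8 chars ever mattered
    return "unrecognized"


def audit_shadow(text):
    """Map each user in shadow-format text to its hash scheme."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        result[user] = classify_hash(field)
    return result


def legacy_users(text):
    """Users whose passwords are effectively capped at 8 characters."""
    return sorted(u for u, scheme in audit_shadow(text).items()
                  if scheme == "des-crypt")


# Constructed sample lines; the hash values are placeholders.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$NotARealHash...:19000:0:99999:7:::
alice:$1$Qw2e3r4t$NotARealMd5Hash:19000:0:99999:7:::
bob:AbCdEfGhIjKlM:14000:0:99999:7:::
dave:!:19000:0:99999:7:::
"""
```

Accounts listed by `legacy_users` are the ones to force through a password change so that a modern hash replaces the truncated one.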

adventure games (0)

Anonymous Coward | more than 7 years ago | (#19010609)

I seem to recall several adventure games from back in the day (Sierra and/or Infocom, IIRC) had a similar parsing problem with text commands. Of course, they weren't nearly as severe as this password problem. And in fact, if you knew about them, they made typing things in a whole lot easier...

Mitch Hedberg (5, Funny)

Himring (646324) | more than 7 years ago | (#19010643)

Reminds me of that Mitch Hedberg joke:

"You know when a company wants to use letters in their phone number, but often they'll use too many letters? 'Call 1-800-I-Really-Enjoy-Brand-New-Carpeting.' Too many letters, man, must I dial them all? 'Hello? Hold on, man, I'm only on "Enjoy." How did you know I was calling? You're good, I can see why they hired you!'"

RIP Mitch

mod parent up (0)

Anonymous Coward | more than 7 years ago | (#19010825)

It's for a duck!

Same goes for cbb.dk :( (1)

mutende (13564) | more than 7 years ago | (#19010681)

This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password.
The same thing goes for the Danish mobile operator CBB [cbb.dk] . :(

Flat Out Wrong - Read (4, Informative)

madsheep (984404) | more than 7 years ago | (#19010699)

First, this article is flat out wrong and I challenge you to try it yourself. The AOL service will only allow up to 8 character passwords for e-mail related items. My password for my AIM clients has always been greater than 8 characters and I *cannot* log into anything without typing the entire password. This includes any web-based service at *.aol.com (primarily controlled by my.screenname.aol.com). I am a bit perplexed at where this article is getting its information.

A few test cases to pay attention to:

1) Sign up for an AOL mail account https://new.aol.com/freeaolweb/?promocode=814322&ncid=AOLAOF00020000000602 [aol.com]

Notice it only allows you to choose a password that's 6-8 characters, just like the AOL service itself. So now try and login with your password that's 6-8 characters, but add a few more. It lets you in right? Ok, so do this... reset/change your password now. Click "Forgot my Password" or whatever the link is called. Go through the questions and set a new password. Oh wait, notice it only lets you pick a 6-8 character password.

What does this mean? It means for AOL-service based/AOL-mail based accounts, they only allow 6-8 characters for the password! Who cares if it accepts extra characters. There is a 6-8 character limitation. It's absolutely irrelevant that it accepts additional characters.

They seem to be confusing this with AIM-only based accounts, which allow up to 16 character passwords and DO NOT allow anything more or anything less than the *EXACT* password. Try it yourself. If my AIM password is "pCv921!$z" it will reject me if I put "pCv921!$" and it will reject me if I put "pCv921!$z44". This is not that big of a deal and certainly isn't embarrassing. This is flat out a difference in AOL's mail-based system vs. AOL's AIM-based system.

Want to know a big shocker about AOL's mail-based system that they didn't figure out and report on that *is* embarrassing?

These AOL.com (mail-based) and AOL-service based account are *NOT* case sensitive. That's right, try and make your password with some uppercase letters. It doesn't make a difference if your 6-8 character password has uppercase letters or not. It doesn't recognize it! I didn't check but I don't believe it recognizes special characters either. So your character set is a-z0-9.

Chew on that. Steven :)

Re:Flat Out Wrong - Read (1)

The MAZZTer (911996) | more than 7 years ago | (#19010887)

1) Sign up for an AOL mail account

Just be warned if you decide to abort partway through the process (I was desperate for free internet access, but not enough to give up my CC info) they will STILL KEEP THE INFORMATION YOU ENTER. I got a phone call several days later from a rep with a sales pitch.

Although this was 3 years ago I don't think they'll have changed it...

Re:Flat Out Wrong - Read (1)

jmauro (32523) | more than 7 years ago | (#19011355)

Have you considered that AIM uses a different password system than AOL Dialup? That way your AIM would still work, but AOL proper wouldn't.

Embarrassing?! (3, Insightful)

morari (1080535) | more than 7 years ago | (#19010701)

What exactly about AOL isn't embarrassing?

MySpace (1)

JJJJust (908929) | more than 7 years ago | (#19010895)

MySpace has this same defect/error/bug/"feature for the young memory deficient" as well... Their passwords aren't case sensitive and only read X characters no matter how many you type... And you wonder why people are always being phished/hacked...

myspace (0)

Anonymous Coward | more than 7 years ago | (#19010921)

I've seen the same sorta thing with MySpace:
once my pass was autofilled, then I typed it a second time after and hit enter.
I got in fine.

VNC too (1)

semifamous (231316) | more than 7 years ago | (#19011053)

I wish someone would fix that issue in VNC so that it required more than eight characters. That seems especially bad and worth fixing, but nobody has done it yet.

Please, if the slashdot community is going to complain about how stupid password limits are, can someone fix the open source projects that have the same issue so that we can't point and laugh at that too?

So, now we can't count? (-1, Redundant)

Ralph Spoilsport (673134) | more than 7 years ago | (#19011055)

This means that a user who uses "password123" or any other obvious eight-character password

Any OTHER 8 char password? "password123" is an 11 char password. Duh. How did this get past the editors? Oh, never mind.

RS

Re:So, now we can't count? (2, Insightful)

FishWithAHammer (957772) | more than 7 years ago | (#19011303)

You're an idiot. 'password', the eight-character segment that actually counts, is extremely common.

Re:So, now we can't count? (1)

someone1234 (830754) | more than 7 years ago | (#19011345)

Any obvious 8 character password [plus arbitrary crap]. Please notice that 'password' is 8 characters. Are you really so dense or just picking nit?

Thank you /. (2, Interesting)

g0dsp33d (849253) | more than 7 years ago | (#19011305)

Hello, this is AOL tech support... we have lost our database for user names, your account will not function unless you give us your account name and the first 8 letters of your password for confirmation... Maybe I'll ask for credit cards too...

VNC... (2, Interesting)

NNland (110498) | more than 7 years ago | (#19011459)

Official versions of VNC from AT&T and later RealVNC had similar password limitations, though I can't remember if it was 7 or 8 characters. All I know is that it gave me a good reason to switch to UltraVNC, which used the native login API on whatever OS it was running.

uhm. (1, Insightful)

Anonymous Coward | more than 7 years ago | (#19011479)

I've had an AOL account since the mid nineties. I don't really use it anymore, but the password's only 4 characters.

I wonder how many other people have 'older' aol accounts and haven't changed their passwords.