Brian Krebs posted AOL's Password Puzzler on his Security Fix Blog yesterday May 5th. In short even though AOL allows passwords up to 16 characters it *only* uses the first 8 characters. I'll be the first to admit that there are other systems that have an 8 character limit, but these are well known and documented. *Not hidden away*!
As Brian points out in his post people have a habit of using their names as their password, but may add some extra characters on the end such as:
- tomsmith1
- tomsmith#1
- tomsmithGr81
Even with a more complex password it is considerably less time consuming to break an 8 character password than a 16 character one. As far as I know all, non dictionary, brute force implementations of password crackers sequentially add characters to their attempts. In other words trying to break an password that is 2-16 characters will first try all 2 character combinations then move on to 3 characters...
AOL is a big company and a fix for this will take time. Even if AOL could change it tomorrow how many people would be locked out of their account? Consider anyone with a password longer than 8 characters trying to login would fail since only 8 characters are stored... I suspect the fix will be a new implementation of the password back-end and a new front-end to migrate users to the new infrastructure, but only time will tell.
UPDATE: In case anyone is looking for information on good password generation/selection or password tools I did a couple of previous posts on these: Anatomy of a Password and Password Tools. All of my posts on passwords, including this one. are here.
No comments:
Post a Comment