Sunday, May 6, 2007

AOL Password Warning: Time to Change Your Password?

I try to avoid posting what everyone else is posting, but this case is special. Due to the number of AOL users I'm going to post this brief message and link to the original post.

Brian Krebs posted AOL's Password Puzzler on his Security Fix blog yesterday, May 5th. In short, even though AOL allows passwords of up to 16 characters, it *only* uses the first 8 characters. I'll be the first to admit that there are other systems with an 8-character limit, but those are well known and documented. *Not hidden away*!

As Brian points out in his post, people have a habit of using their names as their password, but may add some extra characters on the end, such as:
  • tomsmith1
  • tomsmith#1
  • tomsmithGr81
Simply typing in tomsmith will work without complaint, because the extra characters are never checked.

Even with a more complex password, it is considerably less time consuming to break an 8-character password than a 16-character one. As far as I know, all non-dictionary brute-force password crackers sequentially add characters to their attempts. In other words, trying to break a password that is 2-16 characters long will first try all 2-character combinations, then move on to 3 characters, and so on...
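To make the two points above concrete, here is an added example (my own toy code, not anything from AOL or from Brian's post) that models a password store which silently keeps only the first 8 characters beside one that keeps the whole password. It includes a defender's check you can run against your own enrol/verify pair to detect silent truncation and measure the prefix length, and the search-space arithmetic behind the "8 versus 16 characters" argument. The 8-character limit is the one the post describes; the character set, hashing parameters and the `tomsmith` sample passwords are assumptions for illustration.

```python
import hashlib
import hmac
import os
import string
from typing import Callable, Optional

# Assumed limit, taken from the post's description of the AOL behaviour.
TRUNCATE_AT = 8
# Assumed character set for the search-space arithmetic below.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Low iteration count so the detection loop runs quickly; raise it in real code.
ITERATIONS = 10_000


def make_record(password: str, truncate: bool, salt: Optional[bytes] = None) -> dict:
    """Hash a password for storage.

    With truncate=True only the first TRUNCATE_AT characters are hashed,
    mimicking the silent-truncation behaviour the post describes.
    """
    salt = salt or os.urandom(16)
    secret = password[:TRUNCATE_AT] if truncate else password
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "truncate": truncate}


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt against a stored record (constant-time compare)."""
    secret = attempt[:TRUNCATE_AT] if record["truncate"] else attempt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def silently_truncates(enrol: Callable[[str], dict],
                       check: Callable[[dict, str], bool],
                       probe_length: int = 64) -> bool:
    """Defender's check: enrol a long password, then try one that differs only
    in its last character. An honest store must reject the altered attempt."""
    base = "A" * probe_length
    rec = enrol(base)
    altered = base[:-1] + "B"
    return check(rec, altered)


def truncation_prefix_length(enrol: Callable[[str], dict],
                             check: Callable[[dict, str], bool],
                             max_len: int = 64) -> Optional[int]:
    """Find the smallest prefix length p such that a change at position p+1 is
    ignored. Returns None if no truncation is detected up to max_len."""
    for p in range(1, max_len):
        rec = enrol("A" * (p + 1))
        if check(rec, "A" * p + "B"):
            return p
    return None


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def cumulative_keyspace(min_len: int, max_len: int,
                        alphabet_size: int = len(ALPHABET)) -> int:
    """Total candidates a sequential brute force tries for lengths min_len..max_len,
    i.e. all 2-character strings, then all 3-character strings, and so on."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    weak = make_record("tomsmithGr81", truncate=True)     # constructed sample password
    strong = make_record("tomsmithGr81", truncate=False)
    print("truncating store accepts 'tomsmith':", verify(weak, "tomsmith"))
    print("honest store accepts 'tomsmith':", verify(strong, "tomsmith"))
    print("detected prefix length:",
          truncation_prefix_length(lambda p: make_record(p, True), verify))
    print("16-char vs 8-char search space ratio: %.2e" %
          (cumulative_keyspace(2, 16) / cumulative_keyspace(2, 8)))
```

The detection helpers take any enrol/verify pair, so the same probe can be pointed at a real authentication library in a test suite; if `truncation_prefix_length` returns a number rather than `None`, the back-end is discarding part of the password and the effective search space is the smaller figure from `cumulative_keyspace`.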

AOL is a big company and a fix for this will take time. Even if AOL could change it tomorrow, how many people would be locked out of their accounts? Anyone with a password longer than 8 characters who tried to log in would fail, since only 8 characters are stored... I suspect the fix will be a new implementation of the password back-end and a new front-end to migrate users to the new infrastructure, but only time will tell.

UPDATE: In case anyone is looking for information on good password generation/selection or password tools, I did a couple of previous posts on these: Anatomy of a Password and Password Tools. All of my posts on passwords, including this one, are here.
