AOL's Password Puzzler

A reader wrote in Friday with an interesting observation: When he went to access his AOL.com account, he accidentally entered an extra character at the end of his password. But that didn't stop him from entering his account. Curious, the reader tried adding multiple alphanumeric sequences after his password, and each time it logged him in successfully.

It turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters.

How is this a bad set-up, security-wise? Take a fictional AOL user named Bob Jones, who signs up with AOL using the user name BobJones. Bob -- thinking himself very clever -- sets his password to BobJones$4e?0. Now, if Bob's co-worker Alice or arch-nemesis Charlie tries to guess his password, the first thing either of them will probably try is Bob's user name, since people are lazy and often use their user name as their password.

And the guess would work, because even though Bob thinks he created a pretty solid 13-character password -- complete with numerals, punctuation and letters -- the system never reads past the first eight characters of what he set, and those eight are exactly his user name. Bob may never become aware of this: the AOL system accepts BobJones as his password just as happily as it accepts BobJones$4e?0 (or BobJones followed by anything else, for that matter).

AOL spokesman Andrew Weinstein said the company was looking into the matter, but didn't have any comment beyond that.

Bruce Schneier, chief technology officer of BT Counterpane, called the set-up "sloppy and stupid."

"Truncating the password at eight characters is a big deal, and there's no excuse for any company in today's world to be doing that," Schneier said. "Especially because AOL has...shall we say, some less sophisticated users. Those users need all the help they can get when it comes to choosing a password, and to artificially penalize them in secret for choosing long passwords seems like a bad thing."
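The following is an added illustration, not code from the article or from AOL. It reconstructs the three rules the article and the comment thread attribute to the legacy AOL path (strip non-alphanumerics, ignore case, keep only the first eight characters) as a normalizing function, shows why Bob's 13-character password collapses to his user name, and works out the keyspace arithmetic behind the "about 33 days at a million guesses per second" figure that comes up later in the discussion. Every function name and constant here is this example's own; MAX_SIGNIFICANT, the alphabet sizes and the guess rate are assumptions.

```python
import hmac
import math
import re

# Reconstructed from the article and thread: the legacy AOL path strips
# non-alphanumerics, folds case and keeps only the first eight characters.
# Names and constants are this example's own assumptions.
MAX_SIGNIFICANT = 8
ALNUM_ONE_CASE = 36     # [a-z0-9]: all that survives normalization
PRINTABLE_ASCII = 95    # what a 16-character web form appears to accept


def aol_style_normalize(password: str) -> str:
    """Collapse a password the way the thread describes the legacy backend doing it."""
    stripped = re.sub(r"[^0-9A-Za-z]", "", password)
    return stripped.lower()[:MAX_SIGNIFICANT]


def truncating_verify(stored: str, candidate: str) -> bool:
    """The flawed check: both sides are normalized, so many distinct strings collide."""
    return hmac.compare_digest(aol_style_normalize(stored).encode(),
                               aol_style_normalize(candidate).encode())


def exact_verify(stored: str, candidate: str) -> bool:
    """The check users assume they are getting: the whole string must match."""
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def colliding_variants(password: str) -> list[str]:
    """A few strings the flawed check accepts in place of this password."""
    base = aol_style_normalize(password)
    return [base, base.upper(), base + "anything", "*".join(base)]


def legacy_keyspace(max_len: int = MAX_SIGNIFICANT, alphabet: int = ALNUM_ONE_CASE) -> int:
    """Every normalized form of length 1..max_len an attacker would have to try."""
    return sum(alphabet ** k for k in range(1, max_len + 1))


def brute_force_days(keyspace: int, guesses_per_second: float) -> float:
    """Wall-clock days to enumerate the whole keyspace at a constant guess rate."""
    return keyspace / guesses_per_second / 86_400


def entropy_bits(alphabet: int, length: int) -> float:
    """Keyspace size in bits for a uniformly chosen password."""
    return length * math.log2(alphabet)


def effective_bits(password: str) -> float:
    """Bits left after normalization, regardless of what the user actually typed."""
    return entropy_bits(ALNUM_ONE_CASE, len(aol_style_normalize(password)))


if __name__ == "__main__":
    bob = "BobJones$4e?0"
    print(aol_style_normalize(bob))                 # bobjones
    print(truncating_verify(bob, "BobJones"))        # True: user name alone logs in
    print(exact_verify(bob, "BobJones"))             # False: what Bob expected
    print(f"typed: {entropy_bits(PRINTABLE_ASCII, len(bob)):.1f} bits, "
          f"kept: {effective_bits(bob):.1f} bits")
    days = brute_force_days(legacy_keyspace(), 1e6)
    print(f"full enumeration at 1M guesses/s: {days:.1f} days")
```

The keyspace function sums every length from one to eight rather than counting only eight-character strings, since nothing in the thread says short passwords were padded; that is why the estimate lands slightly above the 32.7 days that 36^8 alone would give.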

By Brian Krebs  |  May 5, 2007; 6:35 PM ET
Categories:  Safety Tips  

Comments

Ugh, AOL needs to go away. How lame. I'm glad you've called them on this and hope bigger media outlets pick up the story and make AOL look really really bad.

Posted by: A | May 5, 2007 7:39 PM | Report abuse

Amazon.com does the same thing, last time I checked.

Posted by: William | May 5, 2007 9:58 PM | Report abuse

Most enterprise versions of unix still have this issue. A hang over from the 1960s.
So, I would not be surprised if the AOL password server is a unix machine.
Either way, unix providers need to resolve this issue.

Posted by: neil mccoy | May 6, 2007 2:53 AM | Report abuse

This is pretty much a textbook example of how not to design a password system. How embarrassing for AOL to be caught implementing such an egregious design flaw that even today's undergrad computer science majors know how to avoid.

Posted by: Jen | May 6, 2007 4:40 AM | Report abuse

Here is another issue. Your passwords are not case sensitive either :)

Posted by: John Doe | May 6, 2007 9:52 AM | Report abuse

AOL may have terrible security for its users, but it has excellent security re spam - it considers all incoming mail spam. I do not have AOL, rather I use Comcast broadband. Frequently, when attempting to mail to friends and family who are AOL users, my mail bounces back - server problems or somesuch. Since I am usually writing to my son, I don't think he looks upon me as 'spam' - he'd better not! I have tried several times to get him to change his ISP, but he is an old sot and won't move willingly.

Posted by: Nancy | May 6, 2007 9:53 AM | Report abuse

if your original password is: Atlas1963
and you enter At**las1963, it will let you in also. aol's password system is a joke.

Posted by: dissapointed | May 6, 2007 10:29 AM | Report abuse

Are you sure it's eight characters? I have an 8 character password for my free AOL mail account and I once entered six characters and accidentally hit enter and was allowed in.

I just did again, entered the first 6 characters of my 8 character password, and was allowed in.

Not good...

Posted by: Paul | May 6, 2007 10:39 AM | Report abuse

Has anyone actually tried checking if AOL's password authentication system is as bad as described in this article?

I tried it and with an extended password, AOL did not let me sign in.

Posted by: Kaushik A | May 6, 2007 10:54 AM | Report abuse

TIAA-CREF's password system had (has?) a similar flaw.

Posted by: Duke | May 6, 2007 11:06 AM | Report abuse

This has been an issue since day one. Other than Brian doing a lot of hand-waving, this is not new.

AOL restricts passwords for anything that plugs into its old, traditional AOL backend for authentication (versus AIM/ICQ). Length is limited, *plus* passwords are "normalized" by removing non-alphanumerics and shifting everything to all one case (can't recall if it's upper or lower -- likely upper). The "client libraries" (front ends) perform the normalization since the backend has historically not known what to do (yet another bad design?). What I mean by this is that the traditional AOL heavy client is the piece that normalized the password at each authentication before sending it to the backend.

Other interesting fallout comes when you consider that your AIM and AOL passwords can differ. If a user changes one but not the other, it can lead to confusion at best, or a misplaced sense of security at worst.

Posted by: Anonymous | May 6, 2007 11:11 AM | Report abuse

Unix systems do not have only 8 character passwords. Most Linux distros, and Unix versions allow you a choice in what you use for password encryption. Almost all default to MD5 encryption which allows very long passwords and non-alphanumeric characters.

To say that all Unixes only have 8-digit passwords is simply wrong. If yours does, then you are running on EXTREMELY old hardware/software that is likely not updated, so the password is the least of your concerns.

Posted by: Unix Guy | May 6, 2007 11:56 AM | Report abuse

I think the above post mirrors some of what I was just saying on Slashdot. It is a password limitation and not so much a security issue in my opinion. If you have an AIM-only account, you can create a password up to 16 characters and you cannot login without typing that exact password. Nothing more and nothing less. If you have something that ties back into their AOL service or mail-only, it limits you to 6-8 characters.

Guess what though? It does not just limit you to 6-8 characters. It limits you to just 6-8 alphanumeric lowercase characters. If you choose an uppercase letter, it defaults to accepting lowercase in its place. It also won't take special characters. Your possible password set is 6-8 characters of [a-z][0-9]. Now there's your security issue, sort of. If people think they are getting something more then it's an issue; if they know what they are getting, it is not.

Posted by: Steven Adair [securityzone.org] | May 6, 2007 11:58 AM | Report abuse

This seriously isn't news, it's an old, well-known, well-documented underlying issue in the one-way hashing function crypt() once used by UNIX (among other) systems for passwords.

If there's anywhere on this website that relies on "basic auth" login, it too will have the same flaw.

And constructing a password that consists of an "easy bit" and a "difficult bit" is, umm, contrived and stupid. Just include the "difficult bit" yes?

That said, there are more recent password encryption schemes used by most major OSes since the mid-90s (when this issue was first taken seriously); one can only assume AOL needs to maintain backwards compatibility with old passwords and can't migrate to the new methods easily.

Posted by: Sam | May 6, 2007 12:00 PM | Report abuse

Sam> This seriously isn't news, it's an old, well-known, well-documented underlying issue in the one-way hashing function crypt() once used by UNIX (among other) systems for passwords.

This would only be relevant if people were logging in to an old system that relies on crypt(), and even then, as others have pointed out, AOL's system strips non-alphanumerics and normalizes case first, which crypt() does not. Obviously AOL is not the least bit constrained by crypt() when implementing their authentication system, yet they managed to devise something far worse than crypt().

Sam> That said, there are more recent password encryption schemes used by most major OSes since the mid-90s (when this issue was first taken seriously), one can only assume AOL needs to maintain backwards compatability with old passwords and can't migrate to the new methods easily.

Even if AOL only maintains digests of their passwords there are multiple methods by which they could recover the original passwords and generate new digests. Given the limitations on the password set already documented here, even brute force recovery is feasible.

Posted by: antibozo | May 6, 2007 1:02 PM | Report abuse

Is there anything AOL can't do wrong?

Posted by: Mike. | May 6, 2007 2:06 PM | Report abuse

antibozo> Given the limitations on the password set already documented here, even brute force recovery is feasible.

Actually, the limitations make brute force _recovery_ impossible, whereas without the limitations it would just be (extremely) unlikely.

All that's stored is the hash. So ~Bob%Jones#79WOOT, after being stripped of specials and truncated to 8 characters, becomes bobjones. Now, even if you manage to brute force that, if you generate a new hash and then stop truncating, he'll have to know to type in bobjones... nothing else will work any more (unless you manage to find a hash collision).

This isn't something AOL could do and not notify customers. If they don't have the plaintext password stored somewhere, before truncation, they'll have to generate new passwords for every customer, and somehow let them know the new password without making even the smallest security mistake, since they'll be watched like hawks while they do it, and all of their ... less sophisticated ... users will suddenly know that AOL is insecure, and jump ship.

Posted by: Dave | May 6, 2007 2:10 PM | Report abuse

AOL is an easy target because they're big and have a long track record of doing really stupid things.
If their security is this lax, I wonder what another even bigger organization with an even longer record of bigger and more disastrous stupid things, the U.S. Government, has lurking on its thousands of systems.

How much of your personal information is sitting right now on a government computer protected by truncated passwords, no passwords, or even worse, sitting unencrypted on a laptop waiting to be stolen or lost?

We see almost daily accounts of companies or government organizations losing vast amounts of personal data. Identity theft is rising at a geometric rate. What will it take before people start implementing even the most fundamental security practices?

Knowing our society and our government, probably a catastrophe of epic proportions...


Posted by: Rick Gutleber | May 6, 2007 2:48 PM | Report abuse

Trying yet again. Actually it was a less-than sign that broke things; the system ate everything to the next greater-than sign, apparently thinking it was removing an HTML tag. Brian, if you don't mind, please delete the garbled posts above...

Dave> Actually, the limitations make brute force _recovery_ impossible,

That's a good point. I was forgetting that they were hashing after lossy reduction. Nonetheless, users could be informed that their passwords have the reduced form, and how to find it, until they set a new one. Naturally this would be beyond the ability of many AOL users...

Dave> without the limitations it would just be (extremely) unlikely.

If the password space is limited (with the user's knowledge) to 8 or fewer alphanumeric characters in one case, a brute force enumeration would take about 33 days at one million passwords per second. This is clearly not extremely unlikely.

Dave> This isn't something AOL could do and not notify customers. If they don't have the plaintext password stored somewhere, before truncation, they'll have to generate new passwords for every customer

Not true. They have control of the authentication when it happens, and thus they have the ability to inspect the plaintext password when it is presented as part of that process. Their authentication system can have two digest formats. When the user authenticates, if the old format is present, the plaintext password can then be rehashed and stored in the new format.

Posted by: antibozo | May 6, 2007 6:54 PM | Report abuse

This is an AOL account, people, and it seems like it's a well known limitation. You might as well ring alarm bells over plain text POP3 authentication at ISPs. No one cares. AOL is a big fat target, it receives tons of bad publicity as everyone's favourite whipping boy, but people need to get a life here. I can think of a bunch of fun 90s style "security flaws" to get everyone all riled up, but like a previous comment said, it's not new, and it's not news.

Posted by: Stefan Caunter | May 6, 2007 7:33 PM | Report abuse

This is quite a bit easier to fix than that.

Next time a user with a reduced-strength password logs in with something which matches what's stored when processed through the weak hash, you generate a strong hash based on the plaintext which went through the weak hash correctly. If you want to guard against once-off typos, you store both weak and strong hashes until a value matching the same strong hash is entered twice in a row.

The only users who will have only weak-hashed passwords after this has been implemented for a while are folks who haven't logged in.

(And *modern* Unix systems, commercial or otherwise, haven't used crypt() for passwords in a bloody long time; indeed, the password hashing used by Windows was for a very long time much easier to crack than a modern Unix password database; the latter support MD5 and SHA1, both widely accepted and thoroughly peer-reviewed secure hash algorithms).

Posted by: Charles Duffy | May 6, 2007 9:15 PM | Report abuse
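An added example, not code from the article or from any commenter, of the opportunistic migration antibozo and Charles Duffy describe above: keep the weak, normalized hash until a user logs in, and at that moment, since the plaintext is in hand, capture a salted hash of the full string. It follows Duffy's refinement of holding both hashes until the same exact string has been entered twice in a row, and it also shows the caveat Dave raised: once the weak hash is gone, only the captured string works, so a user who had been typing variants loses that slack. The legacy scheme (unsalted MD5 over the normalized form) and the replacement (PBKDF2-HMAC-SHA256) are this example's own assumptions; nothing on the page says what AOL actually stored.

```python
import hashlib
import hmac
import os
import re

# Legacy scheme reconstructed from the thread: hash after lossy reduction.
# Unsalted MD5 is an assumption standing in for whatever the real backend used.
def legacy_normalize(password: str) -> str:
    return re.sub(r"[^0-9A-Za-z]", "", password).lower()[:8]


def legacy_hash(password: str) -> str:
    return hashlib.md5(legacy_normalize(password).encode()).hexdigest()


# Replacement scheme chosen for this example: salted PBKDF2 over the full string.
PBKDF2_ROUNDS = 200_000


def strong_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class UserStore:
    """In-memory credential table. Each user is in one of three states:
    'legacy'   only the weak hash exists
    'pending'  a strong hash was captured at one login and awaits confirmation
    'migrated' the weak hash has been dropped; only the exact string works
    """

    def __init__(self) -> None:
        self.records: dict[str, dict] = {}

    def add_legacy_user(self, name: str, password: str) -> None:
        self.records[name] = {"legacy": legacy_hash(password), "strong": None, "salt": None}

    def state(self, name: str) -> str:
        rec = self.records[name]
        if rec["legacy"] is None:
            return "migrated"
        return "pending" if rec["strong"] is not None else "legacy"

    def _capture(self, rec: dict, password: str) -> None:
        # The plaintext is available only during authentication; hash it now.
        rec["salt"] = os.urandom(16)
        rec["strong"] = strong_hash(password, rec["salt"])

    def login(self, name: str, password: str) -> bool:
        rec = self.records.get(name)
        if rec is None:
            return False
        if rec["strong"] is not None:
            if hmac.compare_digest(strong_hash(password, rec["salt"]), rec["strong"]):
                # Same exact string as the captured one: the weak hash can go.
                rec["legacy"] = None
                return True
            if rec["legacy"] is None:
                return False  # fully migrated; variants no longer match anything
            # Pending capture did not match; fall through and re-check the weak hash.
        if rec["legacy"] is not None and hmac.compare_digest(legacy_hash(password), rec["legacy"]):
            self._capture(rec, password)  # (re)capture whatever was typed this time
            return True
        return False


if __name__ == "__main__":
    store = UserStore()
    store.add_legacy_user("bobjones", "BobJones$4e?0")
    for attempt in ["BobJones$4e?0", "BobJones", "BobJones", "BobJones$4e?0"]:
        ok = store.login("bobjones", attempt)
        print(f"{attempt!r:18} -> {ok!s:5} state={store.state('bobjones')}")
```

Users who never log in stay on the weak hash indefinitely, which is the residue Duffy points out; the practical follow-up is to expire those accounts or force a reset after a cutoff. Note that the old normalizer has to stay in the code path until the last legacy record is gone, so the weak check should be isolated and logged rather than buried in the main verifier.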

The fact that it isn't new MAKES it news. The answer to the question, "Is there anything AOL can't do wrong?": Apparently, blowing smoke is something they've aced. No other application company (this excludes the best-known OS maker) can pull off flat-out lies about how secure it is, and get away with it.

Posted by: A fan | May 7, 2007 3:51 AM | Report abuse

Ha - Discover (www.discovercard.com) does the same thing - they accept many more characters than are significant. Looks like only 8 are kept.

Posted by: Harry | May 7, 2007 9:18 AM | Report abuse

It all boils down to making it easy for Grandma to use AOL and NOT call the Indian Customer Service Department every 20 minutes.

This was probably done on purpose.

But as of today, AOL still has the easiest to use email system.

Posted by: Josh | May 7, 2007 10:47 AM | Report abuse

I'm willing to put up money that over 50% of the major ISPs in the world suffer from this exact same issue (this is based on firsthand industry knowledge, not a guess).

Posted by: Doug | May 7, 2007 11:05 AM | Report abuse

This is also true for AOL Mac OS X client software - it only accepts first 8 characters on the screen with black dots. Anything above 8 characters will not show on screen.

Posted by: Cary | May 7, 2007 11:52 AM | Report abuse

A lot of these comments make the problem sound more complicated than it is. Say a service started out many years ago with an 8 character limit for whatever reason, and out of its millions of users a few thousand get used to typing in a couple extra characters which get truncated. Then if the limit gets raised, those users suddenly can't log in. Business decision: do we make those users change, or does the system keep acting the same as always? What if those users represent some of your best customers? The right security decision is obvious to us but not necessarily to the decision makers. BTW, this is NOT limited to Unix.

Posted by: Mike R | May 7, 2007 1:58 PM | Report abuse

re the post: "This seriously isn't news, it's an old, well-known, well-documented underlying issue in the one-way hashing function crypt() once used by UNIX (among other) systems for passwords."

Um, we're talking AOL users here. Folks who have to be explained where the BACKslash is on the keyboard.

Unfortunately they don't have the default smug personalities assigned to most Unix geeks that allow them to recall this most important and apparently trivial bit of information.

Posted by: Whahdidhesay? | May 7, 2007 4:39 PM | Report abuse

Charles Duffy you are right on. The next time a "non-upgraded" user logs in just confirm the weak hash (as usual). At this point, either ask the user to confirm his password again or request he change it, perhaps because it has expired. Now resave the new "full" password as encrypted or a strong hash. Mark as "upgraded" in the db so we never have to embarrass ourselves with this user again. Repeat as necessary. AOL pay attention: valuable pearls here.

Posted by: Devan | May 7, 2007 4:52 PM | Report abuse

Ironically, back in the early 90s I used non alphanumeric characters in my AOL password (stuff like $%&*) and these were sort of forcibly removed in (I think, it was a while ago) AOL 5.0. When you type in a password as these, it doesn't even acknowledge them as a keystroke. This is really, really longstanding, at least 10 years, so I don't know how it exactly qualifies as news.

The real issue arises when you are fiddling with both your AIM password (which can be up to 16 characters) and your AOL password (which can be 8 characters). Most people don't distinguish between the two, which leads to this problem. The answer is to use a complex password from the start, not rely on a "hard to guess" part at the end, and to actually read the password requirements at the change password screen.

Posted by: skye | May 7, 2007 7:41 PM | Report abuse

AOL has begun to fall apart as a business model, and if survival of the fittest is a valid law, it will disappear entirely. Other companies take heed, gearing your software to the lowest intellect possible only means the only users left using your services are idiots.

Posted by: RichMcCrea | May 7, 2007 7:43 PM | Report abuse

Brian,

I've been warning my clients for years about the 8 character password limit at AOL. I can't believe that AOL increased the HTML input field for their password prompt to 16 characters without expanding the password size limit system wide.

And it is true that the special characters are stripped off to arrive at a clean character/numeric value for hashing.

Earthlink has the same 8 character limit, but character stripping is not a factor with their system.

Posted by: Michael at ATC | May 7, 2007 8:05 PM | Report abuse

How can AOL have such a nasty authentication system. Wonder how they got into IT

Posted by: Frenz | May 8, 2007 7:46 AM | Report abuse

I have changed my AOL password a while back from a 6 character to an 8 character and it will actually still allow me to sign under both.

Posted by: Mw | May 8, 2007 9:18 AM | Report abuse

It should be noted that the issue here isn't that they only allow for 8 characters but that they truncate extra characters. If they were just straightforward and told people that they only have the ability to enter 8 lower case alphanumeric characters, they could make a more solid password than what was presented in the example. It isn't about their security system, it's about their business practices.

Posted by: Jeremy | May 8, 2007 9:59 AM | Report abuse

AAHHHHH... AOL. What more can you say?

Posted by: Anonymous | May 8, 2007 11:30 AM | Report abuse

AOL totally sucks. Whoever introduced noobs to this lame excuse for software should be convicted. Can't we ship out IE instructions with each social security pension check or something?!

Posted by: Josh | May 8, 2007 4:44 PM | Report abuse

AOL Sucks, and this is news?

Posted by: catnapping | May 9, 2007 1:25 AM | Report abuse

AOL users are all late adopters. Most of them will have unsecured passwords regardless.

Posted by: Anonymous | May 9, 2007 10:55 AM | Report abuse

Sprint/Nextel's website is similarly broken. They allow you to create long passwords, but truncate them to 8 characters. Then, when you attempt to log in with the full password, they fail to truncate it and reject you unless you only type the first eight characters of it.

Posted by: Justin | May 9, 2007 2:59 PM | Report abuse

This is old news...I noticed it weeks ago.

Posted by: 312c | May 9, 2007 11:24 PM | Report abuse

Only tangentially related, but what infuriates me no end are the sites that demand a credit card number but refuse to accept it with spaces, as it is printed on the actual card, or, even worse, make the card field only sixteen characters long so you can't even type it in in full and remove the spaces before submitting. Any user interface designer will tell you that it's much easier to accurately enter a number in four separate four-digit groups than as one long 16-digit string, but this concept seems to elude the many morons who build ordering interfaces.

Posted by: antibozo | May 9, 2007 11:26 PM | Report abuse

Editor> Besides, I just tried typing an extra character at the end of my AOL password and it didn't let me in, stating that I had an incorrect password.

Do you have a non-alphanumeric character in your password?

Posted by: antibozo | May 10, 2007 12:15 AM | Report abuse

antibozo, my AOL pw is seven characters long and only has alphanumeric characters in it.

Posted by: Editor | May 10, 2007 4:11 AM | Report abuse

Editor> antibozo, my AOL pw is seven characters long and only has alphanumeric characters in it.

Well, then if you add one character to the end, it will differ after the normalization that Brian described, so AOL will regard it as different. Remember, they strip non-alphanumerics, truncate at eight characters, and ignore case. So, when you added a character to your seven-character alphanumeric password, we should expect that AOL would deny you authentication.

Posted by: antibozo | May 10, 2007 8:15 AM | Report abuse

AOL's account creation system (for paying accounts) will not let you choose a password that matches your screen name. So the example used in this article is totally erroneous. For non-paying accounts, your password will not get truncated or normalized .

Posted by: Anonymous User | May 10, 2007 4:49 PM | Report abuse

Problem fixed!!!!

Posted by: Yogesh Garg | May 11, 2007 8:47 AM | Report abuse


© 2010 The Washington Post Company