
Lex Cyber - Cyber Law Portal

By garima, on 07-05-2007 18:03

Published in : The News, Latest News


Security Fix

Brian Krebs on Computer Security

Posted at 06:35 PM ET, 05/5/2007

AOL's Password Puzzler

A reader wrote in Friday with an interesting observation: When he went to log in to his AOL.com account, he accidentally typed an extra character at the end of his password, but that didn't stop him from getting in. Curious, the reader tried appending several different alphanumeric sequences to his password, and each time the login succeeded.

It turns out that when someone signs up for an AOL.com account, the user appears to be allowed to set a password of up to 16 characters. AOL's system, however, checks only the first eight characters; anything after that is silently ignored.

How is this a bad set-up, security-wise? Well, let's take a fictional AOL user named Bob Jones, who signs up with AOL using the user name BobJones. Bob -- thinking himself very clever -- sets his password to BobJones$4e?0. Now, if Bob's co-worker Alice or arch nemesis Charlie tries to guess his password, probably the first thing either of them will try is Bob's user name, since people are lazy and often use their user name as their password.

And either of them would be right, in this case, because even though Bob thinks he created a pretty solid 13-character password -- complete with numerals, punctuation and letters -- the system won't read past the first eight characters of the password he set, and those eight characters are exactly his user name. Bob may never be aware of this: The AOL system will just as happily accept BobJones as his password as it will BobJones$4e?0 (or BobJones followed by anything else, for that matter).
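The following is an added example, not AOL's code or anything from the original column: it models a verifier that silently uses only the first eight characters of the password (the limit reported above) beside one that hashes the whole password, and includes a black-box probe of the kind the reader stumbled on. The hash functions, the `PasswordStore` class, the user name BobJones and the password BobJones$4e?0 are all illustrative assumptions taken from the article's scenario.

```python
"""Silent password truncation, modelled on the behaviour described above.

Added example. The 8-character limit is the one the article reports; the
hashing details are assumptions for illustration, not AOL's implementation.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

TRUNCATE_AT = 8  # limit reported in the article

HashFn = Callable[[str, bytes], bytes]


def truncating_hash(password: str, salt: bytes) -> bytes:
    # VULNERABLE (assumed model of the legacy behaviour): only the first
    # TRUNCATE_AT characters influence the stored value, so every password
    # sharing that prefix verifies successfully.
    return hashlib.sha256(salt + password[:TRUNCATE_AT].encode("utf-8")).digest()


def full_length_hash(password: str, salt: bytes) -> bytes:
    # FIXED: every character of the password feeds the key derivation.
    # Iteration count kept low so the example runs quickly; use far more in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class PasswordStore:
    """Minimal account store parameterised by the hash function it uses."""

    def __init__(self, hash_fn: HashFn) -> None:
        self._hash = hash_fn
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> bool:
        if username not in self._users:
            return False
        salt, stored = self._users[username]
        # constant-time comparison of the recomputed hash against the stored one
        return hmac.compare_digest(self._hash(password, salt), stored)


def effective_password_length(store: PasswordStore, username: str, password: str) -> int:
    """Black-box truncation check: the shortest prefix of the real password that
    still logs in. A correct verifier returns len(password); anything smaller
    means characters beyond that point are being discarded."""
    for n in range(1, len(password) + 1):
        if store.login(username, password[:n]):
            return n
    return len(password)


def demo() -> Dict[str, Dict[str, object]]:
    """Runs Bob's scenario against both verifiers and reports what each accepts."""
    username, password = "BobJones", "BobJones$4e?0"  # constructed sample, per the article
    results: Dict[str, Dict[str, object]] = {}
    for label, fn in (("truncating", truncating_hash), ("fixed", full_length_hash)):
        store = PasswordStore(fn)
        store.register(username, password)
        results[label] = {
            "username_as_password": store.login(username, username),
            "password_plus_junk": store.login(username, password + "zzz"),
            "real_password": store.login(username, password),
            "effective_length": effective_password_length(store, username, password),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Running the probe against the truncating store reports an effective length of 8, and both the bare user name and the password with junk appended log in; against the fixed store only the exact 13-character password works. The same check (set a long password, then confirm that a prefix of it is rejected) is worth running against any system with an undocumented input limit: the traditional DES-based crypt(3) used only the first eight characters, and bcrypt stops reading at 72 bytes, so the failure mode is not unique to this case.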

AOL spokesman Andrew Weinstein said the company was looking into the matter, but didn't have any comment beyond that.

Bruce Schneier, chief technology officer of BT Counterpane, called the set-up "sloppy and stupid."

"Truncating the password at eight characters is a big deal, and there's no excuse for any company in today's world to be doing that," Schneier said. "Especially because AOL has...shall we say, some less sophisticated users. Those users need all the help they can get when it comes to choosing a password, and to artificially penalize them in secret for choosing long passwords seems like a bad thing."
