AOL and 8-character passwords

Washington Post's Security blog claims that AOL only verifies the first eight characters of the password:
A reader wrote in Friday with an interesting observation: When he went to access his account, he accidentally entered an extra character at the end of his password. But that didn't stop him from entering his account. Curious, the reader tried adding multiple alphanumeric sequences after his password, and each time it logged him in successfully.

It turns out that when someone signs up for an account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters.

How is this a bad set-up, security-wise? Well, let's take a fictional AOL user named Bob Jones, who signs up with AOL using the user name BobJones. Bob -- thinking himself very clever -- sets his password to be BobJones$4e?0. Now, if Bob's co-worker Alice or arch nemesis Charlie tries to guess his password, probably the first password he or she will try is Bob's user name, since people are lazy and often use their user name as their password.

I don't use AOL, so I have no idea whether this is true, but if it is, it's pretty clearly bad. As suggested above, it's actually worse than just allowing 8-character passwords. Resisting password search requires a high-entropy password, but the shorter the password, the more random-looking it has to be, and of course users have trouble remembering random-looking strings. That is why people are often encouraged to use passphrases: they're easier to remember, though each character of a passphrase typically carries fairly low entropy, so the passphrase has to be long to make up for it. If users think they can use long passwords and actually can't, the situation is worse than if they had simply been told to use short passwords.

That said, when people talk about the need for high entropy passwords, the attack they're usually concerned with is dictionary attacks on the encrypted password file. If some attacker can get their hands on AOL's password file then there are much bigger problems than this. So, the relevant attack is one where people's passwords are really easy to guess (like their username). It's not clear that people who use passwords that bad are going to use passwords longer than 8 characters.
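The following is an added example, not code from the post or from AOL. It models the behaviour the article describes with a deliberately flawed verifier that hashes only the first eight characters (the 8-character limit, the PBKDF2 choice and the iteration count are assumptions for the demo), beside a correct verifier that hashes the whole password. The report function is the black-box check a defender can run against their own login path: enrol a password, then see whether junk appended to it, or its first eight characters alone, are still accepted. The two entropy helpers quantify the point made above: a 16-character random password truncated to 8 keeps only half its bits, and a passphrase keeps only the words that fit in the first eight characters (the 2048-word list, at 11 bits per word, is an assumed figure).

```python
import hashlib
import hmac
import math
import os

# Hypothetical legacy limit, modelling the 8-character behaviour the article describes.
MAX_LEN = 8
ITERATIONS = 20_000  # kept low so the demo runs quickly; use far more in production


def truncating_hash(password, salt):
    """Deliberately flawed verifier: only the first MAX_LEN characters reach the hash.
    Everything the user types after that is silently discarded."""
    return hashlib.pbkdf2_hmac("sha256", password[:MAX_LEN].encode(), salt, ITERATIONS)


def full_hash(password, salt):
    """Correct verifier: every character of the password contributes to the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(stored, salt, candidate, hasher):
    """Constant-time comparison of a candidate against the stored hash."""
    return hmac.compare_digest(stored, hasher(candidate, salt))


def truncation_report(hasher, password="BobJones$4e?0"):
    """Black-box check for silent truncation: enrol `password`, then test which variants log in.
    The default password is the one from the quoted article; its first 8 characters are Bob's user name."""
    salt = os.urandom(16)
    stored = hasher(password, salt)
    return {
        "exact": verify(stored, salt, password, hasher),
        "with_junk_appended": verify(stored, salt, password + "ZZZ", hasher),  # the reader's observation
        "first_8_only": verify(stored, salt, password[:MAX_LEN], hasher),      # user name alone suffices?
    }


def effective_entropy_bits(length, alphabet_size, limit=None):
    """Bits of a uniformly random password when the verifier keeps only `limit` characters."""
    kept = length if limit is None else min(length, limit)
    return kept * math.log2(alphabet_size)


def surviving_words(passphrase, limit=MAX_LEN):
    """How many whole words of a space-separated passphrase fit inside the first `limit` characters."""
    count, pos = 0, 0
    for word in passphrase.split(" "):
        if word and pos + len(word) <= limit:
            count += 1
        pos += len(word) + 1  # +1 for the separating space
    return count


if __name__ == "__main__":
    print("truncating verifier:", truncation_report(truncating_hash))
    print("full verifier:      ", truncation_report(full_hash))
    print("16 random chars from a 62-symbol alphabet:",
          round(effective_entropy_bits(16, 62)), "bits; after truncation to 8:",
          round(effective_entropy_bits(16, 62, MAX_LEN)), "bits")
    # Constructed passphrase; assume each word comes from a 2048-word list (11 bits per word).
    pp = "correct horse battery staple"
    print(f"passphrase {pp!r}: {11 * len(pp.split())} bits nominally, "
          f"{11 * surviving_words(pp)} bits after truncation")
```

Running it shows the truncating verifier accepting all three variants while the full verifier accepts only the exact password; the same three-probe test works against any live login form without knowing how the back end stores passwords, which is exactly how the reader in the article noticed the problem.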


The problem (at least one of them anyway) is not that AOL uses only 8 characters for its password but that it tricks the end-user into thinking that it could be more than 8 when in actuality, anything over 8 will be ignored. The article says that upon initial signup, the user is allowed to enter "...up to a 16-character password". If I were to enter 16 characters for my password (twice probably as I am sure it would want to verify), then I would expect it to be 16 characters - not just the first 8 alpha-numeric ones. That is giving the end-user a false sense of security at the very least.

