Alleged AOL password security flaw raises eyebrows

Washington Post blogger brings up a reader's tip that AOL truncates its 16-character-max passwords after only 8 characters.

According to a post Monday on the Washington Post's "Security Fix" blog, AOL's password system may not be quite as secure as it would have you believe. A tipster e-mailed blog author Brian Krebs to say that even though AOL allows your password to be 16 characters long, it only counts the first eight. This could spell bad news for AOL members who might not choose their passwords wisely--namely, those who might include their usernames in them.

"Let's take a fictional AOL user named Bob Jones, who signs up with AOL using the user name BobJones," Krebs wrote in his post. "Bob--thinking himself very clever--sets his password to be BobJones$4e?0...even though Bob thinks he created a pretty solid 13-character password--complete with numerals, non-standard characters, and letters--the system won't read past the first eight characters of the password he set, which in this case is exactly the same as his user name. Bob may never be aware of this."

But even though the Washington Post blog has certainly raised the profile of the potential password flaw, it's not necessarily anything new. As one commenter on the post writes, "it's an old, well-known, well-documented underlying issue in the one-way hashing function crypt() once used by UNIX (among other) systems for passwords."
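The truncation described above can be measured on a system you operate by changing one character of a test password at a time and checking whether the stored hash changes. The sketch below is an added example, not code from the article, the blog post or AOL; `legacy_hash` is a constructed stand-in that uses SHA-256 rather than the DES-based crypt(), and all function names are hypothetical.

```python
import hashlib
import hmac

LEGACY_SIGNIFICANT = 8  # truncation length reported in the article
SALT = b"constructed-salt"  # constructed sample value


def legacy_hash(password: str) -> bytes:
    """Constructed stand-in for a verifier that ignores input past 8 characters.

    SHA-256 keeps the sketch short; it is not the DES-based crypt().
    """
    return hashlib.sha256(SALT + password[:LEGACY_SIGNIFICANT].encode()).digest()


def full_hash(password: str) -> bytes:
    """The same stand-in without truncation, for comparison."""
    return hashlib.sha256(SALT + password.encode()).digest()


def significant_length(hash_fn, probe: str) -> int:
    """Return how many leading characters of `probe` influence the hash.

    Each position is changed in turn; the highest position whose change
    alters the hash marks the end of the part the system actually reads.
    """
    stored = hash_fn(probe)
    significant = 0
    for i, ch in enumerate(probe):
        replacement = "x" if ch != "x" else "y"
        mutated = probe[:i] + replacement + probe[i + 1:]
        if not hmac.compare_digest(hash_fn(mutated), stored):
            significant = i + 1
    return significant


def residual_chars(username: str, password: str, significant: int) -> int:
    """Count characters in the significant prefix that are not the username."""
    effective = password[:significant].lower()
    return len(effective.replace(username.lower()[:significant], ""))


if __name__ == "__main__":
    pw = "BobJones$4e?0"  # the example password from the quoted post
    n = significant_length(legacy_hash, pw)
    print("significant characters:", n)
    print("non-username characters read:", residual_chars("BobJones", pw, n))
```

A residual of zero means the system is effectively comparing the username against itself, which is the situation the quoted example describes.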

AOL representatives did not immediately respond to requests for comment.
