Alleged AOL password security flaw raises eyebrows
Washington Post blogger brings up a reader's tip that AOL truncates its 16-character-max passwords after only 8 characters.
According to a post Monday on the Washington Post's "Security Fix" blog, AOL's password system may not be quite as secure as it would have you believe. A tipster e-mailed blog author Brian Krebs to say that even though AOL allows your password to be 16 characters long, it only counts the first eight. This could spell bad news for AOL members who might not choose their passwords wisely--namely, those who might include their usernames in them.
"Let's take a fictional AOL user named Bob Jones, who signs up with AOL using the user name BobJones," Krebs wrote in his post. "Bob--thinking himself very clever--sets his password to be BobJones$4e?0...even though Bob thinks he created a pretty solid 13-character password--complete with numerals, non-standard characters, and letters--the system won't read past the first eight characters of the password he set, which in this case is exactly the same as his user name. Bob may never be aware of this."
But even though the Washington Post blog has certainly raised the profile of the potential password flaw, it's not necessarily anything new. As one commenter on the post writes, "it's an old, well-known, well-documented underlying issue in the one-way hashing function crypt() once used by UNIX (among other) systems for passwords."
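The following Python is an added illustration, not code from the article or from AOL: it models a crypt()-style verifier that uses only the first 8 bytes of a password beside one that uses every character, and adds a small audit that flags Bob's case. The PBKDF2 construction and the fixed salt are stand-ins chosen for the example; the 8-byte limit is that of the classic DES-based crypt(3).

```python
import hashlib
import hmac

TRUNCATE_AT = 8  # classic DES-based crypt(3) uses only the first 8 bytes of a password


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Model of a truncating verifier: everything after byte 8 is silently dropped.
    Constructed for illustration (PBKDF2 over the truncated input), not real DES crypt."""
    effective = password.encode()[:TRUNCATE_AT]
    return hashlib.pbkdf2_hmac("sha256", effective, salt, 10_000)


def modern_hash(password: str, salt: bytes) -> bytes:
    """Same construction without the truncation: every character counts."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def verify(stored: bytes, candidate: str, salt: bytes, hash_fn) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(stored, hash_fn(candidate, salt))


def char_classes(s: str) -> set:
    """Which of letter/digit/symbol appear in s."""
    return {"digit" if c.isdigit() else "letter" if c.isalpha() else "symbol" for c in s}


def audit_password(username: str, password: str) -> list:
    """Findings a defender would want if the backend truncates at TRUNCATE_AT."""
    effective = password[:TRUNCATE_AT]
    findings = []
    if len(password) > TRUNCATE_AT:
        findings.append(f"only first {TRUNCATE_AT} chars count: {effective!r}")
    if effective.lower() == username.lower()[:TRUNCATE_AT]:
        findings.append("effective password equals username prefix")
    lost = char_classes(password) - char_classes(effective)
    if lost:
        findings.append("character classes lost to truncation: " + ", ".join(sorted(lost)))
    return findings


if __name__ == "__main__":
    salt = b"demo-salt"  # constructed; a real system uses a random per-user salt
    stored = legacy_hash("BobJones$4e?0", salt)
    print(verify(stored, "BobJones", salt, legacy_hash))  # True: the bare username logs Bob in
    for finding in audit_password("BobJones", "BobJones$4e?0"):
        print("-", finding)
```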
AOL representatives did not immediately respond to requests for comment.