Alleged AOL password security flaw raises eyebrows

Washington Post blogger brings up a reader's tip that AOL truncates its 16-character-max passwords after only 8 characters.

According to a post Monday on the Washington Post's "Security Fix" blog, AOL's password system may not be quite as secure as it would have you believe. A tipster e-mailed blog author Brian Krebs to say that even though AOL allows your password to be 16 characters long, it only counts the first eight. This could spell bad news for AOL members who might not choose their passwords wisely--namely, those who might include their usernames in them.

"Let's take a fictional AOL user named Bob Jones, who signs up with AOL using the user name BobJones," Krebs wrote in his post. "Bob--thinking himself very clever--sets his password to be BobJones$4e?0...even though Bob thinks he created a pretty solid 13-character password--complete with numerals, non-standard characters, and letters--the system won't read past the first eight characters of the password he set, which in this case is exactly the same as his user name. Bob may never be aware of this."

But even though the Washington Post blog has certainly raised the profile of the potential password flaw, it's not necessarily anything new. As one commenter on the post writes, "it's an old, well-known, well-documented underlying issue in the one-way hashing function crypt() once used by UNIX (among other) systems for passwords."
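The truncation behaviour the commenter attributes to legacy crypt() is easy to reason about in code. The following is an added example, not code from the article, from AOL or from Krebs: it simulates a verifier that hashes only the first eight characters beside one that hashes the whole password, provides a black-box check a defender can use to find out whether a login system ignores characters past some limit, and applies a password-policy check to the part of the password that actually counts. The salted PBKDF2 hash, the store classes, the user "BobJones" and the probe strings are all constructed for illustration and are not how AOL's system worked.

```python
"""Added example (not from the CNET article, AOL or Krebs): password
truncation at 8 characters, a black-box check for it, and a policy check
that judges the password by its effective (counted) part.
All names, hashes and sample values are constructed for illustration."""
import hashlib
import hmac
import os

TRUNCATE_AT = 8  # the legacy crypt()-style limit discussed in the article


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 stands in for whatever hash a real system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingStore:
    """Simulated legacy scheme: only the first TRUNCATE_AT characters count."""

    def __init__(self):
        self._records = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, _pbkdf2(password[:TRUNCATE_AT], salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self._records[user]
        return hmac.compare_digest(digest, _pbkdf2(password[:TRUNCATE_AT], salt))


class FullLengthStore(TruncatingStore):
    """Same interface, but every character of the password is hashed."""

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, _pbkdf2(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self._records[user]
        return hmac.compare_digest(digest, _pbkdf2(password, salt))


def truncates_passwords(store, user: str = "probe", probe: str = "Xq7!vB2m") -> bool:
    """Black-box audit against a test account you control: register a probe
    password, then try the probe with extra characters appended. If the longer
    string still verifies, characters past the limit are being ignored."""
    store.register(user, probe)
    return store.verify(user, probe + "EXTRA-CHARACTERS")


def effective_password(password: str, limit: int = TRUNCATE_AT) -> str:
    """The part of the password a truncating system actually checks."""
    return password[:limit]


def check_policy(username: str, password: str, limit: int = TRUNCATE_AT) -> list:
    """Return policy findings, judging the password by its effective part.
    Empty list means no finding."""
    eff = effective_password(password, limit)
    findings = []
    if len(password) > limit:
        findings.append(f"only the first {limit} of {len(password)} characters are used")
    if eff.lower() == username.lower():
        findings.append("effective password equals the username")
    elif username.lower() in eff.lower():
        findings.append("effective password contains the username")
    classes = sum([
        any(c.islower() for c in eff),
        any(c.isupper() for c in eff),
        any(c.isdigit() for c in eff),
        any(not c.isalnum() for c in eff),
    ])
    if classes < 3:
        findings.append(f"effective password uses only {classes} character class(es)")
    return findings


if __name__ == "__main__":
    # Bob's 13-character password collapses to his username on a truncating system.
    legacy = TruncatingStore()
    legacy.register("BobJones", "BobJones$4e?0")
    print("legacy accepts bare username:", legacy.verify("BobJones", "BobJones"))
    modern = FullLengthStore()
    modern.register("BobJones", "BobJones$4e?0")
    print("modern accepts bare username:", modern.verify("BobJones", "BobJones"))
    print("legacy truncates:", truncates_passwords(TruncatingStore()))
    print("modern truncates:", truncates_passwords(FullLengthStore()))
    for finding in check_policy("BobJones", "BobJones$4e?0"):
        print("finding:", finding)
```

The audit function only needs an account you own and the ordinary login interface, which makes it a reasonable pre-deployment or vendor-assessment check; the policy function is the mitigation on the user-facing side, since a length or complexity rule that looks at the whole string says nothing about the eight characters a truncating system keeps.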

AOL representatives did not immediately respond to requests for comment.

About the author

Caroline McCarthy, a CNET News staff writer, is a downtown Manhattanite happily addicted to social-media tools and restaurant blogs. Her pre-CNET resume includes interning at an IT security firm and brewing cappuccinos.

