May 8th, 2007
AOL Shortchanges Your Password
By Michael Santo
Executive Editor, RealTechNews
It’s bad enough when I’m forced to use a really long password. It’s not like my standard, strong password isn’t long enough for most sites (10 characters) or strong enough for most (not a word, a combination of letters and numbers). And I use Roboform for those rare cases where a site imposes specific requirements that I will never remember no matter what. Sometimes I still have to enter a longer one. But what if I choose to enter a long password … and they ignore part of it?
Enter AOL’s latest gaffe. It appears that even though they allow you to enter a password with 16 characters … they only recognize the first 8.
It turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL’s system, however, doesn’t read past the first eight characters.
AOL spokesman Andrew Weinstein said the company was looking into the matter, but didn’t have any comment beyond that.
Bruce Schneier, chief technology officer of BT Counterpane, called the set-up “sloppy and stupid.” Source: Washington Post
We Say: Nice example given in the Washington Post article on how this could be really bad (basically, a password whose first 8 characters are something easy, followed by strong stuff … symbols and numbers mixed, is no stronger than the easy part, because everything after the eighth character is ignored). At any rate … 8 as a limit went out with the 8-character filename limit on DOS. This is pretty bad stuff (though expect it to be fixed soon, since this has now been publicized).
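As an added example (not part of the article or of AOL’s code), here is a small Python audit a site operator can run against their own verifier: it sets a long password, then probes shorter and shorter prefixes to find how many leading characters actually count, and compares the entropy of a 16-character password with that of its first 8 characters. The names PasswordStore, effective_length and entropy_bits are my own, and the truncating store is constructed to model the behaviour the article describes.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 20_000  # kept low so the demo runs quickly; raise for real use


def _derive(password: str, salt: bytes) -> bytes:
    # The verifier hashes whatever string it is given; truncation, if any,
    # happens before this point, exactly where such bugs usually hide.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordStore:
    """Salted PBKDF2 verifier (hypothetical). `normalize` is applied on both set
    and check; passing lambda p: p[:8] models the silent 8-character cutoff."""

    def __init__(self, normalize=lambda p: p):
        self._normalize = normalize
        self._salt = os.urandom(16)
        self._digest = b""

    def set_password(self, password: str) -> None:
        self._digest = _derive(self._normalize(password), self._salt)

    def check_password(self, candidate: str) -> bool:
        return hmac.compare_digest(self._digest, _derive(self._normalize(candidate), self._salt))


def effective_length(store: PasswordStore, password: str) -> int:
    """Set `password`, then test progressively shorter prefixes. The first prefix
    that is rejected reveals how many leading characters the system really checks;
    a correct verifier returns len(password)."""
    store.set_password(password)
    for n in range(len(password) - 1, 0, -1):
        if not store.check_password(password[:n]):
            return n + 1
    return 1  # even a single character is accepted: the rest is ignored


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = "password9$Tr0ng!x"  # constructed: easy first 8 characters, strong tail
    truncating = PasswordStore(normalize=lambda p: p[:8])
    print("truncating store honours", effective_length(truncating, pw), "characters")
    print("correct store honours", effective_length(PasswordStore(), pw), "characters")
    print(f"16 alnum chars: {entropy_bits(16, 62):.1f} bits; first 8 only: {entropy_bits(8, 62):.1f} bits")
```

Against the truncating store the audit reports 8 and accepts the bare prefix “password”, which is the failure the article describes; against the correct store it reports the full 17 characters.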
David Johnston says:
Whose bright idea was that!?
May 8th, 2007 at 8:05 am
ed3 says:
Most UNIX-based systems work that way by default. You can type as many characters as you want at the “Password:” prompt, but only the first eight characters of the password are used. Been that way for nearly 40 years now.
Just means you need to be more creative with your passwords.
May 8th, 2007 at 8:37 am
John says:
UNIX-based systems work that way by default. This can be altered easily enough under account manager / users / Password restrictions / selection.
Under these options you can require a password, allow the user to choose their password, run an obviousness check, and allow the use of a password generator.
The maximum number of allowed characters can be altered to be as much as 34463, although this is excessive.
May 8th, 2007 at 1:06 pm
LZW says:
Older versions of Windows NT used to have the same problem, but I think it was less than 8 chars!
Google Gmail cheats you on the user name… The only symbol they allow in the email/logon name is a period, but then they completely ignore it!
real.tech.news@gmail.com
would actually be the same as:
realtechnews@gmail.com
Passwords also have many limitations on various websites and even desktop applications! For example, Unicode and high-bit characters. You can use them in the administrator password while setting up Windows, but not in too many other places.
May 8th, 2007 at 6:11 pm
Marco Barulli says:
Michael,
using a password manager is not merely convenient for remembering passwords, it’s an effective way to adopt better security practices without too much stress.
It basically sums up to:
1) never re-use the same password,
2) use strong passwords.
But if you are going to use multiple strong and complex passwords you can’t remember all of them and you definitely need a password manager.
Software products like Roboform are certainly an option, but you could also consider a web based solution.
(I’m a tad biased …)
Clipperz is an online password manager that can do much more than simply storing your passwords.
- ubiquitous access
- direct login to online services
- offline version
- bookmarklet for quick data entry
- nothing to install or backup
- …
It’s free and completely anonymous.
Clipperz lets you submit confidential information into your browser, but your data are locally encrypted by the browser itself before being uploaded.
The key for the encryption process is a passphrase known only to you.
Clipperz simply hosts your sensitive data in encrypted form and could never actually access the data in its plain form.
For any further information refer to our website:
http://www.clipperz.com.
Marco
Clipperz co-founder
PS
And hopefully even AOL will grow more security conscious …
May 9th, 2007 at 6:21 am