Genii Weblog

AOL security bug?

Wed 22 Oct 2003, 05:42 PM



by Ben Langhinrichs
AOL seems to have an unusual shortcoming with regards to passwords.  I can't quite decide how big a deal it is, but it is certainly odd to use the wrong password and still get in. Here's the situation.  I have an AOL account (please, I know, I know), and the password is something almost completely unlike '47fancy2' (because this is after all a public weblog, so I'm not going to reveal my password here).  What I have discovered is, if I enter '47fancy295' or '47fancy2thelastdance' or '47fancy24601', they all work just fine as passwords.

OK, this may seem stupid, but if I were using Lotus Notes and my password were 'abc', which sounds frightfully insecure and easy to break, I would still be OK if a hacking program tried all five character combinations under the mistaken assumption that I was using at least five characters.  AOL would let me in as soon as one of those combinations started with 'abc', so it is clearly less secure.

What's more, I am not sure what this reveals about the password algorithm utilized by AOL.  Do they just start comparing letters until they reach a valid password?  I should probably report this to someone, although chances are they won't change it.  The real question is, who would I even report it to?  Anybody know?

Copyright 2003 Genii Software Ltd.

What has been said:


59.1. Colin Pretorius
(10/23/2003 09:38 AM)

slashdot :-)