AOL security bug?
Wed 22 Oct 2003, 05:42 PMTweet
by Ben Langhinrichs
AOL seems to have an unusual shortcoming with regards to passwords. I can't quite decide how big a deal it is, but it is certainly odd to use the wrong password and still get in. Here's the situation. I have an AOL account (please, I know, I know), and the password is something almost completely unlike '47fancy2' (because this is after all a public weblog, so I'm not going to reveal my password here). What I have discovered is, if I enter '47fancy295' or '47fancy2thelastdance' or '47fancy24601', they all work just fine as passwords.
OK, this may seem stupid, but if I were using Lotus Notes and my password were 'abc', which sounds frightfully insecure and easy to break, I would still be OK if a hacking program tried all five character combinations under the mistaken assumption that I was using at least five characters. AOL would let me in as soon as one of those combinations started with 'abc', so it is clearly less secure.
What's more, I am not sure what this reveals about the password algorithm utilized by AOL. Do they just start comparing letters until they reach a valid password? I should probably report this to someone, although chances are they won't change it. The real question is, who would I even report it to? Anybody know?
Copyright © 2003 Genii Software Ltd.
What has been said:
59.1. Colin Pretorius (10/23/2003 09:38 AM)