
AOL: Password problems threaten user security

Opinion and Analysis

Although AOL lets you type in 16 characters for your password, an online report and reader comments suggest that the password is truncated to 6 or 8 characters, a blow to user security.

The Washington Post’s security guru Brian Krebs has written an intriguing article on AOL’s password practices.

A reader wrote in to Krebs to tell him that AOL’s password system seemed to be accepting the first eight characters of his password (which was longer than 8 characters) plus any combination of characters thereafter, calling into question the strength of AOL’s password security.

Some commenters on Krebs’ column suggest that it happens with the first 6 characters of a password too, even though AOL’s system allows you to enter up to 16 characters in the first place.

Krebs said that AOL spokesman Andrew Weinstein explained that “the company was looking into the matter” but didn’t provide any further information.

Krebs also quoted Bruce Schneier, chief technology officer of BT Counterpane, as saying that the password system was “sloppy and stupid”. He also quoted Schneier as saying: “Truncating the password at eight characters is a big deal, and there's no excuse for any company in today's world to be doing that. Especially because AOL has...shall we say, some less sophisticated users. Those users need all the help they can get when it comes to choosing a password, and to artificially penalize them in secret for choosing long passwords seems like a bad thing.”

Some commenters believe it’s a problem with Unix; others say the problem was solved in Unix long ago and pertains only to very old equipment, and that the issue has been known for years, making it a non-news story.

Well, the facts are that security is more important than ever in today’s world, and if AOL truly has been so lax on security in the manner described, the problem needs to be fixed ASAP!
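One way to check a password verifier for the silent truncation described above, as an added example that is not code from Krebs, AOL or this article: the `Verifier` class is a constructed stand-in for a login backend (its `keep` parameter and the PBKDF2 hashing are assumptions), and `effective_length` is a hypothetical self-test that reports how many leading characters actually decide a login.

```python
import hashlib
import hmac
import os

MAX_INPUT = 16  # longest password the form accepts, per the article


def _kdf(password, salt):
    # Iteration count kept low so the demo runs quickly; use a higher one in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


class Verifier:
    """Constructed stand-in for a login backend. keep=N silently drops
    everything after the first N characters; keep=None uses the whole password."""

    def __init__(self, keep=None):
        self.keep = keep

    def enroll(self, password):
        salt = os.urandom(16)
        return salt, _kdf(password[:self.keep], salt)

    def verify(self, password, record):
        salt, digest = record
        return hmac.compare_digest(_kdf(password[:self.keep], salt), digest)


def effective_length(verifier, max_len=MAX_INPUT):
    """Return how many leading characters of a max-length password the
    verifier actually checks, by altering one position at a time."""
    password = "".join(chr(ord("a") + i % 26) for i in range(max_len))  # constructed
    record = verifier.enroll(password)
    if not verifier.verify(password, record):
        raise RuntimeError("verifier rejected the enrolled password")
    significant = 0
    for i in range(max_len):
        mutated = password[:i] + "#" + password[i + 1:]
        if not verifier.verify(mutated, record):
            significant = i + 1  # changing position i was noticed
    return significant


if __name__ == "__main__":
    for name, v in [("keeps 8", Verifier(8)), ("keeps 6", Verifier(6)),
                    ("full length", Verifier())]:
        n = effective_length(v)
        print(f"{name}: {n} of {MAX_INPUT} characters checked",
              "(TRUNCATES)" if n < MAX_INPUT else "(ok)")
```

A result lower than the length the form accepts means the extra characters a user types add nothing to the strength of the password.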
