
AOL: Password problems threaten user security

Opinion and Analysis

Although AOL lets you type in 16 characters for your password, an online report and reader comments suggest that the password is truncated to 6 or 8 characters, in a blow to user security.

The Washington Post’s security guru Brian Krebs has written an intriguing article on AOL’s password practices.

A reader wrote in to Krebs to tell him that AOL’s password system seemed to be accepting the first eight characters of his password (which was longer than 8 characters) plus any combination of characters thereafter, calling into question the strength of AOL’s password security.

Some commenters in Krebs’ column suggest that it happens with the first 6 characters of a password too, all the while with AOL’s system allowing you to enter up to 16 characters in the first place.

Krebs said that AOL spokesman Andrew Weinstein explained that “the company was looking into the matter” but didn’t provide any further information.

Krebs also quoted Bruce Schneier, chief technology officer of BT Counterpane, as saying that the password system was “sloppy and stupid”. He also quoted Schneier as saying: “Truncating the password at eight characters is a big deal, and there's no excuse for any company in today's world to be doing that. Especially because AOL has...shall we say, some less sophisticated users. Those users need all the help they can get when it comes to choosing a password, and to artificially penalize them in secret for choosing long passwords seems like a bad thing.”

Some commenters believe it’s a problem with Unix, others say the problem was solved in Unix long ago and only pertains to very old equipment, and that the issue has been known for years, making it a non-news story.

Well, the facts are that security is more important than ever in today’s world, and if AOL truly has been so lax on security in the manner described, the problem needs to be fixed ASAP!
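The truncation readers reported (only the first 6 or 8 of up to 16 characters being compared) is something you can test for in a password store you operate. The Python below is an added example, not code from AOL, Krebs or this article: `TruncatingStore`, `FullLengthStore` and `significant_length` are hypothetical names, and PBKDF2 with a 16-character limit is an assumed stand-in for whatever a real system uses.

```python
import hashlib
import hmac
import os

MAX_LEN = 16          # assumed form limit, matching the 16 characters in the article
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this demo

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

class TruncatingStore:
    """Models the reported flaw: only the first `keep` characters are hashed."""
    def __init__(self, keep: int = 8):
        self.keep = keep
    def enroll(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = _hash(password[:self.keep], self.salt)
    def verify(self, candidate: str) -> bool:
        return hmac.compare_digest(self.digest, _hash(candidate[:self.keep], self.salt))

class FullLengthStore:
    """Hashes every character; over-length input is rejected, never cut."""
    def enroll(self, password: str) -> None:
        if len(password) > MAX_LEN:
            raise ValueError("password exceeds the accepted maximum length")
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)
    def verify(self, candidate: str) -> bool:
        if len(candidate) > MAX_LEN:
            return False
        return hmac.compare_digest(self.digest, _hash(candidate, self.salt))

def significant_length(store, probe: str = "Aq7!Zr2#Lm9$Xc4%") -> int:
    """Return how many leading characters of a MAX_LEN password the store checks."""
    if len(probe) != MAX_LEN or "~" in probe:
        raise ValueError("probe must be MAX_LEN characters and must not contain '~'")
    store.enroll(probe)
    if not store.verify(probe):
        raise RuntimeError("store rejects the password it just enrolled")
    # Walk back from the last character; the first change that is rejected
    # marks the last position the store actually compares.
    for i in reversed(range(MAX_LEN)):
        mutated = probe[:i] + "~" + probe[i + 1:]
        if not store.verify(mutated):
            return i + 1
    return 0

if __name__ == "__main__":
    for store in (TruncatingStore(8), TruncatingStore(6), FullLengthStore()):
        print(type(store).__name__, significant_length(store))
```

A result below the accepted maximum means the trailing characters add nothing to the password's strength, which is the condition to fail a regression test on.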
