Ben Langhinrichs

Genii Weblog

AOL security bug?

Wed 22 Oct 2003, 05:42 PM



by Ben Langhinrichs
AOL seems to have an unusual shortcoming with regard to passwords. I can't quite decide how big a deal it is, but it is certainly odd to use the wrong password and still get in. Here's the situation. I have an AOL account (please, I know, I know), and the password is something almost completely unlike '47fancy2' (because this is after all a public weblog, so I'm not going to reveal my password here). What I have discovered is, if I enter '47fancy295' or '47fancy2thelastdance' or '47fancy24601', they all work just fine as passwords.

OK, this may seem stupid, but if I were using Lotus Notes and my password were 'abc', which sounds frightfully insecure and easy to break, I would still be OK if a hacking program tried all five character combinations under the mistaken assumption that I was using at least five characters.  AOL would let me in as soon as one of those combinations started with 'abc', so it is clearly less secure.

What's more, I am not sure what this reveals about the password algorithm utilized by AOL.  Do they just start comparing letters until they reach a valid password?  I should probably report this to someone, although chances are they won't change it.  The real question is, who would I even report it to?  Anybody know?

Copyright © 2003 Genii Software Ltd.
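
The behaviour described in the post, as an added example that is not code from the original post or from AOL: a verifier that checks only the first characters of an attempt (an assumption about the cause, since the post does not know the real algorithm) beside one that hashes the whole input, with a regression check that lists every password-plus-suffix a verifier wrongly accepts. All class and function names are hypothetical.

```python
import hashlib
import hmac
import os


def _digest(password: str, salt: bytes) -> bytes:
    # Standard-library PBKDF2; iteration count kept low so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class PrefixVerifier:
    """Assumed model of the post's observation: only the first
    len(password) characters of an attempt are ever checked."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.n = len(password)
        self.stored = _digest(password, self.salt)

    def check(self, attempt: str) -> bool:
        # Anything after the first n characters is silently discarded.
        return hmac.compare_digest(_digest(attempt[: self.n], self.salt), self.stored)


class FullLengthVerifier:
    """Hashes the entire attempt, so any extra character changes the digest."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.stored = _digest(password, self.salt)

    def check(self, attempt: str) -> bool:
        return hmac.compare_digest(_digest(attempt, self.salt), self.stored)


def accepted_variants(verifier, password: str, suffixes) -> list:
    """Regression check: every password+suffix that the verifier accepts."""
    return [password + s for s in suffixes if s and verifier.check(password + s)]


if __name__ == "__main__":
    pw = "47fancy2"  # the stand-in password used in the post
    suffixes = ["95", "thelastdance", "4601"]  # the endings the post tried
    for cls in (PrefixVerifier, FullLengthVerifier):
        print(cls.__name__, accepted_variants(cls(pw), pw, suffixes))
```

A check like `accepted_variants` belongs in an authentication test suite: it should return an empty list for any verifier that is put into service.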

What has been said:


62.1. Colin Pretorius
(10/23/2003 09:38 AM)

slashdot :-)