Vulnerability Development mailing list archives

RE: AOL passwords / crypt() and online brute forcing


From: "Duffy, Shawn" <SDuffy () NCIINC com>
Date: Wed, 1 May 2002 13:59:27 -0400

The sad truth is that most of the passwords are less than 8 characters
anyway.
If the AOL users at least get to 8, that would be something...

SD


-----Original Message-----
From: Erik Parker [mailto:eparker () mindsec com]
Sent: Wednesday, May 01, 2002 1:21 PM
To: Jacob McMaster
Cc: vuln-dev () securityfocus com
Subject: Re: AOL passwords / crypt() and online brute forcing


This thread seems to come up every couple of days on various security
focus lists.

The only real issue with this is, if the site or program doesn't TELL you
there is a restriction. Anyone that uses the standard crypt() is going to
be limited to 8 characters.

I don't have access to AOL to check their documentation on their
passwords, you may want to telephone them and ask, or inquire via E-mail.

The same goes for any site or program you find like this. Also, brute
forcing an AOL password would be a little faster than brute forcing an
Amazon.com 8 character password, but not by much... I'm also not sure if
AOL locks account after so many password attempts.. Regardless,

if you take the 94 displayable ascii characters.. and do 94^8
you have a possible 6,095,689,385,410,816..  So about 6 quadrillion
passwords to try..

Let's say you can crack a million passwords per second (Which you CAN'T
when brute forcing over tcp or dialup, or anything else.. You'll be lucky
if it'll let you try 5 or 10 a second)

That's still 1.6 million hours, or 70,551 days, or 193 years.

Take the tcp lag and application lag into account, and say you can pop 10
tries a second.. (This goes for AOL, web applications.. ftp, telnet,
whatever.. you could get more faster with multiple connections and such,
but even if you max'd out the tcp stack.. you'd get nowhere fast)

You'd be able to wrap up cracking an 8 character password using a mix of
the 94 displayable ascii characters in about 26,623,381 years.

So the moral of the story is.. Use a secure password with those 8
characters you get.. Complain that they don't document it (if they don't),
and hope someone doesn't own their database again. =)


EP> Jacob McMaster (jmcmaster () appliedsystems com) JM wrote today:

JM> I don't know if anyone has said this but, AOL allows you to use an 8+
JM> character password, but when signing in it will only check the first 8
JM> characters and then it doesn't matter if you type the rest of the password or
JM> type the rest of it wrong it will let you in that account.  Also their
JM> access to your email via the web, it will actually tell you it's the wrong
JM> password if your password is over 8 characters and you type the whole thing
JM> in, you have to type only the 1st 8 characters to get into it.  Not sure
JM> this is a major issue, but would make the cracking process easier for
JM> someone if they know there is a max of 8 characters needed.

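As an added illustration (not part of this thread), the Python below reproduces Erik's keyspace and time arithmetic and gives a defender a way to check whether a password verifier silently stops reading after N characters, the behaviour Jacob describes. The two hashers are constructed stand-ins (SHA-256 over the full or truncated string), not real crypt(); the check itself works against any callable that maps a password to a digest.

```python
import hashlib
from typing import Callable, Optional

PRINTABLE_ASCII = 94            # the 94 displayable ASCII characters cited in the thread
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length


def effective_keyspace(length: int, truncate_at: int = 8,
                       alphabet: int = PRINTABLE_ASCII) -> int:
    """Keyspace actually faced when the verifier only checks the first
    `truncate_at` characters: a 12-character password is no stronger than 8."""
    return alphabet ** min(length, truncate_at)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time to try every candidate at a fixed guess rate (online or offline)."""
    return space / guesses_per_second / SECONDS_PER_YEAR


# Constructed stand-ins for an authentication backend (assumption: not real DES crypt).
def truncating_hash(password: str) -> str:
    """Mimics a crypt()-style verifier that ignores everything after the 8th character."""
    return hashlib.sha256(password[:8].encode()).hexdigest()


def full_hash(password: str) -> str:
    """Mimics a verifier that uses the whole password."""
    return hashlib.sha256(password.encode()).hexdigest()


def detect_truncation(hash_fn: Callable[[str], str], probe_length: int = 32) -> Optional[int]:
    """Return the index after which `hash_fn` stops looking at the password,
    or None if every one of `probe_length` positions influences the digest.
    Flips one character at a time and watches whether the digest changes."""
    base = "a" * probe_length
    reference = hash_fn(base)
    for i in range(probe_length):
        mutated = base[:i] + "b" + base[i + 1:]
        if hash_fn(mutated) == reference:
            return i          # change at position i was invisible to the verifier
    return None


if __name__ == "__main__":
    print(f"94^8 = {keyspace(8):,}")
    print(f"at 1e6 guesses/s: {years_to_exhaust(keyspace(8), 1e6):.0f} years")
    print("truncation point:", detect_truncation(truncating_hash), detect_truncation(full_hash))
```

Run `detect_truncation` against your own verifier (wrapping its check in a digest-or-boolean callable) as a regression test whenever the hashing backend changes.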
