Vulnerability Development mailing list archives

Re: AOL passwords


From: "Nexus" <nexus () patrol i-way co uk>
Date: Thu, 2 May 2002 03:03:33 +0100


----- Original Message -----
From: "Remington Winters" <fyreguy () rivetgeek com>
To: <vuln-dev () securityfocus com>
Sent: Thursday, May 02, 2002 12:12 AM
Subject: Re: AOL passwords


Also, of note is this: Try adding ^ to your password, say at the end of
it.
Now type in your password without that caret.  Gee still works just
fine......seems aol strips out at least that character and most likely all
non-alphanumerics and upper ascii.

Discounting for the moment the entropy associated with a character range
such as that, also discounting all the maths that says a good password would
take X eons to remotely brute force, what am I bid that the majority of
users don't _actually_ use a good password ?   I use 2 dictionaries - one is
yer bog-standard quarter of a million words type in the suitable language
and the other was that one, but with only those words of 8 characters or
fewer for those crypt() style implementations.
Guess which one is shorter - that cuts down the brute force time by quite
a bit, especially using hybrid password attacks.   As has been said, users
should use good passwords but they don't.   Sure I may not get _your_
account if you choose a good password, but I'll bet I'll get a shedload of
other ones... not that AOL has a large userbase of course ;-)
Any password scheme without user education will fail as is proved pen test
after pen test.
Just my 0.00000000000002576 Euros

Cheers.
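The behaviour discussed in this thread (a backend that silently discards non-alphanumeric characters before hashing, so a password typed with a trailing caret also verifies without it), shown as an added example that is not part of the original posts. It places a constructed, deliberately flawed verifier beside a hardened one that hashes the password exactly as entered, and packages the caret probe from the thread as an audit check you can run against your own enrolment/verify pair. The PBKDF2 parameters, the 62- and 95-symbol alphabet sizes and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import os
import re
from typing import Callable, Tuple

# Illustrative assumption: PBKDF2-HMAC-SHA256 with a fixed iteration count.
ITERATIONS = 50_000


def _strip_nonalnum(password: str) -> str:
    """The flaw under discussion: drop every character outside [A-Za-z0-9]."""
    return re.sub(r"[^A-Za-z0-9]", "", password)


def _pbkdf2(material: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def flawed_enroll(password: str) -> Tuple[bytes, bytes]:
    """Constructed flawed backend: strips characters, then hashes what is left."""
    salt = os.urandom(16)
    return salt, _pbkdf2(_strip_nonalnum(password).encode("utf-8"), salt)


def flawed_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = _pbkdf2(_strip_nonalnum(password).encode("utf-8"), salt)
    return hmac.compare_digest(candidate, digest)


def hardened_enroll(password: str) -> Tuple[bytes, bytes]:
    """Hardened form: hash the password exactly as typed, so every character counts."""
    salt = os.urandom(16)
    return salt, _pbkdf2(password.encode("utf-8"), salt)


def hardened_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = _pbkdf2(password.encode("utf-8"), salt)
    return hmac.compare_digest(candidate, digest)


def backend_discards_characters(
    enroll: Callable[[str], Tuple[bytes, bytes]],
    verify: Callable[[str, bytes, bytes], bool],
) -> bool:
    """Audit check for your own backend, built from the probe in the thread:
    enrol a password carrying a space and a trailing caret, then verify with
    the caret removed. True means the stored credential is weaker than what
    the user typed and the login path is silently discarding characters."""
    salt, digest = enroll("correct horse^")
    return verify("correct horse", salt, digest)


def keyspace_bits(password: str, backend_strips: bool) -> float:
    """Upper bound on brute-force work as length * log2(alphabet size).
    Assumes 62 symbols survive on a stripping backend and 95 printable ASCII
    symbols otherwise; the point is the gap, not the absolute numbers."""
    if backend_strips:
        return len(_strip_nonalnum(password)) * math.log2(62)
    return len(password) * math.log2(95)


if __name__ == "__main__":
    for name, enroll, verify in (
        ("flawed", flawed_enroll, flawed_verify),
        ("hardened", hardened_enroll, hardened_verify),
    ):
        print(name, "discards characters:", backend_discards_characters(enroll, verify))
    sample = "Tr0ub4dor&3!"  # constructed sample password
    print("bits if stripped:", round(keyspace_bits(sample, True), 1))
    print("bits if kept:    ", round(keyspace_bits(sample, False), 1))
```

Running the audit function against the flawed pair returns True, against the hardened pair False; the same check can be pointed at any real enrol/verify API you own. The keyspace figures make the entropy point explicit: on a stripping backend the attacker only has to cover the alphanumeric residue, which is both shorter and drawn from a smaller alphabet than what the user believed they had chosen.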

