Vulnerability Development mailing list archives
Re: AOL passwords
From: "Nexus" <nexus () patrol i-way co uk>
Date: Thu, 2 May 2002 03:03:33 +0100
----- Original Message -----
From: "Remington Winters" <fyreguy () rivetgeek com>
To: <vuln-dev () securityfocus com>
Sent: Thursday, May 02, 2002 12:12 AM
Subject: Re: AOL passwords
Also, of note is this: try adding ^ to your password, say at the end of it. Now type in your password without that caret. Gee, still works just fine... seems AOL strips out at least that character and most likely all non-alphanumerics and upper ASCII.
Discounting for the moment the entropy associated with a character range such as that, and also discounting all the maths that says a good password would take X eons to remotely brute force, what am I bid that the majority of users don't _actually_ use a good password?

I use 2 dictionaries: one is yer bog-standard quarter-of-a-million-words type in the suitable language, and the other is that same one, but with only those words of 8 characters or less, for those crypt() style implementations. Guess which one is shorter. That cuts down the brute force time by quite a bit, especially using hybrid password attacks.

As has been said, users should use good passwords, but they don't. Sure, I may not get _your_ account if you choose a good password, but I'll bet I'll get a shedload of other ones... not that AOL has a large userbase of course ;-)

Any password scheme without user education will fail, as is proved pen test after pen test.

Just my 0.00000000000002576 Euros.

Cheers.
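The two effects discussed in this thread, a login that silently drops non-alphanumeric characters and a wordlist trimmed to 8 characters for crypt()-style hashes, as an added illustration that is not code from the thread or from AOL. The stripping behaviour, the character-class sizes and the mini wordlist are assumptions constructed for the example.

```python
import math
import string

# Constructed model of the behaviour the post describes: every character
# outside [A-Za-z0-9] is dropped before the password is compared. A defender
# sizing the search space has to assume the attacker knows this.
def normalize_stripping_nonalnum(password: str) -> str:
    return "".join(ch for ch in password if ch.isascii() and ch.isalnum())


def keyspace_bits(password: str) -> float:
    """log2 of the keyspace for passwords of this length drawn from the
    character classes actually present. Class sizes are an assumption
    (printable ASCII: 26 lower, 26 upper, 10 digits, 32 punctuation)."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    charset = sum(size for chars, size in classes
                  if any(c in chars for c in password))
    if not password or charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def stripping_cost(password: str) -> tuple[float, float]:
    """Bits of search space before and after the server's stripping.
    The second number is what the attacker actually faces."""
    return keyspace_bits(password), keyspace_bits(normalize_stripping_nonalnum(password))


def crypt_style_wordlist(words):
    """The post's second dictionary: only words of 8 characters or less,
    since classic DES crypt() ignores everything past the 8th character."""
    return [w for w in words if len(w) <= 8]


# Constructed stand-in for the "quarter of a million words" list.
SAMPLE_WORDS = ["password", "passwords", "secret", "correct",
                "horsebattery", "staple", "ab", "letmein1"]

if __name__ == "__main__":
    print(normalize_stripping_nonalnum("secret^"))       # "secret": the ^ is gone
    print(stripping_cost("Summer^2002!"))                 # roughly (78.7, 59.5)
    print(len(SAMPLE_WORDS), len(crypt_style_wordlist(SAMPLE_WORDS)))
```

The gap between the two numbers from `stripping_cost` is the margin a user thought they had by adding symbols, and the shorter list is the one the attacker tries first.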