The sad truth is that most of the passwords are less than 8 characters anyway. If the AOL users at least get to 8, that would be something...

SD

-----Original Message-----
From: Erik Parker [mailto:eparkerat_private]
Sent: Wednesday, May 01, 2002 1:21 PM
To: Jacob McMaster
Cc: vuln-devat_private
Subject: Re: AOL passwords / crypt() and online brute forcing

This thread seems to come up every couple of days on various security focus lists. The only real issue with this is, if the site or program doesn't TELL you there is a restriction. Anyone that uses the standard crypt() is going to be limited to 8 characters. I don't have access to AOL to check their documentation on their passwords; you may want to telephone them and ask, or inquire via E-mail. The same goes for any site or program you find like this.

Also, brute forcing an AOL password would be a little faster than brute forcing an Amazon.com 8 character password, but not by much... I'm also not sure if AOL locks accounts after so many password attempts..

Regardless, if you take the 94 displayable ASCII characters.. and do 94^8 you have a possible 6,095,689,385,410,816.. So about 6 quadrillion passwords to try.. Let's say you can crack a million passwords per second (which you CAN'T when brute forcing over TCP or dialup, or anything else.. You'll be lucky if it'll let you try 5 or 10 a second). That's still 1.6 million hours, or 70,551 days, or 193 years.

Take the TCP lag and application lag into account, and say you can pop 10 tries a second.. (This goes for AOL, web applications.. FTP, telnet, whatever.. You could get more faster with multiple connections and such, but even if you maxed out the TCP stack.. you'd get nowhere fast.) You'd be able to wrap up cracking an 8 character password using a mix of the 94 displayable ASCII characters in about 26,623,381 years.

So the moral of the story is.. Use a secure password with those 8 characters you get.. Complain that they don't document it (if they don't), and hope someone doesn't own their database again. =)

EP

Jacob McMaster (jmcmasterat_private) wrote today:

JM> I don't know if anyone has said this but, AOL allows you to use an 8+
JM> character password, but when signing in it will only check the first 8
JM> characters and then it doesn't matter if you type the rest of the password or
JM> type the rest of it wrong, it will let you in that account. Also their
JM> access to your email via the web, it will actually tell you it's the wrong
JM> password if your password is over 8 characters and you type the whole thing
JM> in; you have to type only the 1st 8 characters to get into it. Not sure
JM> this is a major issue, but would make the cracking process easier for
JM> someone if they know there is a max of 8 characters needed.
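A small calculator, added here as an example and not part of the thread, that reproduces Erik's 94^8 keyspace and his million-guesses-per-second figures, shows why a verifier that only checks the first 8 characters (the crypt() behaviour Jacob describes) caps the effective keyspace at 94^8 no matter how long the password is, and adds an assumed lockout model (N failed attempts, then a lock for W seconds) to show what rate limiting does to an online guesser's budget. The function names and the lockout model are mine; the posters do not say what AOL actually did.

```python
"""Keyspace and online-guessing budget calculator (added example, not from the thread)."""
import math

# The 94 displayable ASCII characters used in the message (0x21-0x7E, space excluded).
DISPLAYABLE_ASCII = 94
SECONDS_PER_YEAR = 365 * 86400


def keyspace(length, alphabet=DISPLAYABLE_ASCII, truncate_at=None):
    """Distinct passwords a guesser has to consider.

    If the verifier only looks at the first `truncate_at` characters (classic
    DES-based crypt() truncates to 8), extra characters add no search space.
    """
    effective = length if truncate_at is None else min(length, truncate_at)
    return alphabet ** effective


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a flat guess rate."""
    return space / guesses_per_second


def seconds_to_exhaust_with_lockout(space, attempts_per_window, window_seconds):
    """Same, but the account locks for `window_seconds` after `attempts_per_window`
    failed guesses.  Assumed lockout model; the message does not say what AOL did."""
    windows = math.ceil(space / attempts_per_window)
    return windows * window_seconds


def breakdown(seconds):
    """Express a duration as hours / days / years, the way the message does."""
    return {
        "hours": seconds / 3600,
        "days": seconds / 86400,
        "years": seconds / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    full = keyspace(8)
    print(f"94^8 = {full:,}")  # 6,095,689,385,410,816

    # A 16-character password checked by an 8-character-truncating verifier
    # is no harder to exhaust than an 8-character one.
    print(f"16 chars, truncated to 8: {keyspace(16, truncate_at=8):,}")
    print(f"16 chars, no truncation:  {keyspace(16):,}")

    for rate in (1_000_000, 10):
        b = breakdown(seconds_to_exhaust(full, rate))
        print(f"{rate:>9,} guesses/s: {b['hours']:,.0f} h, {b['days']:,.0f} d, {b['years']:,.0f} y")

    # Five failed attempts, then a 15-minute lock: the defender's comparison.
    locked = seconds_to_exhaust_with_lockout(full, 5, 15 * 60)
    print(f"5 attempts per 15-minute lockout: {breakdown(locked)['years']:,.0f} y")
```

The lockout figure is the one worth comparing with the 10-guesses-per-second estimate: a lock after a handful of failures, rather than network latency, is what actually bounds an online guesser, and it is the control a site should document alongside any length cap.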
This archive was generated by hypermail 2b30 : Wed May 01 2002 - 12:54:44 PDT