----- Original Message -----
From: "Remington Winters" <fyreguyat_private>
To: <vuln-devat_private>
Sent: Thursday, May 02, 2002 12:12 AM
Subject: Re: AOL passwords

> Also, of note is this: Try adding ^ to your password, say at the end of it.
> Now type in your password without that caret. Gee, still works just
> fine...... seems AOL strips out at least that character and most likely all
> non-alphanumerics and upper ASCII.

Discounting for the moment the entropy associated with a character range such as that, and also discounting all the maths that says a good password would take X eons to remotely brute force, what am I bid that the majority of users don't _actually_ use a good password?

I use 2 dictionaries - one is yer bog-standard quarter of a million words type in the suitable language, and the other was that one, but with only those words of 8 characters or less for those crypt() style implementations. Guess which one is shorter - that cuts down the brute force time by quite a bit, especially using hybrid password attacks.

As has been said, users should use good passwords, but they don't. Sure, I may not get _your_ account if you choose a good password, but I'll bet I'll get a shedload of other ones... not that AOL has a large userbase of course ;-)

Any password scheme without user education will fail, as is proved pen test after pen test.

Just my 0.00000000000002576 Euros.

Cheers.
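To make the point above concrete, here is an added example (not part of this message and not AOL's code) that models the stripping the thread describes and measures what is left for a verifier to distinguish; the normalization rules, the 8-character crypt() truncation, and the 48-bit policy threshold are assumptions for illustration.

```python
import math
import string

# Symbols assumed to survive the stripping described in the thread.
ALNUM = set(string.ascii_letters + string.digits)


def aol_style_normalize(password, max_len=None):
    """Model (assumed from the thread, not AOL's real code) of a verifier that
    drops every non-ASCII-alphanumeric character and, for a crypt() style
    scheme, keeps only the first max_len characters of what remains."""
    kept = "".join(ch for ch in password if ch in ALNUM)
    return kept[:max_len] if max_len else kept


def nominal_bits(password):
    """Search space the user believes they have: 95 printable ASCII symbols."""
    return len(password) * math.log2(95)


def effective_bits(password, max_len=None):
    """Upper bound on the search space the verifier actually distinguishes:
    the normalized length times log2 of the 62-symbol surviving alphabet."""
    return len(aol_style_normalize(password, max_len)) * math.log2(len(ALNUM))


def collides(a, b, max_len=None):
    """True when two different passwords are accepted as the same credential."""
    return aol_style_normalize(a, max_len) == aol_style_normalize(b, max_len)


def meets_policy(password, min_bits=48.0, max_len=None):
    """Policy check applied to what the verifier keeps, not to what was typed."""
    return effective_bits(password, max_len) >= min_bits


if __name__ == "__main__":
    for pw in ("hunter2^", "p@ss-w0rd!", "correcthorsebattery"):
        print(f"{pw!r:24} nominal {nominal_bits(pw):5.1f} bits, "
              f"effective {effective_bits(pw):5.1f} bits, "
              f"crypt()-style {effective_bits(pw, 8):5.1f} bits")
    print("hunter2^ == hunter2 after stripping:", collides("hunter2^", "hunter2"))
```

The last line of output shows the thread's observation directly: the caret adds nothing, because both spellings normalize to the same credential.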
This archive was generated by hypermail 2b30 : Wed May 01 2002 - 19:10:27 PDT