From: Nexus (nexuspatrol.i-way.co.uk)
Date: Wed May 01 2002 - 21:03:33 CDT

    ----- Original Message -----
    From: "Remington Winters" <fyreguyrivetgeek.com>
    To: <vuln-devsecurityfocus.com>
    Sent: Thursday, May 02, 2002 12:12 AM
    Subject: Re: AOL passwords

    > Also, of note is this: Try adding ^ to your password, say at the end of
    > it. Now type in your password without that caret. Gee, still works just
    > fine......seems AOL strips out at least that character and most likely all
    > non-alphanumerics and upper ASCII.

    Discounting for the moment the entropy associated with a character range
    such as that, and also discounting all the maths that says a good password
    would take X eons to remotely brute force, what am I bid that the majority
    of users don't _actually_ use a good password? I use 2 dictionaries - one is
    yer bog-standard quarter-of-a-million-words type in the suitable language,
    and the other is that same one, but with only those words of 8 characters
    or less, for those crypt()-style implementations.

    Guess which one is shorter - that cuts down the brute force time by quite
    a bit, especially using hybrid password attacks. As has been said, users
    should use good passwords, but they don't. Sure, I may not get _your_
    account if you choose a good password, but I'll bet I'll get a shedload of
    other ones... not that AOL has a large userbase of course ;-)

    Any password scheme without user education will fail, as is proved pen test
    after pen test.

    Just my 0.00000000000002576 Euros.

    Cheers.
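The two weaknesses discussed in this thread (a verifier that silently strips non-alphanumerics, and a crypt()-style implementation that only looks at the first 8 characters) are both things a defender can test for directly. The following is an added example, not code from the original post or from AOL; the `lossy_normalise` function is a constructed model of the behaviour described above, and `probe_verifier` is a hypothetical self-test that checks whether a password verifier accepts variants of the registered password that it should reject. It also computes how much of the nominal keyspace survives such normalisation.

```python
import math
import string

# Nominal alphabet a user believes they are choosing from: letters, digits
# and printable ASCII punctuation (94 symbols).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
ALNUM_ALPHABET = string.ascii_letters + string.digits

def lossy_normalise(password: str) -> str:
    """Constructed model of the flaw described in the thread (hypothetical):
    drop anything that is not ASCII alphanumeric, then keep only the first
    8 characters, as a crypt()-style implementation would."""
    kept = "".join(ch for ch in password if ch.isascii() and ch.isalnum())
    return kept[:8]

def strict_normalise(password: str) -> str:
    """A verifier that compares the password exactly as typed."""
    return password

def make_verifier(normalise):
    """Build verify(registered, attempt) -> bool around a normaliser.
    Stands in for a hash comparison; constructed for the example."""
    def verify(registered: str, attempt: str) -> bool:
        return normalise(registered) == normalise(attempt)
    return verify

def probe_verifier(verify, registered: str) -> list:
    """Return a list of findings: variants of the registered password that
    the verifier wrongly accepts. An empty list means no silent
    normalisation was detected."""
    findings = []
    # The ^ test from the thread: an extra trailing symbol must not match.
    if verify(registered, registered + "^"):
        findings.append("ignores appended non-alphanumeric")
    stripped = "".join(ch for ch in registered if ch.isalnum())
    if stripped != registered and verify(registered, stripped):
        findings.append("strips non-alphanumerics")
    if len(registered) > 8 and verify(registered, registered[:8]):
        findings.append("truncates to 8 characters")
    return findings

def effective_bits(password: str, normalise) -> float:
    """Bits of keyspace the verifier actually enforces for this password:
    alphabet size is 62 if punctuation is discarded, 94 otherwise, and the
    length is whatever survives normalisation."""
    punctuation_kept = normalise("a!") == "a!"
    alphabet = len(FULL_ALPHABET) if punctuation_kept else len(ALNUM_ALPHABET)
    return len(normalise(password)) * math.log2(alphabet)

if __name__ == "__main__":
    sample = "Tr0ub4dor&3xyz"  # constructed sample password
    for name, norm in (("lossy", lossy_normalise), ("strict", strict_normalise)):
        verify = make_verifier(norm)
        print(name, probe_verifier(verify, sample),
              round(effective_bits(sample, norm), 1), "bits")
```

Run against the lossy verifier the probe reports all three findings and the 14-character sample is worth about 47.6 bits instead of roughly 91.8, which is the gap the post is pointing at: the short, alphanumeric-only dictionary is the one that matters when the verifier throws the rest of the password away.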