It appears that AOL’s password system may not be as secure as one would have thought. Last Friday, an AOL user made an interesting and accidental discovery.
When this particular user went to access his AOL.com account, he accidentally typed an extra character at the end of his password. Surprisingly, this did not stop him from entering his account, even though the password he had entered was wrong.
Curious to find out more, the user then tried adding various alphanumeric sequences after his password. He found that each time he was logged in successfully.
It turns out that when someone signs up for an AOL.com account, the user is allowed to enter a password of up to 16 characters. However, AOL’s system does not read past the first eight characters of a password.
This would be perfectly fine if AOL actually bothered to inform its users of this limit. However, AOL has not informed its users.
Take for instance if I were to sign up for an AOL account. I choose my username to be BenCohen, and thinking I’m real clever, I make my password bencohen1607. The chances of someone guessing the number and letter combination beyond the bencohen part are pretty low.
However, as AOL ignores anything beyond the first 8 characters of a password, my password is effectively just bencohen. Thus, if someone nosy tries to get into my account, they are very likely to guess it.
If someone trying to access my account enters bencohen36, they will also manage to get in, as AOL ignores any characters after the first eight.
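The truncation behaviour described above, reproduced as an added example (not AOL's code, and not from the original article): a password verifier that only compares the first eight characters, beside one that compares the whole string, plus a self-test a site operator could run against their own password store to detect the bug. The 16-character maximum and 8-character comparison are taken from the article; the PBKDF2 storage scheme and the test values are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

MAX_LEN = 16      # sign-up form accepts up to 16 characters (from the article)
LEGACY_LIMIT = 8  # only the first 8 are compared (the bug the article describes)

Record = Tuple[bytes, bytes]  # (per-user salt, derived verifier)


def _derive(password: str, salt: bytes, limit: Optional[int]) -> bytes:
    """Derive a verifier with PBKDF2-HMAC-SHA256 (assumed storage scheme).
    limit=8 reproduces the truncating behaviour; limit=None uses the full password."""
    material = password if limit is None else password[:limit]
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, 100_000)


def enroll(password: str, limit: Optional[int] = None) -> Record:
    """Store a new password: random per-user salt plus the derived verifier."""
    if not 1 <= len(password) <= MAX_LEN:
        raise ValueError("password length outside the accepted range")
    salt = os.urandom(16)
    return salt, _derive(password, salt, limit)


def verify(candidate: str, record: Record, limit: Optional[int] = None) -> bool:
    """Check a login attempt against the stored record in constant time."""
    salt, stored = record
    return hmac.compare_digest(_derive(candidate, salt, limit), stored)


def truncation_bug_present(limit: Optional[int]) -> bool:
    """Self-test for a password store: enroll a 16-character password (constructed
    value), then see whether a candidate sharing only its first 8 characters is
    accepted. True means the store silently truncates."""
    record = enroll("bencohen16072006", limit)
    return verify("bencohen" + "XXXXXXXX", record, limit)


if __name__ == "__main__":
    # The article's scenario: password bencohen1607 checked under both behaviours.
    legacy = enroll("bencohen1607", LEGACY_LIMIT)
    fixed = enroll("bencohen1607")
    for attempt in ("bencohen1607", "bencohen", "bencohen36"):
        print(f"{attempt:14} legacy={verify(attempt, legacy, LEGACY_LIMIT)} "
              f"fixed={verify(attempt, fixed)}")
    print("bug present:", truncation_bug_present(LEGACY_LIMIT), truncation_bug_present(None))
```

Under the legacy behaviour both bencohen and bencohen36 are accepted for the password bencohen1607; with full-length comparison only the exact password is.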
AOL was alerted to this issue. Spokesman Andrew Weistein said that AOL was looking into the matter, but that AOL had no further comment for the moment.
This is surely a huge deal, and we do hope that AOL has a good explanation, because a million AOL.com users will surely demand one, along with a change in the system’s password and security methods.