05-07-2007, 08:36 AM
Quote:A reader wrote in Friday with an interesting observation: When he went to access his AOL.com account, he accidentally entered an extra character at the end of his password. But that didn't stop him from entering his account. Curious, the reader tried adding multiple alphanumeric sequences after his password, and each time it logged him in successfully.
It turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters...
Bruce Schneier, chief technology officer BT Counterpane, called the set-up "sloppy and stupid."
"Truncating the password at eight characters is a big deal, and there's no excuse for any company in today's world to be doing that," Schneier said. "Especially because AOL has...shall we say, some less sophisticated users...
full article: http://blog.washingtonpost.com/securityf...zzler.html