
Vulnerability Development mailing list archives

Re: AOL passwords / crypt() and online brute forcing
From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Wed, 1 May 2002 15:29:08 -0700 (PDT)

One thing is for sure: NO, it does not make the cracking process any easier. Because mostly people don't keep any passwords longer than 8 characters, and besides, this is not hash cracking or something like that. The cracker will not have the hash of the original password. The TCP lag will also include the time taken in the cracking process, which will increase the time period into a multiple of the number of attempts made to try one pass. Sounds a bit cryptic? Well, there are 26 alphabets and 10 digits; alphabets are in two forms, caps or bigger caps and lower caps, which makes it 26 * 2 + 10 = 62, and this number is 62 if I am not including other displayable characters like ?#%$% etc. Let's say AOL only accepts lowercaps / caps / and digits only; then it makes sense that an 8 letter password will be comprised of the characters in the range of 62 characters, RIGHT? Which makes it 62 ^ 8.

and 62 ^ 8 = 218340105584896.

So it will take a cracker 218340105584896 attempts in order to be able to crack your password.

Note: other characters are not included yet (for the reason that I don't have access to AOL atm, so I don't know if they do or do not allow other displayable characters).

So 218340105584896 is really a large amount of attempts. Let's say one attempt takes around 5 seconds, since the connection lags and all the rest of Internetworking reasons (maybe the AOL firewall may put you off for repeated attempts and all); *anyway* it makes 43668021116979.2 seconds to attempt 218340105584896 combinations on an AOL account, approximately 1403935.86410041152263374485596708 years to crack it. *HMMM* sounds impossible.

So relax and chill, and yeah, you could probably ask AOL whether this is a known feature, or were they informed about this functionality and it was left alone since maybe people might forget their passwords more than 8 characters in length? Or what?

Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
voice: 92-021-4548323, 92-021-4546077

"Great is the Art of beginning, but Greater is the Art of ending. "

Version: 3.1
GCS/CM/P/TW d- s: !a C++ B@ L$ S$ U+++ 
P+ L+++ E--- W+ N+ o+ K- w-- O- PS PE- Y- 
PGP+ t+ X R tv+ b++ DI+ D G e++ h! r+ y+

Jacob McMaster (jmcmaster () appliedsystems com) JM wrote today:

I don't know if anyone has said this but, AOL allows you to use an 8+ character password, but when signing in it will only check the first 8 characters, and then it doesn't matter if you type the rest of the password wrong, it will let you in that account. Also their access to your email via the web, it will actually tell you it's the password if your password is over 8 characters and you type the whole thing in; you have to type only the 1st 8 characters to get into it. Not that this is a major issue, but it would make the cracking process easier for someone if they know there is a max of 8 characters needed.
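
The keyspace arithmetic in the reply above and the prefix-only check described in the quoted message, as an added Python example (not code from this list, from AOL, or from crypt() itself): a verifier that only looks at the first 8 characters beside one that checks the whole password, a regression check a site owner can run against their own login to confirm it does not truncate, and the attempt count and time at the thread's 5 seconds per attempt. The SHA-256 digests, the TRUNCATE_AT constant and the test password are assumptions for illustration.

```python
import hashlib
import hmac

TRUNCATE_AT = 8  # assumed limit, modelled on classic DES crypt() ignoring characters past the 8th


def keyspace(charset_size: int, length: int, truncate_at=None) -> int:
    """Number of distinct candidates a brute-forcer must consider.
    If the verifier truncates, characters beyond truncate_at add nothing."""
    effective = length if truncate_at is None else min(length, truncate_at)
    return charset_size ** effective


def years_to_exhaust(space: int, seconds_per_attempt: float, days_per_year: int = 365) -> float:
    """Wall-clock years to try every candidate at one attempt per seconds_per_attempt."""
    return space * seconds_per_attempt / (days_per_year * 86400)


def _digest(pw: str) -> bytes:
    # Illustrative stand-in for the site's password hash (assumption, not AOL's scheme).
    return hashlib.sha256(pw.encode()).digest()


def make_truncating_verifier(password: str):
    """Verifier with the flaw described in the thread: only the first 8 characters matter."""
    stored = _digest(password[:TRUNCATE_AT])
    return lambda attempt: hmac.compare_digest(stored, _digest(attempt[:TRUNCATE_AT]))


def make_full_verifier(password: str):
    """Verifier that compares the whole password."""
    stored = _digest(password)
    return lambda attempt: hmac.compare_digest(stored, _digest(attempt))


def truncates_password(verify, known_password: str, limit: int = TRUNCATE_AT) -> bool:
    """Regression check for a login you own: the correct password with junk appended
    must be rejected. If it is accepted, the verifier only looks at a prefix."""
    if len(known_password) <= limit:
        raise ValueError("use a test password longer than the suspected limit")
    return verify(known_password) and verify(known_password + "zzzz")


if __name__ == "__main__":
    space = keyspace(62, 8)
    print(f"62^8 = {space}, {years_to_exhaust(space, 5.0):,.0f} years at 5 s/attempt")
    print("12-char password under truncation:", keyspace(62, 12, truncate_at=8) == space)
    print("truncating verifier flagged:", truncates_password(make_truncating_verifier("correcthorse"), "correcthorse"))
    print("full verifier flagged:", truncates_password(make_full_verifier("correcthorse"), "correcthorse"))
```

With the thread's 5 seconds per attempt the 62^8 space multiplies out to tens of millions of years, which is why an online rate limit rather than password length is what keeps this search infeasible.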



