mailing list archives
Re: AOL passwords / crypt() and online brute forcing
From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Wed, 1 May 2002 15:29:08 -0700 (PDT)
One thing is for sure: NO, it does not make the cracking process any easier, because mostly people don't keep any
passwords longer than 8 characters, and besides this is not hash cracking or something like that. The cracker will not
have the hash of the original password. The TCP lag will also include the time taken in the cracking process, which
will increase the time period into a multiple of the number of attempts made to try one pass. Sounds a bit cryptic?
Well, there are 26 alphabets, and 10 digits, alphabets are in two forms: caps or bigger caps and lower caps, which
makes it 26 * 2 + 10 = 62, and this number is 62 if I am not including other displayable characters like ?#%$% etc.
Let's say AOL only accepts lowercaps / caps / and digits only, then it makes sense that 8 letter password will be
comprised of the characters in the range of 62 characters, RIGHT? Which makes it 62 ^ 8,
and 62 ^ 8 = 218340105584896.
So it will take a cracker to attempt 218340105584896 combinations in order to be able to crack your password.
Note: other characters are not included yet (for the reason that I don't have access to AOL atm, so I don't know if they
do or do not allow other displayable characters.)
So 218340105584896 is really a large amount of attempts.
Let's say one attempt takes around 5 seconds, since the connection lags and all the rest of Internetworking reasons,
(maybe AOL firewall may put you off for repeated attempts and all) *anyway
It makes 43668021116979.2 seconds to attempt 218340105584896 combinations on an AOL account, approximately
1403935.86410041152263374485596708 years to crack it. *HMMM* sounds impossible.
So relax and chill, and yeah, you could probably ask AOL whether this is a known feature, or whether they were informed about this
functionality and it was left alone since maybe people might forget their passwords more than 8 characters in length?
Muhammad Faisal Rauf Danka
Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
Chief Security Analyst
Applied Technology Research Center (ATRC)
voice: 92-021-4548323, 92-021-4546077
"Great is the Art of beginning, but Greater is the Art of ending. "
------BEGIN GEEK CODE BLOCK----
GCS/CM/P/TW d- s: !a C++ B@ L$ S$ U+++
P+ L+++ E--- W+ N+ o+ K- w-- O- PS PE- Y-
PGP+ t+ X R tv+ b++ DI+ D G e++ h! r+ y+
------END GEEK CODE BLOCK------
Jacob McMaster (jmcmaster () appliedsystems com) JM wrote today:
I don't know if anyone has said this but, AOL allows you to use a 8+
character password, but when signing in it will only check the first
character and then it doesn't matter if you type the rest of the password
type the rest of it wrong it will let you in that account. Also their
access to your email via the web, it will actually tell you its the
password if your password is over 8 characters and you type the whole
in, you have to type only the 1st 8 characters to get into it. Not
this is a major issue, but would make the cracking process easier for
someone if they know there is a max of 8 characters needed.
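
Added example, not part of either message above: a self-test an operator can run against their own password verifier to find how many leading characters it actually checks, and what that does to the 62-character keyspace discussed in the thread. The `Verifier` class, its `limit` parameter, the `selftest` account name and the PBKDF2 parameters are all constructed for illustration and do not describe AOL's implementation.

```python
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # the 62 characters counted in the post


class Verifier:
    """Constructed password store; limit=8 models the truncation reported above."""

    def __init__(self, limit=None):
        self.limit = limit          # None means every character is significant
        self.db = {}

    def _digest(self, password, salt):
        material = password[: self.limit].encode()
        return hashlib.pbkdf2_hmac("sha256", material, salt, 10_000)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self.db[user] = (salt, self._digest(password, salt))

    def verify(self, user, password):
        salt, stored = self.db[user]
        return hmac.compare_digest(stored, self._digest(password, salt))


def significant_length(verifier, probe_len=16):
    """Self-test on a throwaway account: how many leading characters are checked?"""
    password = "".join(secrets.choice(ALPHABET) for _ in range(probe_len))
    verifier.enroll("selftest", password)
    for n in range(1, probe_len + 1):
        # Keep the first n characters, corrupt the rest ('#' is outside ALPHABET).
        probe = password[:n] + "#" * (probe_len - n)
        if verifier.verify("selftest", probe):
            return n
    raise RuntimeError("verifier rejected the enrolled password")


def effective_keyspace(chosen_len, significant, alphabet=len(ALPHABET)):
    """Distinct passwords of chosen_len that the verifier can actually tell apart."""
    return alphabet ** min(chosen_len, significant)


if __name__ == "__main__":
    for name, v in (("truncating", Verifier(limit=8)), ("full", Verifier())):
        n = significant_length(v)
        print(f"{name}: {n} significant chars, 12-char keyspace {effective_keyspace(12, n)}")
```

A user who picks a 12-character password on the truncating verifier gets the same 62 ^ 8 keyspace as an 8-character one, so the extra characters add nothing.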