Castle5
Joining in
2,218 Views
Message 1 of 15

Absurd password requirements

I've just got a new Superhub 3, only to discover that the passwords I use for Wifi are not valid. I'm being forced to use one 10 characters long, 1 or 2 capitals, 1 or 2 numbers, no more than 8 lowercase letters in a row.

Seriously? This is perhaps even more absurd than the maximum of 8 characters for the Virgin portal login.

This isn't going to lead to more secure passwords. It's going to lead to forgotten passwords. Numerous studies have concluded that these conditions won't even create the most secure passwords. Why can I not use a string of words, for example? Why can't I use a shorter password that doesn't take me 15 minutes to type in using a remote control on my Roku?

Does Virgin really think someone is going to sit outside my house trying to brute force my wifi password? And even if so, is it really Virgin's place to restrict so arbitrarily what my password can be? I bet I can guess what thousands of Virgin users have as their Wifi passwords: Password11. Thousands more have Superhub11. These kinds of absurd restrictions are what cause people to use that kind of password.

I'm personally going with ************. I'm not using the asterisks though. (Mod removed it, even though I didn't actually put anything inappropriate and used asterisks for enough letters that anyone who doesn't already know the word would know it, so I'll retry: ****YouVirgin1.)

Please remove these arbitrary restrictions and let me use the passwords I want. It's just my local network, not a bank...

 

 

[MOD EDIT: Inappropriate language removed, please review the Forum Guidelines]

Castle5
Joining in
2,195 Views
Message 2 of 15

Re: Absurd password requirements

I can't edit that post now, so I'll clarify - 3 numbers is not allowed. 3 capitals is not allowed. It has to be 1 or 2. Which is just... insane. The password I suggested I'd use isn't actually allowed, as it has 3 capital letters... Seriously.

Some passwords that are not allowed (generated at http://passwordsgenerator.net/, with symbols deselected):

ej3fpwrUgNX9q2bG

59dvMbdTw

ffrxp3mpwh4yfh2ad7962nr

Apparently these aren't secure enough.

Update: There seem to be other conditions at play here though, as sometimes it seems to allow more than 2 capitals or numbers and sometimes it doesn't. It also does allow 8 lowercase letters in a row at times, and other times it doesn't. It's not even consistent in its application of its own rules. This password is just fine:

aaaaaaaaaaaa123ABC

But this is not:

aaaaaaaaaaaa12AB

I'm starting to suspect that it's losing track of the password as you change it, too, as it will accept something one minute and not the next.

 

 

Update: It gets even worse. When counting 8 lowercase letters in a row, it doesn't consider a number to be a break in lowercase letters. So

Moderator
Moderator
2,136 Views
Message 3 of 15

Re: Absurd password requirements

Hi Castle5,

Thanks for the feedback, the change in the wireless password requirements has been made to improve the security of your connection, though I can see why the limitations around capital letters or numbers used would be frustrating, particularly if employing a password generator.

We'll feed this back to our developers.

Thanks

Ralph_R
Forum Moderator

J0hn
Super solver
2,129 Views
Message 4 of 15

Re: Absurd password requirements

Castle5, you may be aware and able enough to generate a secure password for yourself, however, the majority of folks are either unaware of the need or too lazy to implement a secure password. Therefore Virgin have a duty of care to their customers and choose this method to do it.

Can you imagine the hue and cry, if dozens of elderly customers were fleeced by a password scam made simple by Virgin's actions/inactions?

TalkTalk mk 2, but much larger

Ljutica
Joining in
2,105 Views
Message 5 of 15

Re: Absurd password requirements

That secure password thing affects everything. From creating email to registering on random sites. I used to remember all passwords but now I write those down.

stonelaughter
On our wavelength
2,092 Views
Message 6 of 15

Re: Absurd password requirements

They should do what EVERYONE ELSE does, then; there should be a minimum number of characters and certain un-obfuscated words should be on the blocked list (like "password" and "computer1"); also repeated characters in a row (more than 2) should be blocked; however there should otherwise be no limits at all on what you can put in. For instance "He=9g%&bb32'@" should be allowed.

At the end of the day however, what the password is on a WiFi should be entirely the user's responsibility, not Virgin's; and unless they're using WPA2 it wouldn't matter anyway since it's trivial to get access using simple hardware and software anyway. It's up to users and their families to educate themselves.


Tom
Anything you say may be misquoted and used against you!
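
The rule set proposed in Message 6 (a minimum length, a blocklist of plain words, no character repeated more than twice in a row, and nothing else), written out as an added example that is not part of the original post and is not Virgin Media's code. The 10-character minimum, the blocklist entries, the case-insensitive substring matching and the WPA2 passphrase bound are assumptions of the example.

```javascript
// Added example: the policy described in Message 6, not Virgin Media's code.
// Assumptions: MIN_LENGTH of 10 (the hub's stated minimum), the blocklist
// entries, and case-insensitive substring matching against the blocklist.
const MIN_LENGTH = 10;
const BLOCKLIST = ["password", "computer1", "superhub"]; // constructed sample list

// WPA2-PSK itself only accepts passphrases of 8 to 63 printable ASCII characters.
const WPA2_PASSPHRASE = /^[\x20-\x7e]{8,63}$/;

// Three or more identical characters in a row ("more than 2").
const REPEATED_RUN = /(.)\1{2,}/;

function checkWifiPassphrase(candidate) {
  const reasons = [];
  if (!WPA2_PASSPHRASE.test(candidate)) {
    reasons.push("not a valid WPA2 passphrase (8-63 printable ASCII characters)");
  }
  if (candidate.length < MIN_LENGTH) {
    reasons.push(`shorter than ${MIN_LENGTH} characters`);
  }
  const lowered = candidate.toLowerCase();
  for (const word of BLOCKLIST) {
    if (lowered.includes(word)) {
      reasons.push(`contains blocked word "${word}"`);
    }
  }
  if (REPEATED_RUN.test(candidate)) {
    reasons.push("same character repeated more than twice in a row");
  }
  return { ok: reasons.length === 0, reasons };
}

// Passwords quoted in this thread, run through the policy.
const samples = [
  "ej3fpwrUgNX9q2bG",        // rejected by the hub
  "ffrxp3mpwh4yfh2ad7962nr", // rejected by the hub
  "He=9g%&bb32'@",           // the example given in Message 6
  "aaaaaaaaaaaa123ABC",      // accepted by the hub
  "Password11",
  "Superhub11",
  "59dvMbdTw",
];
for (const s of samples) {
  const { ok, reasons } = checkWifiPassphrase(s);
  console.log(ok ? "accept" : "reject", s, reasons.join("; "));
}
```
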
diziet
Tuning in
1,507 Views
Message 7 of 15

Re: Absurd password requirements

Seriously, do this at your own risk, this may cause harm to your device, it did not mine. It may break further usage of the Wireless Networks page to manage the device, without resorting to the same tricks; depending on how/when the password is validated.

I've just run into this problem and solved it. In the hope that only people who know what they are doing and why attempt this, I'm going to keep the instructions vague.

  • Use Chrome, open the network inspector, click preserve log.
  • Change the WiFi password to something, not the one you want, but one that meets the requirements.
  • Note the multiple XHR GET requests to some pages on the Virgin hub with snmp in the name.
  • Replicate those requests in order, substituting in your password, using the console drawer and jQuery as it's handily loaded already.
  • After each request wait for a reply, and carefully submit the next. Note, if changing the password and having both 2 and 5 GHz networks enabled, the different SNMP OIDs involved. After the SNMP set calls for the passwords the response data should respond with the OID and the password you just sent.

For example: 

$.get("snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10001=mynewpasswordisshinyandchrome;4;&_n=92408&_=1496782576715",function(data) { console.log(data); });

My knowledge here falters a little bit, so I replicated all the requests as is up to the call to the 'walk?' page.  Perhaps only the first three are necessary, two to set the passwords to the different oids and one to 'write' the changes.  

After a page refresh my new allegedly unsafe password was present in the dialogue and works on my devices.

I originally attempted to subvert the validation process but finding the executing JS proved more onerous than simply duplicating the snmp set calls.

 

Superuser
Superuser
1,502 Views
Message 8 of 15

Re: Absurd password requirements

Nice work diziet

diziet sma by any chance or is it a different reference?

 


diziet
Tuning in
1,498 Views
Message 9 of 15

Re: Absurd password requirements

That would be the right reference. It's been a nick of mine since I read the book when it came out. :-D
Superuser
Superuser
1,467 Views
Message 10 of 15

Re: Absurd password requirements

I got hooked after picking up Use of Weapons when it came out in what? 1990? < scary thought

I was nearly Zakalwe when I joined here, but wound up re-using a nick used in other places.

That or "Grey Area", my favourite ship ;-)

 

