HackedComputer
Message 1 of 34

Appalling Password Policy

Hello Forum!

I've just taken out VIVID 200, and during sign-up I was dismayed at the password policy that is currently in place.

As a penetration tester, this does not inspire confidence that my details are secure. You require a password of a maximum of 10 characters, without the use of special characters. The entropy is seriously compromised and could allow brute forcing to be highly successful.

Secondly, the password reset procedure is flawed. I wasn't able to set myself a custom question that would increase the entropy. Worse, if my email were breached an attacker could easily bypass those questions, because you have the option to send a password reset link directly to the email address without verification of any kind.

With this poor implementation, I doubt the passwords in the database are stored as salted hash values.

Please consider implementing industry best practices, rather than customer ease of use. We live in an era where cyber attacks are prominent and customer data is sought after.

katebey
Message 2 of 34

Re: Appaling Password Policy

Hi, I'm not a very technical person but you seem to be saying the password system is so flawed that it would be easy for people to penetrate the accounts?

This occurred at the same time VM changed its email platform. The people to whom the emails were sent were not on any contact/mailing list; most were cc'd in emails received years before. VM has categorically denied any breach of data, saying they have investigated, but has not given any details.

Some of those affected have formed a group and an article was printed in The Register.

Another informed person has suggested this is part of a wider hacking issue, diet pills?

Would be interested to hear your thoughts.

HackedComputer
Message 3 of 34

Re: Appaling Password Policy

Hi There,

I wouldn't exactly say it's so flawed, but the problem is that the policy in place entices users to use low-entropy passwords such as "1234567a" or "password1", which are extremely trivial to crack.

During sign up, I entered a secure password using LastPass, and was dismayed that it wasn't accepted. In the end I had to settle for a password that I don't exactly feel happy about.

The times have changed, and secure passwords should be encouraged. Secondly, if there is a requirement that no special characters be used, it puts a lot of doubt in my mind as to how secure the database is and whether salted hashes are used, irrespective of any Intrusion Detection and Prevention Systems in place.

It would be good to have Virgin Media's security team chime in on this, to see if they can explain some of the issues outlined here.

Superuser
Message 4 of 34

Re: Appaling Password Policy

Might be good for you to detail what exactly your concerns are.

A 10-digit alphanumeric password is hardly trivial to brute-force. You are looking at 7 weeks with a thousand guesses a second. Did you even bother to check how many attempts you were locked out after? From a penetration testing POV, a system that locks you out after 3 attempts and allows an alphanumeric password is far more secure than one that allows special characters and has no limit. You have to look at the system as a whole.

Your assertion that passwords are either poorly encrypted or not encrypted has no substance. And as we have been through many times on here, VM security will not divulge what encryption is used- which IS industry best practice. Any knowledge of a system makes an attackers job easier.

The only reason I raise these points is because, as you have experienced, putting information up on a public forum that can be misinterpreted just leads to people getting the wrong idea.

Your assertion about the email reset IS well made; ideally 2-step authentication should be in place, but VERY few online accounts (and fewer ISP accounts) are secured that way. I too would like to see VM move in this direction, but given the infrastructure in place I cannot see it happening any time soon.
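The exhaust-time arithmetic behind the figures argued over in this thread, as an added example that is not part of any post here. It takes the 1,000 guesses/s online rate from the post above, the 180 billion/s (fast unsalted hash) and 71,000/s (bcrypt) offline rates that PaulMoore quotes later in the thread, and an assumed lockout-throttled rate of three attempts per minute for contrast. The alphabet sizes are assumptions too: 36 for the lowercase-plus-digits passwords users tend to pick under an alphanumeric-only rule, 62 with mixed case, 95 for full printable ASCII. The point it makes is the one both sides are circling: the same 10-character policy looks very different depending on whether the attacker is guessing at the login form or against a leaked digest.

```python
import math

# Guess rates in guesses per second. 1,000/s is the figure used in the post above;
# 180e9/s and 71,000/s are the Hashcat figures PaulMoore quotes later in this thread.
# The lockout-throttled rate (3 attempts, then a one-minute lockout) is an assumption
# added here for contrast.
RATES = {
    "online, no lockout (1,000/s)": 1_000.0,
    "online, 3 attempts/minute lockout (assumed)": 3 / 60,
    "offline, fast unsalted hash (180e9/s, quoted)": 180e9,
    "offline, bcrypt (71,000/s, quoted)": 71_000.0,
}

# Alphabet sizes (assumed). 36 is what most users actually draw from under an
# alphanumeric-only rule; 95 is the full printable ASCII range.
CHARSETS = {
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "printable ASCII": 95,
}

UNITS = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
         ("minutes", 60), ("seconds", 1)]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password (log2 of the keyspace)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case seconds to try every password of this shape at `rate` guesses/s.
    The expected time to hit one specific password is half of this."""
    return keyspace(alphabet_size, length) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def report(length: int) -> dict:
    """Exhaust time for every (charset, rate) pair at a given password length."""
    return {
        (cs_name, rate_name): seconds_to_exhaust(size, length, rate)
        for cs_name, size in CHARSETS.items()
        for rate_name, rate in RATES.items()
    }


if __name__ == "__main__":
    # 8 and 10 are the lengths discussed in the thread; 16 shows what a longer,
    # unrestricted password would buy if the policy allowed it.
    for length in (8, 10, 16):
        print(f"\nlength {length}:")
        for cs_name, size in CHARSETS.items():
            print(f"  {cs_name:<18} {bits_of_entropy(size, length):5.1f} bits")
        for (cs, rate_name), secs in report(length).items():
            print(f"  {cs:<18} {rate_name:<46} {humanize(secs):>20}")
```

Reading the 10-character rows: the whole lowercase-plus-digits space falls in a few hours against a fast unsalted hash, in centuries against bcrypt, and in geological time against a login form with a three-strike lockout. Which of those columns applies is decided by how the digests are stored, not by the lockout, which is why the two arguments in this thread talk past each other.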

Matt1959
Message 5 of 34

Re: Appaling Password Policy

Kippies, am I right in saying the "I am a robot" thing and then the "choose which are trees" in these pictures question stops brute force access?

PaulMoore
Message 6 of 34
Helpful Answer

Re: Appalling Password Policy

Sorry, but that's not accurate, Kippies.

Lock-out periods are not a replacement for a solid password policy; nor should they be treated as such.  It's a commendable layer of security to mitigate front-end attacks, but rarely do brute-force attacks happen that way.  It's far more likely that a database breach would leak the digests, leading to offline attacks.

It is not best practice to hide your chosen algorithms... that's security by obscurity.  Kerckhoffs's principle - "A system should remain secure when everything about it is known, apart from the key".  It's exactly this misunderstanding which leads companies to believe they're significantly more secure if they keep it a secret.  It's also a way to hide your failings.

If VM used an inappropriate / weak algorithm ("encryption" is inappropriate, hashing is the correct term), your "1000 guesses a second" estimate is not even close.  4 years ago, Hashcat was breaking 180 billion a second.  Put another way, that box was able to churn through every single 8 character password in 5.5 hours.  4 years, from a computational standpoint at least, is an eternity.  Even if VM were using a cryptographically-strong algorithm (bcrypt, scrypt or PBKDF2 with strong work factors), the same 4-year-old machine was capable of breaking 71,000 bcrypt hashes a second.  If the password is chosen at "random", that isn't trivial to break... but we know VM don't use bcrypt and users rarely choose strong passwords.  These password cracking rigs are available to hire online for a few pounds.

At present, passwords are stored & handled insecurely... thanks in no small part to legacy equipment dating back to the NTL days.  It won't change any time soon but trusting your security to a free VM-issued email address is just asking for trouble.
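The offline attack this reply describes, shown as an added example that is not part of the post: the same three users' passwords stored first as a single fast unsalted digest and then as a salted, iterated PBKDF2-HMAC-SHA256 record, each attacked with the same small wordlist. The users, their passwords (the "password1" and "1234567a" examples from earlier in the thread) and the wordlist are constructed for the example; PBKDF2 is used rather than bcrypt only because it is in the Python standard library, and the 600,000-iteration work factor is an assumption to be tuned to your own hardware budget. Note what the example does and does not show: salting and iteration make the attacker pay per user and per guess, and stop identical passwords from producing identical digests, but they do not rescue a password that is in the attacker's wordlist.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed; tune to your hardware budget).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_unsalted_sha1(password: str) -> str:
    """Legacy shape: one fast, unsalted digest. Identical passwords give identical
    digests, and one precomputed table cracks every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated digest in a self-describing record, so the work factor can
    be raised later without breaking verification of records already stored."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(digests: dict, wordlist: list) -> tuple:
    """Offline attack on unsalted SHA-1: hash the wordlist once, then look every
    user up in the table. Returns (recovered {user: password}, hash computations)."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    found = {user: table[d] for user, d in digests.items() if d in table}
    return found, len(wordlist)


def crack_pbkdf2(records: dict, wordlist: list) -> tuple:
    """Offline attack on salted PBKDF2: every (user, word) pair costs a full
    iterated derivation, so work grows with users x words x iterations."""
    found, computations = {}, 0
    for user, record in records.items():
        for w in wordlist:
            computations += 1
            if verify_pbkdf2(w, record):
                found[user] = w
                break
    return found, computations


# Constructed sample data: three users who chose the weak passwords mentioned in
# this thread (two of them the same one), and the first few guesses an attacker tries.
USERS = {"alice": "password1", "bob": "1234567a", "carol": "password1"}
WORDLIST = ["123456", "password", "password1", "1234567a", "qwerty"]


def demo() -> dict:
    """Store the sample users both ways and attack both stores with WORDLIST."""
    unsalted = {u: store_unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: store_pbkdf2(p) for u, p in USERS.items()}
    found_u, work_u = crack_unsalted(unsalted, WORDLIST)
    found_s, work_s = crack_pbkdf2(salted, WORDLIST)
    return {
        "unsalted_duplicates_visible": unsalted["alice"] == unsalted["carol"],
        "salted_duplicates_visible": salted["alice"] == salted["carol"],
        "unsalted_found": found_u, "unsalted_hashes": work_u,
        "salted_found": found_s, "salted_pbkdf2_runs": work_s,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both attacks recover all three passwords, because all three are in the wordlist. The difference is cost: five SHA-1 computations crack the whole unsalted store regardless of how many users it holds, while the salted store costs a full 600,000-iteration derivation per guess per user, and shows no clue that alice and carol share a password.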

PaulMoore
Message 7 of 34

Re: Appalling Password Policy

"am I right in saying the "I am a robot" thing and then the "choose which are trees" in these pictures question stops brute force access?"

No.  It helps prevent it in some cases, but attackers are wise to this now and it's easily defeated.

Milambar
Message 8 of 34

Re: Appalling Password Policy

Their password policy is atrocious and always has been. Right from the superhub1, through to its latest incarnation. In fact, if you decompress and analyse the javascript that is used to do client-side verification of password inputs, you will even notice that it has a list of prohibited words (including virgin, media, and any combination thereof), further reducing the entropy.

This topic has been discussed here quite a few times before, and on other forums. Virgin are aware of the issue, how can they not be, and yet they don't seem to want to resolve it.

If their password policies horrify you, don't even consider running my.virginmedia.com through an ssllabs analysis. You'd have a heart attack.
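The two rule sets side by side, as an added example rather than anything from this thread or from the site's own JavaScript: the legacy policy as the posts describe it (at most 10 characters, letters and digits only, a prohibited-word list) and a modern one in the spirit of NIST SP 800-63B (length as the only composition rule, any printable character accepted, a breached-password check). The prohibited words are the two the post above reports; the breached-password list and the sample passwords are constructed stand-ins, and the 8/64 length bounds are assumptions. Whatever the checks are, they belong on the server; client-side validation is advisory at best, since an attacker simply does not run it.

```python
import re
import unicodedata

# Legacy rule set as described in this thread. The word list is illustrative,
# taken from the post above; the real list is whatever the site's JavaScript ships.
LEGACY_MAX_LEN = 10
LEGACY_ALLOWED = re.compile(r"[A-Za-z0-9]+")
PROHIBITED_WORDS = ("virgin", "media")

# Modern rule set (assumed bounds), NIST SP 800-63B style: no composition rules beyond
# length, any printable character allowed, candidates screened against breach data.
MODERN_MIN_LEN = 8
MODERN_MAX_LEN = 64
BREACHED_SAMPLE = {"123456", "password", "password1", "1234567a", "qwerty", "letmein"}


def legacy_policy(password: str) -> list:
    """Reasons the legacy policy rejects `password`; an empty list means accepted."""
    reasons = []
    if len(password) > LEGACY_MAX_LEN:
        reasons.append(f"longer than {LEGACY_MAX_LEN} characters")
    if not LEGACY_ALLOWED.fullmatch(password):
        reasons.append("contains characters other than A-Z, a-z, 0-9")
    lowered = password.lower()
    if any(word in lowered for word in PROHIBITED_WORDS):
        reasons.append("contains a prohibited word")
    return reasons


def modern_policy(password: str, breached=BREACHED_SAMPLE,
                  context_words=PROHIBITED_WORDS) -> list:
    """Reasons the modern policy rejects `password`. Normalises to NFKC first so the
    same visible string is judged (and, later, hashed) the same way every time."""
    pw = unicodedata.normalize("NFKC", password)
    reasons = []
    if len(pw) < MODERN_MIN_LEN:
        reasons.append(f"shorter than {MODERN_MIN_LEN} characters")
    if len(pw) > MODERN_MAX_LEN:
        reasons.append(f"longer than {MODERN_MAX_LEN} characters")
    if any(unicodedata.category(c).startswith("C") for c in pw):
        reasons.append("contains control characters")
    if pw.lower() in breached:
        reasons.append("appears in a breached-password list")
    if any(word in pw.lower() for word in context_words):
        reasons.append("contains the service name")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    return reasons


def compare(samples: list) -> dict:
    """For each sample: (accepted by legacy policy, accepted by modern policy)."""
    return {pw: (not legacy_policy(pw), not modern_policy(pw)) for pw in samples}


# Constructed samples: the two weak passwords named in this thread, an 18-character
# generated password of the kind a password manager produces, and a passphrase.
SAMPLES = ["password1", "1234567a", "xq7R#Lm2!vWp9&Zt4c", "correct horse battery staple"]

if __name__ == "__main__":
    for pw, (legacy_ok, modern_ok) in compare(SAMPLES).items():
        print(f"{pw!r:32} legacy={'accept' if legacy_ok else 'reject'} "
              f"modern={'accept' if modern_ok else 'reject'}")
        for reason in legacy_policy(pw):
            print(f"    legacy: {reason}")
        for reason in modern_policy(pw):
            print(f"    modern: {reason}")
```

The output is the inversion the original poster ran into: the legacy rules wave through "password1" and "1234567a" and reject the generated 18-character password and the passphrase, while the modern rules do the opposite. A maximum length of 10 is also worth noticing in its own right, since a correctly hashed password costs the same to store at 10 characters as at 64, so the cap suggests the stored form is not a fixed-size digest.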

Superuser
Message 9 of 34

Re: Appalling Password Policy

PaulMoore wrote:

"am I right in saying the "I am a robot" thing and then the "choose which are trees" in these pictures question stops brute force access?"

No.  It helps prevent it in some cases, but attackers are wise to this now and it's easily defeated.


“… and it's easily defeated.”  Any citation to support this; as applicable to reCAPTCHA (aka No CAPTCHA reCAPTCHA, new reCAPTCHA)?

PaulMoore
Message 10 of 34

Re: Appalling Password Policy