Tuning in
  • 9
  • 0
  • 8
Registered: ‎03-11-2013
Message 1 of 14 (255 Views)

Idiotic password policy

Hi all

I just tried logging on to check my bill and was informed that I needed to change my password as they had detected attempts to hack accounts. On trying to reset my password I was presented with a password complexity policy that must have been dreamt up by a 15 year old on work experience for a week in 1994.

No spaces? 8-10 characters only? No special characters? And must begin with a letter?

No wonder Virginmedia accounts are a hacker's paradise, it must be like shooting fish in a barrel. Extra irony points for being forced to change my password due to known hacking attempts, yet no action by the Virgin security team to get rid of these restrictive and completely unnecessary rules.

I had to reset my password on this Community Site, and even this has a better password policy than the main site itself! Very poor.

To compound matters, there are several other threads on this issue dating back to at least 2013. On one of them a moderator stated he agreed that the policy was rubbish and would raise it with the right team. Here we are, 4 years later, with the same dangerous password policy in place, and Virgin Media aware that accounts are being hacked, yet still not able to make a simple change to their security policy that would (a) simplify, (b) make it more secure, and (c) stop their customers having to waste time raising this issue AGAIN on the Community forum, no doubt to be completely ignored by the people with the power to change things for another 4 years.

Rising star
  • 1.09K
  • 32
  • 129
Registered: ‎09-07-2010
Message 2 of 14 (227 Views)

Re: Idiotic password policy


HeadLikeARock wrote:

Hi all

I just tried logging on to check my bill and was informed that I needed to change my password as they had detected attempts to hack accounts. On trying to reset my password I was presented with a password complexity policy that must have been dreamt up by a 15 year old on work experience for a week in 1994.

No spaces? 8-10 characters only? No special characters? And must begin with a letter?

No wonder Virginmedia accounts are a hacker's paradise, it must be like shooting fish in a barrel. Extra irony points for being forced to change my password due to known hacking attempts, yet no action by the Virgin security team to get rid of these restrictive and completely unnecessary rules.

I had to reset my password on this Community Site, and even this has a better password policy than the main site itself! Very poor.

To compound matters, there are several other threads on this issue dating back to at least 2013. On one of them a moderator stated he agreed that the policy was rubbish and would raise it with the right team. Here we are, 4 years later, with the same dangerous password policy in place, and Virgin Media aware that accounts are being hacked, yet still not able to make a simple change to their security policy that would (a) simplify, (b) make it more secure, and (c) stop their customers having to waste time raising this issue AGAIN on the Community forum, no doubt to be completely ignored by the people with the power to change things for another 4 years.


Yet I've had an account with Virgin for over 5 years, used the same password since day 1 and never had my account compromised. 10 characters is easily enough to make a complicated password: using 9 random characters with numbers and mixed upper/lower (couldn't find a calculator to work with this exact ruleset) one website tells me there are 13,537,086,546,263,552 combinations. Granted, most passwords will likely use real words instead of all those possible combinations, but that's an education issue; even if they allow people to use longer passwords it won't stop idiots from using rubbish passwords. I mean, I have a 31 character password that I know which contains almost anything a password complexity policy would want, but I could still just use 123456 :P

0 Kudos
Problem sorter
  • 2.5K
  • 108
  • 509
Registered: ‎28-08-2009
Message 3 of 14 (200 Views)

Re: Idiotic password policy

still no excuse though

For example, the Hub 3 wifi password and admin password rules are horrendously complex, much stricter than the far more important master password for your account [the one that lets you order and buy stuff, change your address...]

That is nuts

So is requiring the master password to be stored within easy to lose / easy to hack mobile devices in order to stream to TV anywhere

Virgin continue to play ostrich with this issue

Tuning in
  • 9
  • 0
  • 8
Registered: ‎03-11-2013
Message 4 of 14 (189 Views)

Re: Idiotic password policy

You're missing the point Shane, or maybe I didn't make myself entirely clear.

Password complexity rules should always enforce a minimum level of complexity; they should never artificially enforce an upper limit. Reducing the keyspace by not allowing special characters or spaces just makes a hacker's job easier, and a consumer's job harder. Don't take my word for it, ask any pentester, white-hatter or black-hatter for that matter. There are devices and applications out there that would likely make short work of your random password.

Given the ever-increasing number of major security breaches at high profile online businesses over the years, this should be a copper-bottomed no-brainer to the Security Team of any organisation. Virgin have had this issue highlighted to them several times by both concerned consumers and professionals over recent years: does their apparent lackadaisical attitude to something so simple inspire confidence that your personal details are reasonably secure in their care? It doesn't inspire me with confidence. What does it say about their attitude to the nuts and bolts of IT security that are invisible to us as consumers? Can you be sure they even store your password in their database as a salted hash value? Do they even know what one is?

I'm more concerned by the lack of appropriate action since they were made aware of this issue than the problem itself.

 

Rising star
  • 1.09K
  • 32
  • 129
Registered: ‎09-07-2010
Message 5 of 14 (175 Views)

Re: Idiotic password policy


HeadLikeARock wrote:

You're missing the point Shane, or maybe I didn't make myself entirely clear.

Password complexity rules should always enforce a minimum level of complexity; they should never artificially enforce an upper limit. Reducing the keyspace by not allowing special characters or spaces just makes a hacker's job easier, and a consumer's job harder. Don't take my word for it, ask any pentester, white-hatter or black-hatter for that matter. There are devices and applications out there that would likely make short work of your random password.

Given the ever-increasing number of major security breaches at high profile online businesses over the years, this should be a copper-bottomed no-brainer to the Security Team of any organisation. Virgin have had this issue highlighted to them several times by both concerned consumers and professionals over recent years: does their apparent lackadaisical attitude to something so simple inspire confidence that your personal details are reasonably secure in their care? It doesn't inspire me with confidence. What does it say about their attitude to the nuts and bolts of IT security that are invisible to us as consumers? Can you be sure they even store your password in their database as a salted hash value? Do they even know what one is?

I'm more concerned by the lack of appropriate action since they were made aware of this issue than the problem itself.

 


Thing is, for the people who aren't tech savvy, and to a lesser extent myself, if the password complexity rules are too restrictive then people just won't bother signing up. If I get a site that won't just accept one of my own passwords then I don't bother, and I have passwords that already meet most password complexity requirements. No idea how their backend stores the data; I would like to hope it's using a per-user salt with a decent hash. I mean, it's really not that complicated to do, there are very well trusted known libraries out there you can hook in to, that or just offload your authentication to the likes of Google to handle for you :P

So realistically speaking, the only real complexity minimum they can afford to enforce would be a mix of upper/lower alphanumeric with maybe a special character. Try explaining password complexity to a 50 year old grandparent who is just ordering internet to keep the grandkids happy when they visit. While it would be nice for every site to demand a minimum password of 8 characters containing at least 2 upper/lower, at least 2 numbers and at least 2 special characters while not being a dictionary word or leet speak variation and not containing your real name, date of birth or house number, it's not really possible to deploy as a whole to the internet. Education takes time and it's a losing battle sadly; just add 2FA and be done with it, it's about all you can really do these days.

0 Kudos
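What "a per-user salt with a decent hash" looks like in practice, as an added example that is not the forum's or Virgin Media's code. It uses only the Python standard library (PBKDF2-HMAC-SHA256 via hashlib, the portable choice; scrypt or Argon2 are preferable where a library for them is available), draws a fresh random salt for every password, and compares digests in constant time so that a wrong guess cannot be timed. The record format, the iteration count and the function names are the example's own assumptions.

```python
import hashlib
import hmac
import os

# Assumed storage format for this example (not Virgin Media's):
#   "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000      # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16
DIGEST_BYTES = 32


def _derive(password, salt, iterations):
    """Slow key derivation: the cost is what makes offline guessing expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=DIGEST_BYTES)


def hash_password(password, iterations=ITERATIONS):
    """Create a storable record with a fresh per-user random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False          # malformed record: never accept
    if algorithm != ALGORITHM:
        return False
    candidate = _derive(password, salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record uses an older algorithm or a lower work factor,
    so it can be upgraded transparently at the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery")
    print(rec)
    print("verify ok:", verify_password(rec, "correct horse battery"))
    print("verify wrong:", verify_password(rec, "123456"))
```

Note that two calls to hash_password with the same input produce different records, which is the point of the per-user salt: identical passwords in a leaked table do not reveal themselves, and a precomputed table for one salt is useless for every other user.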
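Post 5's "just add 2FA" in working form, as an added example that is not the thread's or Virgin Media's code: an RFC 4226 HOTP / RFC 6238 TOTP implementation in standard-library Python, with a verifier that tolerates one time step of clock drift and compares codes in constant time. The secret and the expected codes in the demo are the published RFC test vectors; the function names and the drift window are the example's own choices.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret, code, unix_time=None, window=1, step=30, digits=6):
    """Accept the current step plus `window` steps either side (clock drift).
    The comparison is constant-time; a real deployment also records the last
    accepted counter so the same code cannot be replayed within its window."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    matched = False
    for c in range(counter - window, counter + window + 1):
        # no early return: every candidate is checked to keep timing uniform
        if hmac.compare_digest(hotp(secret, c, digits), code):
            matched = True
    return matched


# Published test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890")
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for counter in range(3):
        print("HOTP", counter, hotp(RFC_SECRET, counter))
    print("TOTP at T=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))
    print("current code:", totp(RFC_SECRET, int(time.time())))
```

The secret must be generated per user from a cryptographic random source and stored only server-side; the user's authenticator holds the same secret, usually delivered once as a QR code, and both sides derive the code independently from it and the clock.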
Tuning in
  • 9
  • 0
  • 8
Registered: ‎03-11-2013
Message 6 of 14 (170 Views)

Re: Idiotic password policy

That's the point I'm making - VM is enforcing a maximum password length of ten characters, and it bars you from using special characters! Their password rules ARE too restrictive, but not in a good way.

Superfast
  • 191
  • 7
  • 73
Registered: ‎04-06-2015
Message 7 of 14 (164 Views)

Re: Idiotic password policy

10 characters isn't ideal, but it's far from "very poor" either.

62^10 is still a huge key space, especially as 62^12 is unbreakable if chosen correctly.  The restrictions don't suggest a lack of understanding, but rather a better understanding of the logistics of integrating several platforms, some of which are legacy.

Could they be better, sure.  Will they improve over time, absolutely... but if you're really concerned, don't use VM's "free" email and ensure your password is unique.

Rest assured, they understand the problem perfectly (including how to store passwords correctly).  They're stored insecurely right now, but not through a lack of understanding.
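The keyspace arithmetic that posts 2, 4 and 7 argue over, as an added example that is not code from the thread or from Virgin Media: it encodes the policy exactly as the first post describes it (8 to 10 characters, first character a letter, letters and digits only, no spaces) as a validator, then counts how many passwords each rule set admits and converts that to bits of entropy. The assumptions are labelled in the comments: that the site is case-sensitive (52 letters), and that an unrestricted policy would allow the 95 printable ASCII characters. Post 2's figure of 13,537,086,546,263,552 for nine random alphanumerics is 62^9, and the counts show why the maximum length matters more than any of the other rules.

```python
import math
import re

# Policy as described in the thread (reconstruction, not Virgin Media's code)
MIN_LEN, MAX_LEN = 8, 10
LETTERS = 52      # a-z, A-Z: assumes the site treats case as significant
ALNUM = 62        # letters plus digits
PRINTABLE = 95    # printable ASCII incl. space and symbols (assumed "unrestricted")


def policy_violations(password):
    """Return the rules from the thread that `password` breaks (empty list = accepted)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN}")
    if " " in password:
        problems.append("no spaces")
    if not password[:1].isalpha():
        problems.append("must begin with a letter")
    if not re.fullmatch(r"[A-Za-z0-9]*", password):
        problems.append("no special characters")
    return problems


def keyspace(min_len, max_len, first_choices, rest_choices):
    """Number of distinct passwords when the first character is drawn from
    `first_choices` symbols and every later one from `rest_choices`,
    summed over all permitted lengths."""
    return sum(first_choices * rest_choices ** (n - 1)
               for n in range(min_len, max_len + 1))


def bits(count):
    """Entropy in bits of a uniformly chosen password from a space of `count`."""
    return math.log2(count)


def compare_policies():
    """Keyspace of the described policy against the figures quoted in the thread."""
    return {
        "described_policy": keyspace(MIN_LEN, MAX_LEN, LETTERS, ALNUM),
        "nine_random_alnum": keyspace(9, 9, ALNUM, ALNUM),        # post 2
        "ten_random_alnum": keyspace(10, 10, ALNUM, ALNUM),       # post 7's 62^10
        "twelve_printable": keyspace(12, 12, PRINTABLE, PRINTABLE),
        "sixteen_printable": keyspace(16, 16, PRINTABLE, PRINTABLE),
    }


if __name__ == "__main__":
    for name, count in compare_policies().items():
        print(f"{name:>18}: {count:>30,d}  ({bits(count):5.1f} bits)")
    for pw in ["Abcdefg1", "1abcdefg", "correct horse battery", "Abcdefg!"]:
        print(repr(pw), "->", policy_violations(pw) or "accepted")
```

The dictionary printed by compare_policies shows the trade: the described policy tops out just above 62^10, while simply allowing length 16 with the full printable set adds dozens of bits, which is what "never enforce an upper limit" in post 4 means in numbers. A uniformly random password is the best case; as post 2 says, human-chosen passwords occupy a far smaller region of any of these spaces, which is a separate argument for rate limiting and 2FA rather than for a shorter maximum.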

Wise owl
  • 3.26K
  • 175
  • 876
Registered: ‎09-09-2009
Message 8 of 14 (123 Views)

Re: Idiotic password policy

[ Edited ]
0 Kudos
Problem sorter
  • 2.5K
  • 108
  • 509
Registered: ‎28-08-2009
Message 9 of 14 (112 Views)

Re: Idiotic password policy

Please explain your final sentence

You say they know what to do, and how, so what's stopping them?

0 Kudos
Superfast
  • 191
  • 7
  • 73
Registered: ‎04-06-2015
Message 10 of 14 (109 Views)

Re: Idiotic password policy

Constraints from legacy equipment dating back 10+ years... plus a requirement to mirror credentials to systems on several different platforms.

In isolation, I understand the argument... but the suggestion that *nobody* at VM/Liberty Global understands passwords is utterly ludicrous.

0 Kudos