jhuk
Message 1 of 8

Password strength

http://community.virginmedia.com/t5/Security-matters/My-Virgin-Media-password-strength/td-p/3463228/...

Seems the above thread did get closed, even though the MOD only actually hinted it might if it got out of hand.

I have just run the Security Check-up on LastPass and changed all my old passwords and fixed any issues.

Even the few sites that did not allow decent passwords in the past now do, apart from 3 sites.

I have contacted Astraweb and await a reply.

VM, on the other hand, I have no faith in anything getting done, but this very forum can have a password strong enough to score 100% in the security check, though it's not actually run by VM (at least, once it was not).

VM can only have letters and numbers, no special characters, and AFAIR about 7-10 long, and one of the below sites must start with a letter (again AFAIR).

[MOD EDIT: Subject heading changed to assist community]

Capture.JPG

shanematthews
Message 2 of 8

Re: BUMP

Not sure what you're expecting; it's not going to change. Too many legacy systems in place that can't be updated to support higher requirements. It's not happening.

jhuk
Message 3 of 8

Re: BUMP

Not expecting much, like someone's blood or first-born, just the same basic security even pr0n sites have given in the past 10 years.

And I am not sure why you are not sure, as it was pretty clear from my post and the linked thread that all I/we want is a stronger password option.

Unlike the linked thread, which was ruined by 1 fool, I am not going to reply to any posts from naysayers, as if the above-mentioned sites can do it, so can a big company like VM.

shanematthews
Message 4 of 8

Re: BUMP

@jhuk wrote:

Not expecting much, like someone's blood or first-born, just the same basic security even pr0n sites have given in the past 10 years.

And I am not sure why you are not sure, as it was pretty clear from my post and the linked thread that all I/we want is a stronger password option.

Unlike the linked thread, which was ruined by 1 fool, I am not going to reply to any posts from naysayers, as if the above-mentioned sites can do it, so can a big company like VM.


See, here's the thing: you cannot give options that the back end cannot support. The back-end systems only support very specific password rules; they could change the front end to "allow" those passwords, but the back end will still reject them. Comparing the password requirements on a generic site isn't the same as a system that spans decades, with hardware that is probably older than some of the customers VM sells to :P

The "I'm not sure what you're expecting" refers more to the fact that you seem to expect something that is physically impossible to happen. This thread isn't going to make VM go out and spend an absolute fortune replacing every single legacy system in the country just to allow for a slightly higher password complexity. I am well aware of what you're "asking" for, but it's not anywhere near as simple as you seem to think it is.

用心棒 (Superuser)
Message 5 of 8

Re: BUMP

IMHO, there is nothing like a data breach to shake that lethargy and make the previously perceived impossible / expensive suddenly achievable. 

shanematthews
Message 6 of 8

Re: BUMP

@用心棒 wrote:

IMHO, there is nothing like a data breach to shake that lethargy and make the previously perceived impossible / expensive suddenly achievable.


To be fair, if it was going to happen, chances are it would have already, but that won't force them to redo the entire system; they would just plug the hole used to gain access and send out password resets to all users.

Superuser
Message 7 of 8

Re: BUMP

Just to pour fuel on the fire...

You are looking at one aspect of security in isolation. Password strength, whilst important in the case of a brute-force attack, is irrelevant from the POV of other attack vectors. In fact, even in the case of a brute-force attack, other mitigating factors (number of attempts allowed per second, IP matching/blocking, SSL implemented or not, etc. etc. etc.) are important.

In fact I'd argue a system that forces you to have separate passwords for email, fora and billing account is MORE secure than one that allows you a greater password strength but allows replication across platforms. LCD and that. Personally I couldn't even TELL you my email and MyVM account passwords because the requirements are so obscure.

Which means I haven't used the all-too-tempting "recycle a password" that breaks network security instantly. Used the same password on "Bobo's Cuddly ToysRus" to order a gift for your Valentine as for your 3 VM logins, with now-aligned 15-character requirements after an upgrade?

Yeah, you're goosed...

Breach "Bobo's" with their off-the-peg GoDaddy premium security and you've breached your VM/Bank/Amazon/PayPal, cos whilst the requirements were STRONG in a password checker, you used the same one...

Attack footprint is about MUCH more than vanilla password strength.

BlackHats are the same as any other criminal. They are looking for least effort and most reward. Throwing millions of processor cycles at a community forum password (as an example of what MAY be a SPF) only to find it doesn't allow access to either email or billing is a waste of time/effort.

Whether by accident or design (I'll leave that to the reader), IMHO the fact that legacy systems have obscure requirements works in our favor.

PaulMoore
Message 8 of 8

Re: BUMP

"In fact even in the case of a brute force attack, other mitigating factors (number of attempts allowed per second, IP matching/blocking, SSL implemented or not etc etc etc) are important."

Sorry Kippies, but that doesn't make sense. Brute-force attacks just don't happen that way! If an attacker has the hashes (if they were hashed in the first place!), attempts per second are limited only by their hardware/algorithm... and IP matching/SSL makes no difference whatsoever.

"Id argue a system that forces you to have separate passwords for email, fora and billing account is MORE secure than one that allows you a greater password strength but allows replication across platforms"

That'd be true if all those systems were interoperable, but they're not. You can easily set your MyVM password to the same as the forum's, or the other way around. Restrictions are a limitation on what the password could be, not an indication of what the password might be...

"Throwing millions of processor cycles at a community forum password (as an example of what MAY be a SPF) only to find it doesn't allow access to either email or billing is a waste of time/effort."

If the attacker is using CPU cycles, they represent little/no threat. A powerful GPU, or multiples thereof... now they're a risk. You'd be mistaken in believing that breaking a password, even if it doesn't immediately provide access to something more useful, is a waste of time or effort. People choose poor passwords; we know this. They'll stick to common trends... caps at the start, DOBs at the end, special-char replacements for numbers et al. If we know how a user chooses passwords, we don't need to know their password.

The facts & figures are here: http://community.virginmedia.com/t5/Security-matters/VM-Password-Security-Some-facts-amp-figures/m-p...

TL;DR - 10 isn't great, but it's sufficient if chosen correctly.

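The disagreement between Message 7 (rate limiting and IP blocking as mitigating factors) and Message 8 (an attacker holding the hashes is limited only by their own hardware) comes down to which attack model you are in: online guessing against a live login, or offline guessing against a leaked hash database. The following Python is an added worked example, not code from this thread or from Virgin Media. It models the policy described in Message 1 (letters and digits only, 7-10 characters, optionally must start with a letter) as a back-end style validator, computes the exact keyspace, and compares how long exhausting that keyspace would take under the two models. Every guess rate in it is a constructed assumption chosen for illustration, not a measurement of any real system.

```python
"""Keyspace and guess-time model for password policies (added example, not from
the forum thread). Guess rates are constructed assumptions for illustration."""
import string
from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600

ALNUM = string.ascii_letters + string.digits          # 62 symbols
PRINTABLE = ALNUM + string.punctuation                # 94 symbols


@dataclass(frozen=True)
class Policy:
    """A password policy: allowed characters, length bounds, optional first-letter rule."""
    name: str
    charset: str
    min_len: int
    max_len: int
    first_char_letters_only: bool = False

    def keyspace(self) -> int:
        """Exact number of distinct passwords the policy permits."""
        n_chars = len(self.charset)
        n_first = (sum(c.isalpha() for c in self.charset)
                   if self.first_char_letters_only else n_chars)
        return sum(n_first * n_chars ** (n - 1)
                   for n in range(self.min_len, self.max_len + 1))

    def validate(self, password: str) -> bool:
        """What the back end would accept; says nothing about whether the password is good."""
        if not self.min_len <= len(password) <= self.max_len:
            return False
        if any(c not in self.charset for c in password):
            return False
        if self.first_char_letters_only and (not password or not password[0].isalpha()):
            return False
        return True


# Policies: the legacy one described in Message 1, and a hypothetical longer one.
VM_LEGACY = Policy("legacy: letters+digits, 7-10 chars", ALNUM, 7, 10)
VM_LEGACY_LETTER_FIRST = Policy("legacy, must start with a letter", ALNUM, 7, 10, True)
MODERN = Policy("hypothetical: any printable ASCII, 15-64 chars", PRINTABLE, 15, 64)

# Constructed guess rates (assumptions, not measurements).
GUESS_RATES = {
    "online login, rate-limited": 10.0,            # a few attempts/s before lockout
    "offline, fast unsalted hash on GPUs": 1e10,   # leaked fast hashes, many GPUs
    "offline, slow KDF (bcrypt/scrypt class)": 1e4,
}


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried. The expected time is about half of this."""
    return keyspace / guesses_per_second


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def compare(policies, rates=GUESS_RATES):
    """{policy name: {rate label: years to exhaust the keyspace}}."""
    return {p.name: {label: years(seconds_to_exhaust(p.keyspace(), rate))
                     for label, rate in rates.items()}
            for p in policies}


if __name__ == "__main__":
    for policy in (VM_LEGACY, VM_LEGACY_LETTER_FIRST, MODERN):
        print(f"{policy.name}: keyspace 2^{policy.keyspace().bit_length() - 1}")
    for name, row in compare([VM_LEGACY, VM_LEGACY_LETTER_FIRST, MODERN]).items():
        print(name)
        for label, yrs in row.items():
            print(f"  {label:40s} {yrs:12.3g} years")
    print(VM_LEGACY.validate("abc1234"), VM_LEGACY.validate("abc!234"))
```

Under these assumed rates the 7-10 character alphanumeric space is out of reach through a rate-limited login (tens of thousands of years) but takes hours on a GPU rig against a fast unsalted hash, which is exactly the point Message 8 makes; the slow-KDF row shows that the server's choice of hash matters more to the offline case than anything the user can do inside a 10-character limit. The validator is the "back end will still reject them" check from Message 4: it describes what the policy permits, not what users actually pick.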