Andyjenk2
Message 1 of 16

VM password strengths

If someone has hacked your VM email password, which is only a max of 10 alphanumeric characters, then in most cases they tell any site that they have forgotten your password and they will send you a link to change the password. So it does not matter how long or complicated your passwords are; they are only as strong as your email password. I told Virgin Media this over a year ago and they dismissed it as not a problem. 10 alphanumeric characters is ludicrous with modern technology.

I call it criminal neglect on the part of VM.

Superuser
Message 2 of 16

Re: VM password strengths

@ModTeam - Can we get this raised to security for review? I actually agree with this statement. IMHO so long as the user is using characters from the ASCII printables (ASCII codes 32 - 126) then the password should be valid and shouldn't cause any issues, so there is no viable excuse to only allow alphanumeric characters. Likewise the 10 character limit is archaic and should also be reviewed.

Tim

Community Lead
Message 3 of 16

Re: VM password strengths

Ensuring customer data is secure is of utmost importance to us and we continually invest in our security systems to keep our customers safe online.

In common with every other company, our login process requires customers to use unique passwords using a variety of characters. Additional technical controls and anti-fraud measures defend against unauthorised login attempts.

Our engineers regularly review our systems and carry out updates - increasing password length and complexity is a priority.

More information on setting strong passwords can be found here: http://virginmedia.com/strongpassword


PaulMoore
Message 4 of 16

Re: VM password strengths

Trouble is James, the advice on http://virginmedia.com/strongpassword is appalling.

1.  be between 8 and 10 characters long
Would prefer to see 12 as a minimum, but 10 isn't bad.

2.  begin with a letter
Reduces entropy, but I appreciate this is a legacy requirement.

3.  consist of only letters and numbers (no special character like #&@*)
Again, special chars would be better but it's possible to make a very strong 10 character, mix-alphanumeric password.

4.  contain at least one number
Good.

"For example, instead of writing the letter 'S', you could use the number 5, which looks very similar. The same applies for other letter and number combinations. Here are some more examples."

In reality, this offers no additional protection whatsoever.

Ultimately, if you allow your password manager to choose a truly random, 10-character mix-alphanumeric password (providing 62^10), you already have a very strong password capable of withstanding modern hash cracking rigs for months (even with antiquated hashing algos); generic PCs with single GPUs would take decades.  It really isn't as insecure as it first appears... if we ignore the lack of hashing at Virgin Media.
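
The keyspace figures behind this comparison can be counted exactly. The Python below is an added example, not part of any post in this thread: it counts the passwords permitted by the four published rules quoted above and compares them, in bits, with an unconstrained 62-character alphabet and with the printable-ASCII range suggested in message 2. The 16-character row is an illustrative assumption.

```python
import math

LETTERS, DIGITS = 52, 10   # a-z and A-Z, 0-9
PRINTABLE_ASCII = 95       # ASCII codes 32-126, the range suggested in message 2


def policy_count(length, letters=LETTERS, digits=DIGITS):
    """Passwords of exactly `length` characters that satisfy the published
    rules: letters and numbers only, first character a letter, at least one
    number. Because the first character is a letter, the number must sit in
    one of the other length-1 positions: every string over the full alphabet
    there, minus the strings made of letters only."""
    alnum = letters + digits
    rest = length - 1
    return letters * (alnum ** rest - letters ** rest)


def free_count(length, alphabet):
    """Passwords of exactly `length` characters with no composition rules."""
    return alphabet ** length


def bits(count):
    """Size of a search space in bits (log2 of the number of candidates)."""
    return math.log2(count)


def report():
    rows = [
        ("published rules, 10 chars", policy_count(10)),
        ("published rules, 8-10 chars", sum(policy_count(n) for n in (8, 9, 10))),
        ("any alphanumeric, 10 chars", free_count(10, LETTERS + DIGITS)),
        ("printable ASCII, 10 chars", free_count(10, PRINTABLE_ASCII)),
        # Illustrative assumption: what a higher length limit would allow.
        ("any alphanumeric, 16 chars", free_count(16, LETTERS + DIGITS)),
    ]
    return [(label, count, round(bits(count), 2)) for label, count in rows]


if __name__ == "__main__":
    for label, count, b in report():
        print(f"{label:30s} {count:.3e}  {b:6.2f} bits")
```

These figures describe uniformly random passwords only; a password a person chooses is drawn from a far smaller set than the rules permit.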

Superuser
Message 5 of 16

Re: VM password strengths

That password advice is neither enforced nor is it present on the password change web page; for instance, a user can set their password to be their username plus padding – a password of <username>123 is “Good” and <Username>123 is “Strong”. Simply enforcing the password advice would help to reduce the risk users face whilst a robust solution to the problem is sought; I cannot understand why this was not done during those regular reviews and updates.

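
Enforcing the published rules at password-change time, as message 5 suggests, might look like the following. This is an added example, not Virgin Media's code or anything posted in the thread; the function name, the username check and the substitution table (beyond the S/5 pair quoted in message 4) are assumptions.

```python
import re

MIN_LEN, MAX_LEN = 8, 10   # limits quoted in message 4

# Look-alike digits folded back to letters before the username comparison.
# Only the S/5 pair is quoted in the thread; the other pairs are constructed.
LOOKALIKES = str.maketrans(
    {"5": "s", "0": "o", "1": "i", "3": "e", "4": "a", "7": "t"}
)


def _fold(text):
    """Lower-case and undo look-alike substitutions."""
    return text.lower().translate(LOOKALIKES)


def policy_violations(password, username):
    """Return the rules this password breaks; an empty list means accepted."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be 8-10 characters")
    if not re.fullmatch(r"[A-Za-z0-9]*", password):
        problems.append("letters and numbers only")
    if not re.match(r"[A-Za-z]", password):
        problems.append("must begin with a letter")
    if not re.search(r"[0-9]", password):
        problems.append("must contain at least one number")
    # Not one of the four published rules: reject username-plus-padding,
    # the case message 5 reports being rated "Good" or "Strong".
    if username and _fold(username) in _fold(password):
        problems.append("must not contain the username")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "jsmith" is a made-up username.
    for candidate in ("jsmith123", "Jsmith123", "J5mith123", "k3Qz8Lw2pT"):
        print(candidate, policy_violations(candidate, "jsmith"))
```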
cybmole
Message 6 of 16

Re: VM password strengths

Surely you don't believe that BS about regular engineer reviews and increasing length being a priority?

I publicly challenge James to post the date of the last such review and a summary of the security improvements plus their implementation date.

We have had the 8-to-10 maximum character rule for years.

Andyjenk2
Message 7 of 16

Re: VM password strengths

Some suggestions for improving password security.

What follows is belt and braces but you can tailor it as you like.

1. Set up an email account with another provider which allows long and complex passwords. Use that when you register on a website so any reminders go there. You can use it solely for this purpose if you wish.

2. Create a text file on a USB stick (you can get micro USB adapters). You probably have plenty of low capacity ones lying around.

3. With the internet DISCONNECTED add your passwords for each web site to this document.

They can be as long and complex as the website allows.

4. Encrypt the text file (plenty of free software to do this).

5. Use a MEMORABLE password for this file. A good place to store a reminder is to send it in an email to you from another of your email addresses.

6. Create a backup USB stick and store it in a safe place.

7. Remove the USB stick.

8. Reconnect the internet.

9. When you need to input a password, disconnect the internet, insert the USB stick, decrypt the file and copy the appropriate password, detach the USB stick, reconnect the internet and paste in the password.

10. DO NOT LET ANY BROWSER REMEMBER YOUR PASSWORD.

11. You can carry the USB stick in pocket or purse. It is no good to anyone without one of your devices.

12. Unless you lose or damage your USB sticks you should never need to say you have forgotten your password.

This way only one password is ever exposed to the internet at a time. Because it is copy and paste no keystroke recorders can detect it.

I admit it is overkill but I know of no other way to guarantee your passwords are safe.

P.S. You can use a spreadsheet instead of a text file.

SD cards are OK but more likely to be lost.

It's a great way to make use of your old low capacity USB Sticks.

Store Bank account, credit and debit numbers etc. and personal details in the file or another encrypted file.

If anyone has a better alternative, please share.

cybmole
Message 8 of 16

Re: VM password strengths

Er... you never heard of LastPass and other similar products? They do that, without the hassle of you carting a USB stick about.

And with your method, what's the fallback when that USB stops working? That happens.

The one sensible answer is to never use Virgin e-mail for commercial website logins. Get Gmail or similar with two step authentication and shop with that.

Andyjenk2
Message 9 of 16

Re: VM password strengths

Er... Lose your device and they can crack your data. If it is on USB and not attached to your device there is no way in hell they can crack it. It is NOT THERE.

Er... 6. Create a backup USB stick and store it in a safe place. What's the fallback when WHEREVER your passwords are stored stops working? That happens.

It depends on the two step authentication. If it is a phone call and you have lost your phone you cannot reply to it. What happens then? People with Gmail and long complex passwords either have excellent memories or store the password somewhere - usually on the device. Passwords entered by keystroke can be recorded with a keystroke logger.

Superuser
Message 10 of 16

Re: VM password strengths

Andyjenk2 wrote:

 Passwords entered by keystroke can be recorded with a keystroke logger.

Keystroke loggers can also record what is on your clipboard and a lot more; see the Wikipedia article, Keystroke logging, related features.

BTW, some password managers can be run directly from a USB key.
