If someone has hacked your VM email password, which is only a max of 10 alphanumeric characters, then in most cases they tell any site that they have forgotten your password and the site will send a link to change the password. So it does not matter how long or complicated your passwords are, they are only as strong as your email password. I told Virgin Media this over a year ago and they dismissed it as not a problem. 10 alphanumeric characters is ludicrous with modern technology.
@ModTeam - Can we get this raised to security for review? I actually agree with this statement. IMHO, so long as the user is using characters from the ASCII printables (ASCII codes 32 - 126), the password should be valid and shouldn't cause any issues, so there is no viable excuse to only allow alphanumeric characters. Likewise the 10 character limit is archaic and should also be reviewed.
Only use Helpful answer if your problem's been solved.
Ensuring customer data is secure is of utmost importance to us and we continually invest in our security systems to keep our customers safe online.
In common with every other company, our login process requires customers to use unique passwords using a variety of characters. Additional technical controls and anti-fraud measures defend against unauthorised login attempts.
Our engineers regularly review our systems and carry out updates - increasing password length and complexity is a priority.
1. "be between 8 and 10 characters long": Would prefer to see 12 as a minimum, but 10 isn't bad.
2. "begin with a letter": Reduces entropy, but I appreciate this is a legacy requirement.
3. "consist of only letters and numbers (no special character like #&@*)": Again, special chars would be better, but it's possible to make a very strong 10 character, mixed-alphanumeric password.
4. "contain at least one number": Good.
"For example, instead of writing the letter 'S', you could use the number 5, which looks very similar. The same applies for other letter and number combinations. Here are some more examples."
In reality, this offers no additional protection whatsoever.
Ultimately, if you allow your password manager to choose a truly random, 10-character mixed-alphanumeric password (providing 62^10), you already have a very strong password capable of withstanding modern hash cracking rigs for months (even with antiquated hashing algos); generic PCs with single GPUs would take decades. It really isn't as insecure as it first appears... if we ignore the lack of hashing at Virgin Media.
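The keyspace arithmetic behind the post above, worked through as an added example (not code from any poster or from Virgin Media). It counts the passwords that satisfy the four quoted rules exactly (8 to 10 characters, first character a letter, letters and digits only, at least one digit), compares that with an unconstrained 62^10 pick, and then shows why the "write 5 instead of S" advice adds nothing: a cracking rule generates every look-alike spelling of a dictionary word in one pass. Letters are assumed case-sensitive (52 choices), and the two guess rates are assumed round figures for an unsalted fast hash, not measured numbers.

```python
"""Keyspace arithmetic for the password rules quoted in the thread.

Added example; not code from the original posts or from Virgin Media.
The guess rates are assumed round figures used only for illustration.
"""
from itertools import product
from math import log2

LETTERS = 52   # a-z and A-Z (assumes the policy is case-sensitive)
ALNUM = 62     # letters plus 0-9

# Assumed guesses per second against an unsalted fast hash.
RIG_RATE = 10**11   # multi-GPU cracking rig
PC_RATE = 10**9     # single consumer GPU


def policy_keyspace(min_len=8, max_len=10):
    """Passwords satisfying all four quoted rules: length in range, first
    character a letter, letters and digits only, at least one digit.
    The digit rule is applied by subtracting the letters-only strings."""
    total = 0
    for n in range(min_len, max_len + 1):
        starts_with_letter = LETTERS * ALNUM ** (n - 1)
        letters_only = LETTERS ** n
        total += starts_with_letter - letters_only
    return total


def bits(keyspace):
    """Entropy of a uniformly random choice from `keyspace` candidates."""
    return log2(keyspace)


def days_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at the given rate."""
    return keyspace / guesses_per_second / 86400


# Look-alike substitutions users are told to make (some are not even
# allowed under the alphanumeric rule, which is part of the point).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}


def leet_variants(word):
    """All spellings of `word` obtained by optionally replacing each letter
    with one of its look-alike characters."""
    choices = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    return {"".join(combo) for combo in product(*choices)}


def expand_wordlist(words):
    """Apply the substitutions to a whole wordlist, as a cracking rule does.
    Returns the full candidate set a cracker would try."""
    candidates = set()
    for w in words:
        candidates |= leet_variants(w)
    return candidates


if __name__ == "__main__":
    ks = policy_keyspace()
    print(f"policy keyspace:      {ks:.3e} ({bits(ks):.1f} bits)")
    print(f"unconstrained 62^10:  {ALNUM**10:.3e} ({bits(ALNUM**10):.1f} bits)")
    print(f"days to exhaust on assumed rig:   {days_to_exhaust(ks, RIG_RATE):.0f}")
    print(f"years to exhaust on one GPU:      {days_to_exhaust(ks, PC_RATE)/365:.0f}")
    # Constructed mini wordlist standing in for a real dictionary.
    sample = ["password", "sunshine", "letmein", "virgin"]
    expanded = expand_wordlist(sample)
    print(f"{len(sample)} words -> {len(expanded)} candidates after substitution")
    print("pa55w0rd is in the candidate set:", "pa55w0rd" in expanded)
```

The four rules remove only about half a bit of entropy from a random 10-character pick (about 59 bits either way), so the post's "months on a rig, decades on one GPU" estimate is right for a random password. The substitution advice is a different matter: "password" has 54 look-alike spellings, so a 100,000-word dictionary becomes a few million candidates, which is a fraction of a second at either rate.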
That password advice is neither enforced nor present on the password change web page; for instance, a user can set their password to be their username plus padding – a password of <username>123 is “Good” and <Username>123 is “Strong”. Simply enforcing the password advice would help to reduce the risk users face whilst a robust solution to the problem is sought; I cannot understand why this was not done during those regular reviews and updates.
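What enforcing the quoted advice on the change form would look like, as an added example that is not Virgin Media's code. The four rule checks mirror the quoted rules; the username check (which catches <username>123 and <Username>123, and also look-alike spellings such as al1ce123) and the common-password check are the additions the post above asks for. The COMMON set is a constructed stand-in for a real breached-password list, and the rule strings are this example's own wording.

```python
"""Password policy check that enforces the rules quoted in the thread and
rejects username-derived passwords.  Added example, not Virgin Media's code.
COMMON is a constructed stand-in for a real breached-password list."""
import re

COMMON = {"password", "password1", "qwerty123", "letmein1", "virgin123"}

# Map look-alike characters back to the letters they imitate so that
# "al1ce123" is still recognised as containing the username "alice".
UNLEET = str.maketrans("014357@$!", "oiaestasi")


def normalise(text):
    """Lower-case and undo common look-alike substitutions."""
    return text.lower().translate(UNLEET)


def password_problems(password, username, min_len=8, max_len=10):
    """Return the list of rules `password` breaks for `username`.
    An empty list means the password is accepted."""
    problems = []
    if not (min_len <= len(password) <= max_len):
        problems.append(f"length must be {min_len}-{max_len} characters")
    if not password[:1].isalpha():
        problems.append("must begin with a letter")
    if not re.fullmatch(r"[A-Za-z0-9]+", password):
        problems.append("letters and digits only")
    if not any(c.isdigit() for c in password):
        problems.append("must contain at least one digit")
    # The check the page says the change form lacks: username padding.
    user = normalise(username)
    if user and user in normalise(password):
        problems.append("must not contain the username")
    if password.lower() in COMMON or normalise(password) in COMMON:
        problems.append("too common")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the two from the post plus a random one.
    for candidate in ["alice123", "Alice123", "Al1ce2024", "kT7mQ2wz9b"]:
        verdict = password_problems(candidate, "alice") or ["accepted"]
        print(f"{candidate:12} {'; '.join(verdict)}")
```

Normalising both sides before the containment test is what makes the check useful: a case change or a 1-for-i substitution is exactly the kind of "padding" the post describes, and comparing raw strings would let it through.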
What follows is belt and braces but you can tailor it as you like.
1. Set up an email account with another provider which allows long and complex passwords. Use that when you register on a website so any reminders go there. You can use it solely for this purpose if you wish.
2. Create a text file on a USB stick (you can get micro USB adapters). You probably have plenty of low capacity ones lying around.
3. With the internet DISCONNECTED add your passwords for each web site to this document.
They can be as long and complex as the website allows.
4. Encrypt the text file (plenty of free software to do this).
5. Use a MEMORABLE password for this file. A good place to store a reminder is to send it in an email to you from another of your email addresses.
6. Create a backup USB stick and store it in a safe place.
7. Remove the USB stick.
8. Reconnect the internet.
9. When you need to input a password: disconnect the internet, insert the USB stick, decrypt the file and copy the appropriate password, detach the USB stick, reconnect the internet and paste in the password.
10. DO NOT LET ANY BROWSER REMEMBER YOUR PASSWORD.
11. You can carry the USB stick in a pocket or purse. It is no good to anyone without one of your devices.
12. Unless you lose or damage your USB sticks you should never need to say you have forgotten your password.
This way only one password is ever exposed to the internet at a time. Because it is copy and paste, no keystroke recorders can detect it.
I admit it is overkill but I know of no other way to guarantee your passwords are safe.
P.S. You can use a spreadsheet instead of a text file.
SD cards are OK but more likely to be lost.
It's a great way to make use of your old low capacity USB Sticks.
Store Bank account, credit and debit numbers etc. and personal details in the file or another encrypted file.
Er... Lose your device and they can crack your data. If it is on USB and not attached to your device there is no way in hell they can crack it. It is NOT THERE.

Er... 6. Create a backup USB stick and store it in a safe place. What's the fallback when WHEREVER your passwords are stored stops working? That happens.

It depends on the two-step authentication. If it is a phone call and you have lost your phone you cannot reply to it. What happens then?

People with Gmail and long complex passwords either have excellent memories or store the password somewhere - usually on the device.

Passwords entered by keystroke can be recorded with a keystroke logger.