I have a handful of passwords I use for different types of services, all of them either have punctuation, or are longer than 10 characters. I have to invent a new one just for Virgin Media, I won't be able to remember it, so I'll have to write it down somewhere.
I agree that passwords could be more secure. For the vast majority of users, simplicity is better which is why we've set the limitations where we have. I'll send your feedback up and see if we can allow more complexity.
As a matter of fact, fewer rules for a password means less complexity, not more.
Here are two password policies:
A) 8 to 10 characters; letters and numbers only; no spaces; first character a letter
B) at least 8 characters
A) is what the OP claims to be VM's policy (I haven't checked whether this is accurate). B) is clearly much simpler. It is also more secure. Let me explain why.
Firstly, the removal of an upper limit allows longer passwords, and longer passwords are harder for an adversary to guess, all else being equal. Secondly, ANY restriction on the characters allowed in the password reduces the keyspace that has to be searched by an adversary. (Rules 2, 3, and 4 all fall foul of this fact.)
A wise person will choose a password that is hard to guess but easy to remember. Making up such passwords is not difficult. For example, one can choose a 'passphrase' - an expression or quotation or truism that one, say, remembers from schooldays - and then apply transformations to it in a way that is easy to recall. Here is a worked example from my schooldays. It's a Shakespeare quote from Julius Caesar, Act 1 scene ii.
The fault, dear Brutus, is not in our stars
But in ourselves, that we are underlings.
Now, that's not the password. We start by saying this is a quote from Shakespeare. The quote mark is ', so we'll start with 'WS (for 'quote William Shakespeare').
Then we take all the capitalisation and punctuation into account and use the first letter of each word, replacing any newline characters with spaces:
That's not a bad password in itself, but we can improve it by replacing the s (for 'stars') with ** (a couple of stars), giving:
That is obviously not a password I use, and simply because I've posted it here it isn't a password you should use either, but it's a good example of how to devise a secure password.
It's easy to remember (if you remember the passphrase). It's hard to guess. It contains no actual words (and thus is not subject to a dictionary attack). It doesn't bother with the somewhat obvious hack of changing i to 1 or o to 0, although of course it could, because that doesn't actually improve security unless you're using actual words (which you shouldn't).
Let's look at which VM rules it breaks:
1) it's longer than ten characters;
2) it contains non-alphanumeric characters;
3) it contains a space;
4) the first character is not a letter.
Oh, all of them.
Now, it looks complicated, I grant you. But to someone who knows how it was derived, the complexity is superficial. It is only really complicated if you don't know how it was derived.
Which is more secure? Well, let's take VM's rules and see how long it would take to brute-force them, assuming 10 alphanumeric characters starting with a letter. We will be charitable and assume VM distinguishes letter case. There are therefore 52*62^9=700,000 million million combinations. At a million crack attempts per second, this would take 22,000 years to brute force, which seems like plenty, doesn't it? The password I cite above has 25 characters, each chosen from 95 printable characters, which gives us 95^25 = well over 27 million million million million million million million million combinations (which would take 879,000 million million million million million years to brute-force). That's 40 million million million million million times as secure.
(In practice, adversaries don't bother with brute-forcing the entire keyspace. Most adversaries would content themselves with a dictionary attack, which would probably work against most current VM customer passwords.)
What is the impact on VM of simplifying their simple system to be truly simple? Well, that's easy - they can just REMOVE some validation rules and they're done. Any programmer claiming this is difficult needs to be redeployed, perhaps as a ticket inspector on VT.
What is the impact on customers? For people who just want a password like MYCATSOOTY the impact is... ZERO. It doesn't make their lives any more complicated at all. (Nor does it make their password particularly secure, but that's their choice, and that password is already allowed by VM's current rules.) In fact it makes their lives simpler, because "at least eight characters" is easier to understand than "at least eight characters, no more than ten, no spaces, letters and numbers only, first character a letter".
For people who actually want a secure password of their own choosing, the impact is very positive. They could have such a password at last.
VM say that more rules mean more simplicity. They are wrong. More rules mean less simplicity and less security.
(Ernie: before you start... :-) this is actually my field and I DO know what I'm talking about on this occasion!)
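As an added worked example (my own code, not part of any post in this thread), the Python below mechanises the two technical points of the post above: the passphrase-to-password recipe (first letter of each word, punctuation kept with its word, newline to space, 'WS prefix, the 's' of 'stars' swapped for '**') and the keyspace arithmetic for the two policies. The quotation is constructed inline, the rule numbering follows the post's list of four, and the assumption that each word's punctuation is kept next to its initial is mine; with that assumption the derived string comes out at the 25 characters the post quotes.

```python
"""Passphrase-derivation recipe and keyspace comparison for the two password policies.

Added example; not code from the original thread or from Virgin Media.
"""
import string
from typing import Dict, Optional, Set

# Constructed input: the quotation the post uses (Julius Caesar, Act 1 scene ii).
PASSPHRASE = (
    "The fault, dear Brutus, is not in our stars\n"
    "But in ourselves, that we are underlings."
)

LETTERS = 52      # a-z plus A-Z (the post assumes case is significant)
ALNUM = 62        # letters plus digits
PRINTABLE = 95    # printable ASCII, the alphabet the post uses for its own password


def derive_password(passphrase: str, prefix: str = "'WS",
                    swaps: Optional[Dict[str, str]] = None) -> str:
    """Apply the post's recipe to a passphrase.

    For every word keep its initial letter plus any punctuation attached to it
    (assumption: punctuation stays with its word), join the words of one line
    with nothing, join lines with a single space (newline -> space) and prepend
    `prefix`.  `swaps` maps a word to the string that replaces its initial; the
    post swaps the 's' of 'stars' for '**' (a couple of stars).
    """
    swaps = {"stars": "**"} if swaps is None else swaps
    lines_out = []
    for line in passphrase.splitlines():
        tokens = []
        for word in line.split():
            bare = word.strip(string.punctuation)          # the word itself
            punct = "".join(c for c in word if c in string.punctuation)
            initial = swaps.get(bare, (bare or word)[0])   # e.g. "fault," -> "f,"
            tokens.append(initial + punct)
        lines_out.append("".join(tokens))
    return prefix + " ".join(lines_out)


def policy_a_violations(pw: str) -> Set[int]:
    """Rule numbers of policy A (as the post lists them) that `pw` breaks.

    1) 8 to 10 characters  2) letters and numbers only
    3) no spaces           4) first character a letter
    """
    broken = set()
    if not 8 <= len(pw) <= 10:
        broken.add(1)
    if any(not c.isalnum() and c != " " for c in pw):
        broken.add(2)
    if " " in pw:
        broken.add(3)
    if not pw[:1].isalpha():
        broken.add(4)
    return broken


def policy_a_combinations(length: int = 10) -> int:
    """Keyspace of policy A at a fixed length: 52 choices for the first
    character, 62 for each of the rest (52 * 62**9 for ten characters)."""
    return LETTERS * ALNUM ** (length - 1)


def printable_combinations(length: int) -> int:
    """Keyspace of a password of `length` characters drawn from 95 printables."""
    return PRINTABLE ** length


def years_to_exhaust(combinations: int, guesses_per_second: float = 1e6) -> float:
    """Wall-clock years to try every combination at the given guess rate."""
    return combinations / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = derive_password(PASSPHRASE)
    print(f"derived password: {pw!r} ({len(pw)} characters)")
    print(f"policy A rules broken: {sorted(policy_a_violations(pw))}")
    print(f"policy A rules broken by MYCATSOOTY: {sorted(policy_a_violations('MYCATSOOTY'))}")
    a = policy_a_combinations(10)
    b = printable_combinations(len(pw))
    print(f"policy A, 10 chars: {a:.3g} combinations, {years_to_exhaust(a):.3g} years at 1e6/s")
    print(f"25 printable chars: {b:.3g} combinations, {years_to_exhaust(b):.3g} years at 1e6/s")
    print(f"ratio: {b / a:.3g}")
```

The brute-force figures reproduce the post's numbers (about 22,000 years for policy A, roughly 4e31 times that for the 25-character password); note that the recipe's output depends entirely on the secrecy of the passphrase and the transformation, and, as the post says, a dictionary attack against an ordinary word-based password does not care about either keyspace figure.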
Totally agree with this. I came to these forums to find out why the password policy is so shockingly bad.
I think the general answers the staff have been given about keeping it simple is not really a valid base; surely giving people freedom to choose their password lengths and structure is going to reduce the amount of complexity.
I use a password manager to keep super secure logins safe but being forced to use one which is within such a tiny threshold, to me, is a big problem. Would be fairly simple to remove some of the rules validating input when people sign up for an account so should be reasonably quick to implement.
Really, really big issue and makes me wonder about the 'security' which is placed on the routers if this kind of mentality is being applied across the board.
Just recently signed up for Virgin Broadband, and trying to register on the Virgin Media site, to be confronted with this ridiculous nonsense of a password policy. Could not use any of my standard passwords (all of which exceed Virgin's complexity requirements).
Restricting maximum password length is just plain stupid.
Restricting the allowed character set is either lazy, or stupid, or both. (Lazy because it's sometimes easier to do this to prevent reserved characters in passwords breaking some storage or transmission protocols unless escaped while processing).
Enforcing the first letter to be an alphabet character is just plain bonkers... and makes absolutely no sense. Great gift to brute force hackers out there.
Finally consent to enter a disgustingly insecure password (in my opinion) to be able to access... then find I cannot sign in with the Pale Moon browser. Find out with some research that this is due to Virgin Media using an outdated encrypting scheme in its secure http protocol that is no longer allowed/supported by Pale Moon (and the latest version of the other major browsers). Looking in these forums, the response seems to be 'Meh... use an earlier browser version'.
This is a company I am meant to be entrusting my internet connection security to... and the security of my data on their site... and they have THIS approach to security?
It's been a bad start to the relationship, is all I can say...
Obviously everyone is right how poor this is, but I just discovered it's even worse...
I just phoned in, and was asked for several letters of my password for "security". So these low quality passwords are being stored clear rather than hashed. Double doh :-(
The password you're asked for on the phone is not in the same system or taken from the same data source as the one that's used for website sign in.
The password for the website cannot be accessed or seen within the agent systems. The only option agents have is to reset the website password to a new value once other security checks are passed. But even once this is done the new value is not displayed anywhere, even to the agent who has just reset it.
The password you're asked for on the phone is stored in plain text as it's used for contact verification and DPA compliance, i.e. it must be visible to agents so they can ask you to confirm it or part of it during a conversation. You're prompted for characters of this verification password within the automated phone system to use the automated tools within the phone system, and in place of being asked for the password by an agent if you then choose to speak to one.
So only if you've chosen to make these two passwords the same value are they the same. Even then an agent would not be aware that they are set the same unless you advise them of that fact.
********************************** I work for Virgin Media - but all opinions posted here are my own
It's just very, very sloppy programming and a very poor policy that takes almost no consideration of the need for complexity in passwords, I agree. The irony is that, to log into this forum, you need a complex password that will accept other characters and can be complex. Getting into your personal details (bank etc.), yeah, they don't give a monkey's about that. I find it a real struggle to think of non complex passwords on their systems.