tjure
Message 1 of 6

Password too long? Really!?

I'm trying to change my password on my VM account (my.virginmedia.com), and I can't use a password longer than 10 characters. Seriously!?

The current rules seem to be: 8-10 characters long, letters and numbers only, no spaces. First character must be a letter.

Sorry, but who invents these restrictions? Why put an upper limit to the password length at all?

And while I'm ranting, why is an email address with a plus character not accepted as valid?

Superuser
Message 2 of 6

@tjure wrote:

> I'm trying to change my password on my VM account (my.virginmedia.com), and I can't use a password longer than 10 characters. Seriously!?
>
> The current rules seem to be: 8-10 characters long, letters and numbers only, no spaces. First character must be a letter.
>
> Sorry, but who invents these restrictions? Why put an upper limit to the password length at all?

Search the Security matters board and you will see similar sentiments expressed along with suggested reasons for the limitation and mitigating argument.

> And while I'm ranting, why is an email address with a plus character not accepted as valid?

Where are you seeing this?

tjure
Message 3 of 6

@用心棒 wrote:

> Search the Security matters board and you will see similar sentiments expressed along with suggested reasons for the limitation and mitigating argument.

Ok, passwords passed along legacy systems, that explains it, but that doesn't make me feel any more secure, to be honest. I am specifying a separate password for each site (derived from a constant string and parts of the domain name), essentially to make it a bit more difficult using my username/password automatically on different sites after a security breach. When sites impose arbitrary limitations on the shape and form of the password then this makes it more difficult to come up with a scheme that works for most sites.

@用心棒 wrote:

> > And while I'm ranting, why is an email address with a plus character not accepted as valid?
>
> Where are you seeing this?

On the "My Profile" page (https://my.virginmedia.com/my-profile/view) in both the "Username and password" and the "Contact details" sections. When I specify a mail containing a plus sign, then the mail is not accepted. I don't get an error message, but the "Update" button simply has no effect. This might simply be a problem in the JavaScript validator, but effectively that makes it impossible to add a mail containing a '+' character.

Why would anyone want a plus sign in the address? See e.g. here: https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-more-from-your.html

cod
Message 4 of 6

The password requirements are dumb, particularly in this day and age. My passwords for all sites are 14 to 20 characters long, include numbers, upper and lower case letters, and special characters, and are randomly generated, and automatically changed every six months or so. I use a password management service, so even I don't know my passwords, other than my master one. My security challenge score is always compromised because I can't use a decent password on Virgin Media (short length, no special characters, has to start with a letter, etc).

The amusing (in an ironic way) thing is that Virgin say "At Virgin Media, we like to make sure we're keeping your info nice and secure" - and then they ask you to use a password that a brute force cracker should be able to uncover in a fairly short amount of time!

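As an added illustration (not code from any poster or from Virgin Media): the size of the password space under the rules reported in message 1, next to the 14 to 20 character generated passwords described in message 4. Case sensitivity and the 94-symbol printable-ASCII alphabet are assumptions; the thread states neither.

```javascript
// Exact count of passwords a composition policy admits, using BigInt.
// firstAlphabet / alphabet = number of symbols allowed in the first / later positions.
function keyspace({ minLen, maxLen, firstAlphabet, alphabet }) {
  let total = 0n;
  for (let n = minLen; n <= maxLen; n++) {
    total += BigInt(firstAlphabet) * BigInt(alphabet) ** BigInt(n - 1);
  }
  return total;
}

// Size of the space in bits: the upper bound on entropy of a random password.
function bits(count) {
  return Math.log2(Number(count));
}

// Rules as reported in the thread: 8-10 chars, letters and digits only,
// first character a letter. Case sensitivity is an assumption.
const REPORTED = { minLen: 8, maxLen: 10, firstAlphabet: 52, alphabet: 62 };
// Same rules if the backend folds case (also an assumption).
const REPORTED_FOLDED = { minLen: 8, maxLen: 10, firstAlphabet: 26, alphabet: 36 };
// Password-manager output: 14-20 chars from 94 printable ASCII symbols (assumed).
const GENERATED = { minLen: 14, maxLen: 20, firstAlphabet: 94, alphabet: 94 };

// The reported rules as a check, to see which candidate passwords they reject.
function allowedByReportedPolicy(pw) {
  return /^[A-Za-z][A-Za-z0-9]{7,9}$/.test(pw);
}

function compare() {
  return [
    ["reported policy", REPORTED],
    ["reported policy, case-folded", REPORTED_FOLDED],
    ["14-20 printable ASCII", GENERATED],
  ].map(([name, p]) => ({ name, bits: bits(keyspace(p)) }));
}

for (const row of compare()) {
  console.log(`${row.name}: about ${row.bits.toFixed(1)} bits`);
}
// Constructed sample: a 16-character generated password is rejected outright.
console.log(allowedByReportedPolicy("q7#Lm2!vX9@pRt4z"));
```
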

Superuser
Message 5 of 6

@tjure wrote:

> On the "My Profile" page (https://my.virginmedia.com/my-profile/view) in both the "Username and password" and the "Contact details" sections. When I specify a mail containing a plus sign, then the mail is not accepted. I don't get an error message, but the "Update" button simply has no effect. This might simply be a problem in the JavaScript validator, but effectively that makes it impossible to add a mail containing a '+' character.

Submitting the update results in a 500 Internal Server Error status; view web browser's network traffic in developer mode.

Whilst the plus sign is a valid symbol within the local part of an email address, how it is handled is dependent on the recipient's server; Virgin Media have chosen to handle it as a unique mailbox ID (see footnote) whereas Gmail treat it as a sub-address of the mailbox. @ModTeam is this something that is likely to be addressed given most customers probably stick with the default assigned Virgin Media email address?

Footnote
Sub-addressed emails are handled differently depending on point of origin, for example an email to richard.branson+fyi@virginmedia.com would be:

  • undelivered because mailbox richard.branson+fyi is unknown when sent via an email / webmail client
  • delivered to richard.branson's mailbox if sent via Virgin Media's webmail client

tjure
Message 6 of 6

@用心棒 wrote:

> Submitting the update results in a 500 Internal Server Error status; view web browser's network traffic in developer mode.
>
> Whilst the plus sign is a valid symbol within the local part of an email address, how it is handled is dependent on the recipient's server; Virgin Media have chosen to handle it as a unique mailbox ID (see footnote) whereas Gmail treat it as a sub-address of the mailbox. @ModTeam is this something that is likely to be addressed given most customers probably stick with the default assigned Virgin Media email address?

Oh thanks for checking the server response. I wonder if these types of errors are monitored in VM in the logs. :-)

If VM is going to allow the + sign in the local part of email addresses from non-VM domains, I strongly suggest treating it as a unique mailbox ID, and not as a sub-address, since it is impossible to establish from the outside whether a mail server treats the + character in an email address like Google or not.

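The plus-sign handling discussed in messages 3 to 6, as an added example that is not Virgin Media's code or any poster's: a validator that accepts `+` in the local part, and a comparison that keeps `user+tag` distinct from `user` as message 6 suggests. `STRICT_RE` is a constructed over-strict pattern of the kind that would produce the rejection described; all function names are hypothetical.

```javascript
// RFC 5322 "atext": characters allowed in an unquoted local part; '+' is one of them.
// Quoted local parts ("a b"@example.com) are deliberately not supported here.
const ATEXT = "A-Za-z0-9!#$%&'*+/=?^_`{|}~-";
const LOCAL_RE = new RegExp(`^[${ATEXT}]+(?:\\.[${ATEXT}]+)*$`);
const LABEL = "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?";
const DOMAIN_RE = new RegExp(`^(?=.{1,253}$)${LABEL}(?:\\.${LABEL})+$`);

// Constructed example of an over-strict form pattern: it has no '+' in the
// local-part character class, so valid sub-addressed mail is refused.
const STRICT_RE = /^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

// Split at the last '@' and validate both halves; returns null when invalid.
function parseEmail(addr) {
  if (typeof addr !== "string" || addr.length > 254) return null;
  const at = addr.lastIndexOf("@");
  if (at < 1) return null;
  const local = addr.slice(0, at);
  const domain = addr.slice(at + 1);
  if (local.length > 64 || !LOCAL_RE.test(local) || !DOMAIN_RE.test(domain)) {
    return null;
  }
  return { local, domain };
}

// Key used for storage and comparison. Only the domain is case-folded; the
// local part, including any "+tag", is kept verbatim, because the sending
// side cannot know whether the receiving server treats '+' as a sub-address.
function mailboxKey(addr) {
  const p = parseEmail(addr);
  return p ? `${p.local}@${p.domain.toLowerCase()}` : null;
}

function sameMailbox(a, b) {
  const ka = mailboxKey(a);
  return ka !== null && ka === mailboxKey(b);
}

// Constructed sample input.
console.log(STRICT_RE.test("user+tag@example.com"));                // false
console.log(parseEmail("user+tag@example.com"));                    // parsed
console.log(sameMailbox("user+tag@example.com", "user@example.com")); // false
```

The same check belongs on the server as well, so that a rejected address comes back as a validation error the form can display rather than a 500.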