New VM email re:data breach - Password strength

Just received another email about the data breach and in there it is advised to make sure a strong password is used. Trouble is, VM only allow 8-10 characters and you don't allow special characters, only letters and numbers.

In the link you give on "How to create a strong password", that page says "The longer the password is, the less likely it is that someone else will be able to guess it or otherwise find out what it is." so why only allow up to 10 characters and only letters and numbers?

Come on guys, this data breach should be a MASSIVE wakeup call for VM and you MUST start tightening your security which includes changing your antiquated password limits!

With apps like Lastpass and Dashlane, they can generate very secure passwords but VM can't handle them! This is not good!

Are there any plans to improve the password policy with our VM logins?

Daz

Re: New VM email re:data breach - Password strength

Hello

I understand where you are coming from, but that is still a lot of passwords ("839,299,365,868,340,224"), and it would take over a million years to crack with current technology. Have a look at https://www.betterbuys.com/estimating-password-cracking-times/ for educational purposes.

Regards Mike

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media.

Re: New VM email re:data breach - Password strength

The only "recent" breach I know about didn't include passwords.  There was one (Virgin Media) in the past that allowed some account access without needing to log in (View Contacts, and Send emails).

10 digits is ample as it should only be used to stop a brute force attack.  Mixing letters and numbers is ideal.

8c852A68E30 is really a strong password.

The TakeHome bit from the data breach is that as a data controller they should be doing better to manage their internal security.  Targeted phishing attempts possibly have gone up due to this breach, but I must admit I haven't seen any.  You will know they are targeted as they will use personal details beyond your email name.  There are mixed reports about what was possibly leaked.  Virgin said it was "names, home and email addresses and phone numbers".

But the research company found it was:

* Full names, addresses, date of birth, phone numbers, alternative contact phone numbers and IP addresses – corresponding to both customers and “friends” referred to the service by customers.
* Requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses. IMEI numbers associated with stolen phones.
* Subscriptions to the different aspects of their services, including premium components.
* The device type owned by the user, where relevant.
* The “Referrer” header taken seemingly from a users browser, containing what would appear to be the previous website that the user visited before accessing Virgin Media.
* Form submissions by users from their website.

It's hard to know how passwords are stored on VM servers too.  It's possible that stored passwords could go through multiple hashes, thus meaning that your password only needs to stop brute-force style attacks.  It's also possible that they are stored in plain-text, so no matter how unique your password is then it's able to be read by anyone with ease.  I would say that 10 is enough and you shouldn't worry about it.  I would highly doubt Virgin is not using a one-way salted hash, so if there ever was a theft of passwords then it would make things easier for someone to crack, but still time consuming (and costly).

If there ever was a huge theft of data (the password/key) then users with 10 digit passwords would have an extremely long time before those would generally be cracked.  Caveat - catdogmoon would be quite insecure leak or not.

----
I do not work for VM, but I would. It is just a Job.
Most things I say I make up and sometimes it's useful, don't be mean if it's wrong.
I would also make websites for them, because the job never seems to require the website to work.
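The search-space figures discussed in this thread, worked through as an added example (not part of any post and not Virgin Media's code): it counts the passwords an 8-10 character letters-and-numbers policy allows and converts that into worst-case exhaustive-search time. The guess rates and the 10,000-word dictionary size are assumptions chosen for illustration, not measurements.

```python
import string

ALPHABET_SIZE = len(string.ascii_letters + string.digits)  # 62: letters and numbers only
MIN_LEN, MAX_LEN = 8, 10            # length limits described in the first post
SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumed offline guess rates, for illustration only (not measurements).
ASSUMED_RATES = {
    "fast unsalted hash": 1e10,     # guesses per second
    "slow salted hash": 1e4,
}
ASSUMED_DICTIONARY_WORDS = 10_000   # assumed size of a common-word list


def keyspace(symbols: int, min_len: int, max_len: int) -> int:
    """Count the distinct strings of min_len..max_len characters."""
    return sum(symbols ** n for n in range(min_len, max_len + 1))


def word_keyspace(dictionary_size: int, words: int) -> int:
    """Count passphrases built by joining `words` dictionary words."""
    return dictionary_size ** words


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a constant guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def report() -> list:
    """Return (description, keyspace, {rate name: years}) for each case."""
    cases = {
        "random, exactly 10 chars": keyspace(ALPHABET_SIZE, MAX_LEN, MAX_LEN),
        "random, 8 to 10 chars": keyspace(ALPHABET_SIZE, MIN_LEN, MAX_LEN),
        "three dictionary words": word_keyspace(ASSUMED_DICTIONARY_WORDS, 3),
    }
    return [
        (name, space, {r: years_to_exhaust(space, g) for r, g in ASSUMED_RATES.items()})
        for name, space in cases.items()
    ]


if __name__ == "__main__":
    for name, space, years in report():
        print(f"{name}: {space:,} candidates")
        for rate, y in years.items():
            print(f"  {rate}: {y:,.6f} years to exhaust")
```

Under these assumed rates the 62^10 figure quoted in the second reply takes millions of years only against the slow salted hash and a few years against the fast one. The three-word case is smaller than even the 8-character random space, which is the point of the "catdogmoon" caveat.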