on 06-04-2022 15:55
I see now the IT media is picking up on Virgin's ancient insecure password policy that explicitly puts customers at risk and explicitly does NOT follow modern IT standards.
See
https://www.theregister.com/2022/03/10/virgin_media_email_password_security/
Mandating that customers must use insecure short passwords - and can't use 32 character passwords (of any type of character). And if this ( https://twitter.com/virginmedia/status/1162756227132198914?s=21 ) from 2019 is still true and they are not salting/hashing the passwords this is just a disaster waiting to happen.
on 08-04-2022 20:14
As with most Register articles, 99% of the real value is in the readers' comments. Dig down, and you'll find out that on its own, ten characters is just fine unless VM have poor security elsewhere, and even then the topology (pattern, if you like) of the password is usually of greatest importance. Obviously if VM have poor security elsewhere then you're stuffed, regardless.
For those with the stamina and baseline understanding to grasp the content, read this, (shamelessly reposted from the user comments) and extract from it the elements that are important to you. If you like complex stuff as I do, it's a great read.
For those who look for the security of TL;DR, then random passwords are exceptionally difficult to crack, even with short lengths. Your mission, should you choose to accept it, is to use Excel to generate a random 10 character password, and then reset your VM password to that.
on 09-04-2022 01:51
General Linux bash code to generate passwords, adjust to what you want;
#!/bin/bash
num=10   # how many passwords to print
len=20   # characters per password (letters and digits only)
echo " "
while [ "$num" -gt 0 ]
do
  # take $len random alphanumerics from /dev/urandom, then put a '-' in front of every 5-character group after the first
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len" | sed -e 's/...../-&/2g'
  echo " "
  echo " "
  num=$(( num - 1 ))
done
on 13-04-2022 12:06
While I would agree there is an interesting debate in the comments, the article itself still raises valid points and concerns. For instance, if they are storing passwords in plain text and not salting/hashing then that is a glaring hole in their internal security that could be compromised. Short random passwords are generally frowned upon by most governed and industry standard guidance and enforcing them is often symbolic of poor underlying coding. For instance, an unnecessary restriction on a DB table column. With a suitable GPU cloud setup it would be quite possible to break an 8 character password in hours. And it has been shown that psychologically random passwords are hard for humans to remember compared to long phrases (which by their very nature are impossible to crack).
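Added example (Python, not from any post in this thread): it puts numbers on the 8-, 10- and 32-character claims made above. It generates a password in the same 62-character, hyphen-grouped layout as the bash snippet, but with the `secrets` CSPRNG, and computes the keyspace, entropy and expected offline brute-force time. The guess rate of 10^10 per second is an assumption standing in for a "GPU cloud setup" against an unsalted fast hash; a proper slow KDF would cut that rate by orders of magnitude.

```python
import math
import secrets
import string

# The 62-character alphabet the bash snippet draws from (A-Z, a-z, 0-9).
ALPHABET = string.ascii_letters + string.digits
# ASSUMPTION: a fast-hash GPU rig; not a figure from the thread.
ASSUMED_GUESSES_PER_SECOND = 1e10


def generate_password(length: int = 10, group: int = 5, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from `alphabet`, with a '-' before every
    `group`-character block after the first (same layout as the bash snippet)."""
    raw = "".join(secrets.choice(alphabet) for _ in range(length))
    return "-".join(raw[i:i + group] for i in range(0, length, group))


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of equally likely passwords. Fixed-position separators add nothing."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def average_crack_seconds(length: int, alphabet_size: int = len(ALPHABET),
                          rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time for an exhaustive offline search: half the keyspace.
    Only applies if the attacker already holds the stored hash (or the
    plaintext, in which case no search is needed at all)."""
    return keyspace(length, alphabet_size) / 2 / rate


def describe(length: int) -> str:
    secs = average_crack_seconds(length)
    return (f"{length} chars: {entropy_bits(length):.1f} bits, "
            f"~{secs / 3600:.1f} h / ~{secs / (86400 * 365):.2g} years")


if __name__ == "__main__":
    print(generate_password())
    for n in (8, 10, 32):
        print(describe(n))
```

At the assumed rate, 8 random characters fall in about three hours, while 10 characters already take over a year and 32 characters are far beyond any brute-force budget.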