
Password Policies

rncross
On our wavelength

I see now the IT media is picking up on Virgin's ancient insecure password policy that explicitly puts customers at risk and explicitly does NOT follow modern IT standards.

See

https://www.theregister.com/2022/03/10/virgin_media_email_password_security/

Mandating that customers must use insecure short passwords - and can't use 32 character passwords (of any type of character). And if this ( https://twitter.com/virginmedia/status/1162756227132198914?s=21 ) from 2019 is still true and they are not salting/hashing the passwords, this is just a disaster waiting to happen.
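The post above asks whether the passwords are salted and hashed at all. The following is an added example for readers, not code from this thread or from Virgin Media (whose storage scheme is not public): it puts an unsalted SHA-256 store next to a per-record salted PBKDF2-HMAC-SHA256 store with constant-time verification. The iteration count, salt length, record format and the sample passwords are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example only; not any real provider's settings.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast digest, no salt.

    Two users with the same password get the same stored value, so a leaked
    table can be attacked with precomputed hashes and one crack applies to
    every account sharing that value. GPUs also test plain SHA-256 at very
    high rates, which is what makes short passwords cheap to exhaust.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow scheme: fresh random salt per record.

    The record carries scheme, iteration count, salt and derived key, so the
    cost can be raised for new records without invalidating old ones.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and cost, compare in constant time.

    Malformed records are rejected rather than raising, so a corrupt row
    cannot crash the login path.
    """
    try:
        scheme, iterations, salt_b64, dk_b64 = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two customers who happen to choose the same password.
    users = {"alice": "Tr0ub4dor&3", "bob": "Tr0ub4dor&3"}

    print("unsalted SHA-256 (identical rows reveal shared passwords):")
    for name, pw in users.items():
        print(f"  {name}: {unsalted_sha256(pw)}")

    print("salted PBKDF2 (rows differ even for the same password):")
    records = {name: hash_password(pw) for name, pw in users.items()}
    for name, rec in records.items():
        print(f"  {name}: {rec}")

    print("verify alice/correct:", verify_password("Tr0ub4dor&3", records["alice"]))
    print("verify alice/wrong:  ", verify_password("password1", records["alice"]))
```

The salt is what defeats shared precomputation and cross-account reuse of a crack; the iteration count is what drives the attacker's guess rate down, and it is the lever a site can turn as hardware gets faster.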

Andrew-G
Alessandro Volta

As with most Register articles, 99% of the real value is in the readers' comments. Dig down, and you'll find out that on its own, ten characters is just fine unless VM have poor security elsewhere, and even then the topology (pattern, if you like) of the password is usually of greatest importance. Obviously if VM have poor security elsewhere then you're stuffed, regardless.

For those with the stamina and baseline understanding to grasp the content, read this (shamelessly reposted from the user comments) and extract from it the elements that are important to you. If you like complex stuff as I do, it's a great read.

For those who look for the security of TL;DR, then random passwords are exceptionally difficult to crack, even with short lengths. Your mission, should you choose to accept it, is to use Excel to generate a random 10 character password, and then reset your VM password to that.

Tudor
Very Insightful Person

General Linux bash code to generate passwords, adjust to what you want:

#!/bin/bash
# num: how many passwords to print; len: characters in each one.
num=10
len=20

echo " "

while [ "$num" -gt 0 ]
do
    # Keep only A-Z, a-z and 0-9 from the kernel CSPRNG, stop after $len of them,
    # then put a dash in front of every 5-character group after the first
    # (GNU sed: the '2g' flag means "from the second match onwards").
    tr -dc A-Za-z0-9 < /dev/urandom | head -c "${len}" | sed -e 's/...../-&/2g'
    echo " "
    echo " "
    num=$(( num - 1 ))
done


Tudor
There are 10 types of people: those who understand binary and those who don't and F people out of 10 who do not understand hexadecimal c1a2a285948293859940d9a49385a2

rncross
On our wavelength

While I would agree there is an interesting debate in the comments, the article itself still raises valid points and concerns. For instance, if they are storing passwords in plain text and not salting/hashing then that is a glaring hole in their internal security that could be compromised. Short random passwords are generally frowned upon by most governed and industry standard guidance and enforcing them is often symbolic of poor underlying coding. For instance, an unnecessary restriction on a DB table column. With a suitable GPU cloud setup it would be quite possible to break a 8 character password in hours. And it has been shown that psychologically random passwords are hard for humans to remember compared to long phrases (which by their very nature are impossible to crack).