Joining in
Message 1 of 4

Virginmedia account passwords limit is low strength

Given the recent data breach giving the world a list of VM accounts, will VM be changing its accounts to allow passwords longer than 10 characters without the limitation of only letters and numbers?

Passwords under 12 characters are generally seen as medium to low strength in the cyber industry and other web sites. The limitation of only letters and numbers makes VM passwords of 10 characters equivalent to 9 or 8 characters with the full set available. This is low strength on most other sites.

Very Insightful Person
Message 2 of 4

Re: Virginmedia account passwords limit is low strength

Changing the requirement to a bazillion characters and requiring a mix of ancient Aramaic and Klingon won't help if they leave your data unsecured on the internet for all to see. Which is what they did.

As a Very Insightful Person, I'm here to share my knowledge. I don't work for Virgin Media.

Joining in
Message 3 of 4

Re: Virginmedia account passwords limit is low strength

True if they had lost the passwords. The VM announcement was that the ID was lost but not the passwords. The ID gives a hacker something to go for - at which point password complexity becomes important.

Very Insightful Person
Message 4 of 4

Re: Virginmedia account passwords limit is low strength

No it doesn't.

Password "strength" by increasing character length is only relevant if you have the Dbase and want to brute force passwords or hashes offline. Better to increase entropy by allowing different characters, rather than increasing length, in most cases. Add in, say, negating against known breached passwords, you got a securish system with 10 characters.

The other attack you allude to, having enough details to do spear phishing, is far more relevant in the case of this breach.

Add in the fact that different VM logins have different requirements, and that there are other factors (rate limiting for one) in play, and you have fairly strong resistance to brute forcing.

That leaves social engineering as the likely attack vector - which pretty much makes password length, entropy or whatever an irrelevance.

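The trade-off argued over in this thread (length versus character set, online versus offline guessing, and a breached-password denylist), worked through as an added example that is not part of any post. The 95-character "full set", both guess rates and the denylist entries are assumptions constructed for illustration.

```python
import math

ALNUM = 62       # a-z, A-Z, 0-9: the "letters and numbers" limit described in the thread
PRINTABLE = 95   # assumption: "full set" means printable ASCII

# Assumed guess rates, for illustration only (not figures from the thread).
ONLINE_RATE = 10 / 3600   # rate-limited login form: 10 guesses per hour
OFFLINE_RATE = 1e10       # guesses per second against a stolen hash database

# Constructed sample denylist standing in for a breached-password corpus.
BREACHED = {"password12", "qwerty1234", "letmein123"}

def keyspace_bits(charset: int, length: int) -> float:
    """Bits of entropy of a uniformly random password."""
    return length * math.log2(charset)

def equivalent_length(bits: float, charset: int) -> float:
    """Length needed in `charset` to reach the same `bits` of entropy."""
    return bits / math.log2(charset)

def years_to_guess(bits: float, rate: float) -> float:
    """Expected years to hit a random password (half the keyspace) at `rate` guesses/s."""
    return (2 ** bits / 2) / rate / (365.25 * 24 * 3600)

def check_password(pw: str, max_len: int = 10) -> list[str]:
    """Reasons a password is rejected: the thread's 10-char alphanumeric rule plus a denylist."""
    problems = []
    if len(pw) > max_len:
        problems.append("too long")
    if not (pw.isascii() and pw.isalnum()):
        problems.append("letters and numbers only")
    if pw.lower() in BREACHED:
        problems.append("known breached password")
    return problems

if __name__ == "__main__":
    bits = keyspace_bits(ALNUM, 10)
    print(f"10 alphanumeric characters: {bits:.1f} bits")
    print(f"same strength in printable ASCII: {equivalent_length(bits, PRINTABLE):.2f} characters")
    print(f"online, rate limited: {years_to_guess(bits, ONLINE_RATE):.2e} years")
    print(f"offline against hashes: {years_to_guess(bits, OFFLINE_RATE):.2f} years")
    print("Password12 ->", check_password("Password12"))
```

These figures hold only for randomly generated passwords; a human-chosen password that passes the length and character rules can still sit on a breached list, which is what the denylist check catches.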