Virgin Media’s Password Policy Is Probably Bad

10th July 2015

Passwords run our life nowadays.

We’ve become accustomed to password policies which have a minimum character limit (8 seems pretty standard), don’t let us have the same password as our username, don’t let the password be our name (depending on how much the system knows about you) and a host of other seemingly strange rules.

Most of these are in our best interest: your username can be public, for example, so don’t use it as your password unless you want people to get into your account. Suggested rules also tend to be things like don’t use your birthday or your child’s name, basically anything personal which can be guessed or mined out of your Facebook account.

Rules are important, but they should be to enhance security rather than limit it – Emma McCall, Security Consultant at A&O Corsaire

What companies do with your password can vary, but at the very minimum it should be salted and then hashed (salted: a word, phrase or random string is added to it; hashed: run through a one-way function that turns it into a garbage string which makes no sense to anyone, even you). When you try to log in, your password attempt goes through the same process and the result is compared against what the system has stored for you. This means that even if someone broke into the system and got hold of the stored value, they shouldn’t be able to do much with it, since your password is not stored in plain text (not stored as what you actually type in).

Virgin Media’s rules are slightly… off.

  • Maximum character limit of 10
    • Why? Surely they’re being hashed anyway, which turns them into fixed-size strings, so why does the size of what I put in matter? Also, why such a low limit? It’s well proven that the longer your password, the more difficult it is to crack; many experts recommend a minimum of 12 characters, and as computing power increases so does this number.
  • Numbers and letters only
    • Again, why? Limiting what characters the user inputs doesn’t increase security (unless they’re storing everything in plaintext and are worried about injection attacks… oh god, I hope not. That would mean they haven’t sanitised the input to make sure users can’t play havoc by entering code into the password box.)
  • Must start with a letter
    • Why? Again, it’s being hashed right? So your database doesn’t care what it starts with! RIGHT?!

As said before, rules are supposed to enhance security. These don’t appear to. Very complex rules make passwords harder to remember, and when they’re harder to remember, people either pick something easy to guess or they write them down. Also, the more restrictive rules you introduce, the fewer candidate passwords an attacker has to try, so you’re actually doing hackers a favour by telling them what they don’t need to waste their time guessing!
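To make the two arguments above concrete (that restrictive rules shrink the number of passwords worth trying, and that a salted hash is the same size however long the password is), here is an added Python example, not code from the original post or from Virgin Media. It encodes the three rules as described on this page; the comparison policy of 12 printable characters and the PBKDF2 iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import math
import string

# Character classes used by the rules (constructed for this example).
LETTERS = string.ascii_letters            # 52
ALNUM = LETTERS + string.digits           # 62
ALL_PRINTABLE = ALNUM + string.punctuation  # 94


def policy_allows(password: str) -> bool:
    """The three rules quoted on this page: 1..10 characters,
    letters and digits only, and the first character must be a letter."""
    if not 1 <= len(password) <= 10:
        return False
    if not all(c in ALNUM for c in password):
        return False
    return password[0] in LETTERS


def virgin_media_keyspace(max_len: int = 10) -> int:
    """Number of distinct passwords that policy_allows() would accept."""
    return sum(len(LETTERS) * len(ALNUM) ** (n - 1) for n in range(1, max_len + 1))


def unrestricted_keyspace(length: int, alphabet: str = ALL_PRINTABLE) -> int:
    """Number of passwords of exactly `length` with no positional rules."""
    return len(alphabet) ** length


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits, the usual way to compare policies."""
    return math.log2(keyspace)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salt-then-hash with PBKDF2-HMAC-SHA256 (assumed parameters). The digest is
    always 32 bytes, so storage does not need a cap on password length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check: hash the attempt the same way and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    print(f"Virgin Media rules: {bits(virgin_media_keyspace()):.1f} bits")
    print(f"12 printable chars: {bits(unrestricted_keyspace(12)):.1f} bits")
    print("passphrase allowed?", policy_allows("correct horse battery staple"))
```

Running it shows the quoted policy admits under 60 bits of possibilities while an unrestricted 12-character password admits over 78, and that a long passphrase the page would recommend is rejected outright.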

Be sensible with your passwords, and if the rules don’t seem to help you be secure, question why they’re there at all.

Virgin Media have been asked about their policy but they haven’t got back to anyone.