Note #12736

Virgin Media password form, requiring 8-10 characters

2004 called, @virginmedia. They asked me to remind you that maximum password lengths and prohibiting pasting makes your security worse, not better. @PWTooStrong

In more detail:

  • Why would you set an upper limit on security? It can’t be for space/capacity reasons because you’re hashing my password anyway in accordance with best security practice, right? (Right?)
  • Why would you exclude spaces, punctuation, and other “special” characters? If you’re afraid of injection attacks, you’re doing escaping wrong (and again: aren’t you hashing anyway?). Or are you just afraid that one of your users might pick a strong password? Same for the “starts with a letter” limitation.
  • Composition rules like “doesn’t contain the same character twice in a row” reflects wooly thinking on that part of your IT team: you’re saying for example that “abababab” is more-secure than “abccefgh”. Consider using exclusion lists/blacklists for known-compromised/common passwords e.g. with HaveIBeenPwned and/or use entropy-based rather than composition-based rules e.g. with zxcvbn.
  • Disallowing pasting into password fields does nothing to prevent brute-force/automated attacks but frustrates users who use password managers (by forcing them to retype their passwords, you may actually be reducing their security as well as increasing the likelihood of mistakes) and can have an impact on accessibility too.
  • Counterarguments I anticipate: (a) it’s for your security – no it’s not; go read any of the literature from the last decade and a half, (b) it’s necessary for integration with a legacy system – that doesn’t fill me with confidence: if your legacy system is reducing your security, you need to update or replace your legacy system or else you’re setting yourself up to be the next Marriott, Equifax, or Friend Finder Network.
  • It’s definitely not the first time you’ve been told. Get your act together.

7 comments

  1. Virgin Media Virgin Media says:

    Hi there. Can we help you with anything on here at all? ^PD

    Read more →

  2. Virgin Media Virgin Media says:

    Hi there. Can we help you with anything on here at all? ^PD

  3. Dan Q Dan Q says:

    Just pass on my tweet (or danq.me/2019/01/03/127…) to your technical team and get them to fix your password policy, because it’s really, really broken and you’re neddlessly weakening the security of you and your customers’ data as a result.

    Read more →

  4. Virgin Media Virgin Media says:

    Thank you for your feedback. More information on setting strong passwords can be found here virg.in/Zun ^PD

    Read more →

  5. Dan Q Dan Q says:

    Your advice on setting strong passwords is as outdated as your password policy. You need to fix that, too.

    Read more →

  6. Virgin Media Virgin Media says:

    Thank you for your feedback on this. We appreciate it ^PD

    Read more →

Reply here

Your email address will not be published. Required fields are marked *

Reply on your own site

Reply by email

I'd love to hear what you think. Send an email to b12736@danq.me; be sure to let me know if you're happy for your comment to appear on the Web!