Reg reader rages over Virgin Media's email password policy

No more than 10 alphanumerics, no special characters – in 2022?

A Register reader has raised concerns over UK ISP Virgin Media's password policies after discovering he couldn't set a password longer than 10 characters or one that includes non-alphanumeric characters.

Our reader Nick told us he was facing repeated attempts to take control of an email account he owns – adding that the company's password policy left him vulnerable to what he described as a sustained brute-forcing attack.

"I am having a running battle with a hacker who is able to crack a 10-character password used for Virgin or Virginmedia email in less than a day," Nick complained, saying the attacker was setting up auto-forward rules to divert his emails as well as being able to guess newly reset passwords within a day.

He added that Virgin's password policy enforced weak-by-design choices on him which made his apparent attacker's efforts easier: the ISP's email account policy wouldn't allow him to set a password longer than 10 characters; nor would it allow him to add two-factor authentication (2FA); the first character had to be a letter; and non-alphanumeric characters weren't allowed.

A spokesperson for the Liberty Global-owned telco told The Register: "Ensuring customer data is secure is of utmost importance to us and we continually invest in our security systems to keep our customers safe online. Our login process requires customers to use unique passwords using a variety of up to 10 characters, enhanced by additional technical controls and anti-fraud measures which defend against unauthorised login attempts. Our engineers regularly update our systems to improve security, with further improvements due to be implemented in the near future."

However, on its website we note that the company says users should "aim for 8 to 12 characters" and use "symbols… or special characters."

Nick is not alone in wondering what Virgin's up to with email account passwords. Last year someone posted on their customer support forum asking for help setting a password that would pass Virgin's systems, to be told: "We do advise to use a password between 6-10 characters long, including at least 1 number, 1 capital letter, 1 lower case letter and ensuring that it isn't your surname or first name."

Another customer wondered why he was restricted to "maximum of 10 alpha numeric characters lower or upper case", adding: "Why are no special characters and longer than 10 alpha numeric passqwords allowed?" [sic]

Similarly, a Redditor posted a thread titled "It's 2021 and VirginMedia only allows password 8-10 characters long, letters and numbers only" complete with a screenshot of the password page explaining the requirements.

Meanwhile, in 2019, the company's social media operatives were confident enough to say this about their password policy:

Britain's National Cyber Security Centre, an offshoot of GCHQ, has this advice about email account passwords:

Machine-generated passwords eliminate those passwords that would be simple for an attacker to guess. They require little effort from the user to create, and can produce passwords that are random and unique. However, most machine-generated passwords are very difficult for people to remember. For this reason, the NCSC recommend that they should be used with a password manager.

Machine-generated passwords in this day and age all come with options to set non-alphanumeric characters and in lengths of greater than 10 characters – none of which, it appears, would pass Virgin Media's requirements.

Back in 2015, Virgin had to shift itself off Gmail for consumer email accounts after the adtech monolith dropped support for ISP accounts. It's had problems in the past with security as well; in 2020, 900,000 customers' records were dumped online thanks to a poorly secured database. ®

Broader topics

Other stories you might like

  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Password recovery from beyond the grave
    Does your disaster recovery plan include a mysterious missive at a funeral?

    On Call Every disaster recovery plan needs to contain the "hit by a bus" scenario. But have you ever retrieved a password from beyond the grave? One Register reader has. Welcome to On Call.

    Today's tale, told by a reader Regomized as "Mark" takes us back some 15 years when he was handling the IT needs for a doctor's office. The job was relatively simple and involved keeping the systems up and running as well as taking the odd call when things went wrong and he wasn't on-site.

    His contact at the practice worked at the reception desk, and Mark would exchange pleasantries with this individual on his way to deal with whatever that day's needs were. This went on for some time until there was a mysterious lull in contact. There was not a peep from the office until, after a few months, the on-call phone rang. It wasn't his usual contact, and Mark was asked if there any chance he could pop by?

    Continue reading
  • Okta says Lapsus$ incident was actually a brilliant zero trust demonstration
    Once former supplier Sitel coughed up its logs, it became apparent the attacker was hemmed in

    Okta has completed its analysis of the March 2022 incident that saw The Lapsus$ extortion crew get a glimpse at some customer information, and concluded that its implementation of zero trust techniques foiled the attack.

    So said Brett Winterford, Asia-Pacific and Japan chief security officer of the identity-management-as-a-service vendor, at the Gartner Risk and Security Summit in Sydney today.

    Winterford explained that the incident started in January when an Okta analyst observed a support engineer at Sitel – Okta's (former) outsourced customer service provider – attempted to reset a password to Okta's systems but did so from outside the expected network range and did not attempt to fulfil a multifactor authentication challenge. That request sent the reset email to a Sitel email address managed under Microsoft 365 and was made with the attacker's own kit. That last item was highly unusual. Okta can see authentication requests made using the VMs Sitel used to provide support services. But Okta cannot see inside Sitel's MS365.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading

Biting the hand that feeds IT © 1998–2022