
If you are using offensive passwords to describe the service
perhaps you are better off not using the service at all!
Virgin Media likes its fun-and-slightly-naughty image, but not, it seems, in its passwords. El Reg hadn't noticed until someone brought it to our attention, but the JavaScript plug-in the company uses for assessing password strength also censors passwords on the way in. Virgin's version of the plug-in is a 2009 update to the …
If you use it once, will it break?
My favourite password story comes from the very first network install I was involved with, about 25 years ago. NetWare v2, and so wonderfully secure that when the admin changed the supervisor password to "fuckme", it did: it accepted the password change, then wouldn't let him log in again. He ended up nuking the install and starting again from scratch.
I've searched the deepest, darkest parts of the internet, and I still can't fathom why "finian" is blocked. Could be a misspelling of the Irish insult "fenian", but the original spelling isn't on the list, so I'm stumped.
As for blocking any passwords that contain those strings? I can only imagine the confusion caused by some of the shorter ones on that list. I can't use Gr33nigl00 for example.
Block lists aren't exactly a new thing; the more heinous crime is that Virgin constrain the password length to 8-10 characters.
"I've searched the deepest, darkest parts of the internet, and I still can't fathom why "finian" is blocked. Could be a misspelling of the Irish insult "fenian", but the original spelling isn't on the list, so I'm stumped."
Whoever added that to the list is probably confusing it with fenian.
I say "confusing it with" because fenian is not itself on the list, so not only are they applying censorship to something nobody other than the person using the password should ever see anyway, but in this case they are censoring the wrong word. (For that matter, is Finian not a perfectly valid name? I'm sure I knew someone called that when I was kid - if not that, it was very close!)
simply because they have a rule that blocks the 'll' in this word. Two consecutive identical characters is a big no-no in many an AD setup.
Rather silly really because the hackers would have a better chance of getting a password hit because of this rule.
Anyone with even an elementary understanding of cryptography would know this.
One of the flaws with the German Enigma machine was that no letter/number could be encrypted as itself. Not allowing 'll' is a mistake of the same order IMHO.
Really the Welsh should be in there complaining about discrimination, because ll is an actual letter in Welsh.
You are right about the cryptographic flaw in the Enigma; the second biggest flaw in the system was that the German high command put too much trust in their machines so, faced with an apparent leak of information, they went hunting for spies rather than looking to see if the machine could be hacked.
Sloppy JavaScript at its finest.
If the list includes the word "bollock" and the regex match excludes all words containing the term, there is no need to include the word "bollocks", since it is excluded by default. Same for all variations of "f*ck", and "clit".
The list also appears to be taken from an American script, because of the spelling of words such as "pedo".
Come on Virgin, get yourself some proper developers! - or, pass this on to your webdev agency.
> The list also appears to taken from an American script
As is usually the case with lists of "popular" passwords.
ISTM the simplest way to obtain an uncrackable password is just to use a non-English (or non-American) word. And if you can get some non-ASCII into it, you're gÖlden.
I'm pretty sure the same applies to "bad word" filters, too.
It's not just swear words. At a company I used to work at (think IT arm of a company that does disability tests) they suddenly added permanent filters to all corporate laptops, which a lot of us used in the evenings when in our hotels to watch YouTube and check email on Gmail etc.
The following sites were blocked
Youtube
Linked In
Gmail
AOL
Yahoo
And the interesting thing is that even when not on the VPN they were blocked with the message
Access Denied - Access only for Top Management.
Clearly a company that thought, and with good reason, that it might have less than happy employees, and was trying to prevent them from using anything that might help them get another job.
... or maybe a company that has an obligation to keep information confidential, and thus limits access on work systems to resources that help rather than hinder.
A company is not always evil because it stops you from doing something stupid that could cost you your job. The really clever ones have internal Internet cafes on systems which are isolated from the main network, that way people can still get their fix without linking to the trust environment. I know one setup that even locks personal mobiles away, but they do handle rather sensitive information.
"or maybe a company that has an obligation to keep information confidential, and thus limits access on work systems to resources that help rather than hinder"
So allowing senior management, who are likely to have more sensitive information and be at great risk of a targeted attack (and, the cynic in me says, more likely to fall for phishing) to access these resources is a good idea?
"So allowing senior management, who are likely to have more sensitive information and be at great risk of a targeted attack (and, the cynic in me says, more likely to fall for phishing) to access these resources is a good idea?"
Maybe I'm fortunate, but in the places I have worked it usually was a policy *instigated* by senior management (usually after the corporate lawyers explained the consequences of not doing it).
I agree that this is not exactly common practice, though :(
I believe it's entirely possible that I've not long finished working for that company, and yes, they did encrypt everything. I don't recall a message about "top management" however, but they were certainly big enough tossers to do something like that.
It was clear, each and every day, that they trusted management, demanded results without resources and wanted to reduce technical headcount constantly.
A**s....sorry, *they* were deeply stupid as a company and that probably explains why they've been losing contracts hand over fist of late and are not long for the UK market.
There are many corporate proxies/firewalls out there that will simply give empty responses for URIs with what they consider unacceptable words in them.
One system I worked on generated SAML SSO messages, which have base64 encoded encrypted XML in the URI (SAML is fun like that), and some clients inconsistently would tell us that the site was broken or they had to log in twice, things like that. We eventually tracked down that the failing URIs worked correctly on our side, and noticed that the URLs had things like "c0ck" in them.
One fun afternoon later we had derived a list of the most common swearwords, and now the URIs are generated in a loop until we get a URI without an unintended swear word - it's the same XML message each time through the loop, but with a new session encryption key, so the URI changes.
We have clients globally, it seemed only US orgs go for this level of nannying.
Not even seen by the creator, I think? They're always entered into a password box and asterisked out, no? The only person who would see this list is the person who wrote it, and anyone ferreting around in the script code...
And if they're blocking them as partial words (I haven't checked the code) then that's everything from 'niggardly' to 'extravagant' banned, then.
> Passwords should only be seen by the person who created them
Maybe if the requirement was reversed: so that only phrases that were deeply personally derogatory were allowed: e.g. "I'm a pheasant plucker" (or words to that effect), then at least it would stop individuals freely handing out their passwords to all and sundry.
"The password, as far as I can see, is filtered by this javascript on the user's local machine, prior to being hashed and sent to Virgin."
What? Are you saying VM are installing software full of abusive terms on customers PCs in the clear?
So any VM customer who has their computer "examined" by the police "on suspicion of xxx" will always get charged with something, e.g. hate speech.
About 10 years ago, as Blueyonder, one of their call center staff let slip that they could access our main password - i.e. the one we used for e-mail, their website etc.
I promptly complained to the management that this was extremely poor practice and received a reply agreeing with me and saying that they would modify their policies; whether they did or not, I don't know.
Since then I've not trusted them, and I've not used the email service for anything remotely important
VM does have a call centre password which the staff obviously have some access to; this is separate to the password you use to login to their website.
I got caught out by this on Demon. When I set the account up they asked for a memorable phrase. Several years later I called their helpline in India, and got asked for my memorable phrase. I'd assumed I'd only ever get to enter this on a web form, or be asked for a couple of randomised letters ("can you give me the first and fifth letters of your memorable phrase" kind of thing). So I gritted my teeth and told the helpline bloke that my phrase was "furry fish mitten". Thankfully he didn't ask what it meant.
I may be an innocent, but why is "finian" on the list? It might sound a bit like "fenian" but that isn't on the list.
Why is "pedofilia" listed but not "pedophilia" or "paedophilia"? Are Virgin Media just wanting to block illiterate perverts?
Banning "cnut" is a bit rough on students of Norse history, but I can understand why they might have done so. Similarly "flange" for DIY fans. I understand (from Urban Dictionary) that it's occasionally used as a euphemism for lady's parts, but by that argument "ladysparts" (and a thousand other euphemisms) should also be on the list, and it isn't.
This list misses a whole bunch of swear words including one of the famous Seven Dirty Words.
Odd.
A more pressing concern than the odd list is that the w@nkers at VM actually have the time, desire and resources to censor user data that even their own employees shouldn't be able to see.
With several recent performance f*ck ups, and continuous upward price creep over recent years I'd rather they sacked the disciple of Mary Whitehouse who instigated this policy and put their effort into keeping prices down and services working.
TalkTalk allow you to set your telephone password on the website (you need to know the bank account number you pay the DD from and the telephone number they provide ADSL on). I wonder if the Virgin case being discussed here is the same thing - clearly they have to be able to retrieve the password in plain text if the call centre are going to ask you for it.
Handy on the occasion I had to use it, but clearly if you chuck your bank statements and telephone bills in the bin then anybody else could have this information too (not that I care, but those of a tin foil hat persuasion might).
I did wonder at the time whether I should make the password "IWantAMAC", or a ruder equivalent, prior to calling them for a MAC :-)
Chink is still used commonly to describe a small opening, a chink in the armour, etc - its use is not purely for offensive purposes against the Chinese.
Can't say the same for the others.
Chink still has a legitimate use in language - the others do not (and lets be honest, never really have), other than to offend.
Steven R
"Chink still has a legitimate use in language - the others do not (and lets be honest, never really have), other than to offend."
On the contrary - the term "wog" was originally intended as a compliment - it was a statement that the person in question had achieved the lofty state of "westernised", despite his oriental origins.
Now, of course, the attitude that "western" is somehow better is obviously crap in and of itself - but it was prevalent at the time. The term "wog" was simply an arrogant and self-important society saying that someone from without their ranks had become one of them.
The meaning did change over time, of course...
Vic.
> .. never really have), other than to offend.
The n word as an offensive word came from America. I'm just old enough to remember the nursery rhyme that got Clarkson into some bother recently, and I can quite sympathise with it being programmed into your head at an early age. It was just a remnant of an earlier time, when (in England) it was just an ordinary word; people used to name their pets it, hardly something you would do if it were offensive.
Words change. (Listen to the Flintstones theme song for proof.) I suspect in 50 years' time people will find the banned words list very strange.
"It was just a remnant of an earlier time, when (in England) it was just an ordinary word, people used to name their pets it, hardly something you would do if it were offensive."
Like Guy Gibson's dog, which will tactfully be renamed "Digger" in the remake of The Dam Busters!
:-D
http://en.wikipedia.org/wiki/The_Dam_Busters_%28film%29#Remake
I used to play a game called Earth and Beyond that had a rather daft filter. It would filter things regardless of white space. As a result the most innocuous of sentences in chat channels would get censored, e.g. 'It watched me' became 'I* ***ched me', resulting in minutes of fun while everyone in the channel discussed what the censored word might be. Even better, it included foreign swear words, so for a while I knew a few Dutch, French and German swear words.
Very educational :)
Hello = ****o
Indian = *******
Yes, that's right, a whole continent of people were forbidden to state their nationality, because the word might offend some Native Americans. Although, weirdly, the only Native American I've ever met referred to herself as (Sioux) Indian.
It was still possible to call people vvankers though, it just needed two Vs.
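The whitespace-blind filter described above, reconstructed as an added example (not the game's code, whose internals are not known): the text is collapsed to remove whitespace, blocklisted substrings are located in the collapsed form, and the match positions are mapped back onto the original characters, which is exactly how 'It watched me' turns into 'I* ***ched me' and 'Hello' into '****o'. A word-bounded variant is shown beside it. The two-word blocklist is constructed for illustration, and neither variant catches the doubled-V spelling the poster mentions, which is a normalisation problem rather than a matching one.

```javascript
// Added example, not the game's own filter code.
// Constructed two-entry blocklist; the point is the matching, not the list.
const CHAT_BLOCKLIST = ['twat', 'hell'];

// Naive filter: strip whitespace, match substrings, then mask the original
// characters that the collapsed match covered. Matches can straddle spaces.
function naiveMask(text, blocklist = CHAT_BLOCKLIST) {
  const map = [];          // collapsed index -> index into the original text
  let collapsed = '';
  for (let i = 0; i < text.length; i++) {
    if (!/\s/.test(text[i])) {
      map.push(i);
      collapsed += text[i].toLowerCase();
    }
  }
  const out = text.split('');
  for (const word of blocklist) {
    let from = 0;
    for (;;) {
      const at = collapsed.indexOf(word, from);
      if (at === -1) break;
      for (let k = at; k < at + word.length; k++) out[map[k]] = '*';
      from = at + 1;        // step by one so overlapping hits are found too
    }
  }
  return out.join('');
}

// Word-bounded filter: compare whole whitespace-separated tokens only, so a
// blocked word hidden inside or across other words is left alone.
function boundedMask(text, blocklist = CHAT_BLOCKLIST) {
  return text.replace(/\S+/g, (tok) =>
    blocklist.includes(tok.toLowerCase()) ? '*'.repeat(tok.length) : tok);
}

// Usage on the poster's sentence:
console.log(naiveMask('It watched me'));   // I* ***ched me
console.log(boundedMask('It watched me')); // It watched me
```

The bounded version trades one failure for another: it no longer censors innocent sentences, but it also no longer catches a blocked word with a space in the middle, which is the trade-off any filter of this kind has to choose.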
considers the word "admin" a profanity and changes it to %£!&.
In fact the blocking in LOTRO is so harsh you can't actually hold a normal conversation, let alone a naughty one. Much as I like the concept of reducing the overhead of fleshy moderators, it can get to a point where the service is useless and hazardous.
In another case on the same game, someone had registered a character name that was clearly from the more experimental people in the bedroom department, but it could not be reported as the service to report the problem would not allow the inclusion of the character name involved. Using two different word lists makes the problem even worse, and indeed unreportable!
Hey, that's not fair. What did Belgium ever do to offend the world?
Well, apart from that minor unpleasantness involving their King Leopold II, the enslavement of the natives of the Congo Free State in the late 19th century for reasons of pure greed and the horrendous atrocities committed against countless numbers of them (e.g. hands being cut off if they failed to meet punishingly difficult quotas)... and including anything between two and fifteen million deaths.
http://en.wikipedia.org/wiki/Congo_Free_State
The only way the "wa, wa, wa... it was the *king* himself, not the state/people" apologists would have had any moral legitimacy would have been if the Belgian people- seeing what had been done in their name- had strung the King up and abolished the monarchy. Oddly enough, they don't seem to have done that- the descendants of this mass-murderer are still venerated by the Belgian people, and they don't like being reminded what their ancestors did.
They've still got a monument celebrating him, for ****'s sake:- http://commons.wikimedia.org/wiki/File:Monument_%C3%A0_L%C3%A9opold_II.jpg
While working for a large and well-known telecomms company there was a company-wide block on any 'swearwords' used for passwords.
This missive can only have come from clueless management as some of my passwords changed to ones that were not blocked:
B01lck5
Phuque0rf
were a couple of favourites used in response to the emails.
This programmer isn't very good. Since it's doing substring matching there's no need to include both "poof" and "poofter", "shit" and "shite" etc. (Incidentally there are several three-letter strings there which will also match all sorts of innocuous stuff)
As for *why* they're doing this, clearly VM are storing the plaintext password in their systems. The callcentres will have visibility of this and may either (a) ask the customer to confirm their password on the phone, or (b) they will tell the customer what their password is if they've forgotten it.
This is of course pants, but I know other ISPs which do this.
They *should* be storing a salted hash, and if the customer has forgotten their password, the callcentre operator should only be able to reset it to a new one.
Aside: ADSL authentication on the BT wholesale network uses CHAP and this requires the plaintext password to be stored in the authentication server. But (a) VM aren't doing ADSL as far as I know, and (b) in any case they don't need to make the passwords visible to callcentre agents, which in turn means no need for the filter.
BT Internet seems to store plaintext passwords, too, to judge from a conversation I recently had with a support drone.
@AC Thanks for that inciteful advice *facepalm*
Do you mean "insightful"? Or perhaps "incisive"? You can't have both at once. Perhaps if you took your palm away from your face you could see what you're typing.
"Since it's doing substring matching there's no need to include both "poof" and "poofter", "shit" and "shite" etc. (Incidentally there are several three-letter strings there which will also match all sorts of innocuous stuff)"
Actually, El Reg's report has that a little wrong. In the article, they've said:
"And while we're forced to agree that “bollocks” is far too weak a word to use as a password, the code is clear that you can't even use bollocks within a password: if (password.match(/\s+/g,'')) then you'll get marked down."
Well, that quoted line:
if (password.match(/\s+/g,''))
Is actually checking for whitespace.
The list of naughty words is done next, by first putting them in an array (badPassArray) and then turning that array into a single string, with each word separated by a vertical bar:
var re = new RegExp(badPassArray.join("|"), "i");
It's then using this:
return(pwd.match(re) != null);
To return true if the password is contained in the list, false if it isn't.
(So it is checking for substrings, but in exactly the opposite way that the report says. AFAICS. So 'scunthorpe' is a perfectly acceptable password to that bunch of silly scunthorpes at Virgin Media.)
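The two checks the commenter reads out of the plug-in, reconstructed as an added example (not Virgin Media's script): a whitespace test, then a case-insensitive alternation built with join("|") and applied with match. Two things a reviewer would add are included: escaping of regex metacharacters, which join("|") alone does not do, and a pass that drops entries made redundant by substring matching, the "bollock"/"bollocks" and "poof"/"poofter" point raised earlier in the thread. The list here is a short constructed stand-in containing a few of the words mentioned on this page plus one entry with a metacharacter to show why escaping matters.

```javascript
// Added example, not the plug-in's code. Reconstructs the substring
// blocklist check and hardens its construction.

// Constructed stand-in list; 'a.b' is there to show the escaping problem.
const badPassArray = ['bollock', 'bollocks', 'flange', 'finian', 'cnut', 'a.b'];

// join("|") treats each entry as a regex fragment, so '.' in 'a.b' would
// otherwise match any character. Escape metacharacters first.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// With substring matching, any entry that contains another (shorter) entry
// can never fire on its own, so it is dead weight in the regex.
function pruneRedundant(words) {
  const lower = words.map((w) => w.toLowerCase());
  return words.filter((w, i) =>
    !lower.some((other, j) =>
      j !== i && other.length < lower[i].length && lower[i].includes(other)));
}

function buildBadWordRegex(words) {
  return new RegExp(pruneRedundant(words).map(escapeRegExp).join('|'), 'i');
}

// The original wrote password.match(/\s+/g, ''); String.prototype.match
// takes one argument, so the trailing '' is simply ignored. This is the
// same test written plainly.
function hasWhitespace(password) {
  return /\s/.test(password);
}

const badWordRe = buildBadWordRegex(badPassArray);

// Mirrors return(pwd.match(re) != null): true if any list entry occurs
// anywhere inside the password, regardless of case.
function containsBadWord(pwd, re = badWordRe) {
  return pwd.match(re) != null;
}

// Usage:
console.log(badWordRe.source);                   // bollock|flange|finian|cnut|a\.b
console.log(containsBadWord('Flangewidth1'));    // true
console.log(containsBadWord('Scunthorpe'));      // false
```

The pruning step also makes the consequence of short entries visible: every word left in the list blocks every password that merely contains it, so the shorter the entry the wider the collateral damage.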
Am I the only person who thinks The Sun's reputation for supposedly witty headlines (even among those who aren't fans otherwise) is massively overrated?
Yeah, some of the "classics" that get regularly cited have been moderately clever or amusing, but when funny headlines is your day-in, day-out stock-in-trade, any half-competent writer is going to come up with a few half-decent ones over 20 or 30 years, if only because of sheer numbers.
The only reason for banning anything from passwords should be based on technical capabilities of storing them. They should be stored as hashes from which you can't derive the original text, comparisons only ever being of the hash.
If you are ever worried about what the contents might be, then you are saying that the password list can be decrypted, which is very bad.
Virgin Media have subsequently removed the list of "unacceptable" words from the javascript file.
They are still enforced by the server however. As I mentioned yesterday, password security almost pales into insignificance compared to this...
http://ramblingrant.co.uk/virgin-media-youre-only-as-secure-as-your-weakest-link
Only official response (so far) has been "we're not willing to discuss our encryption"
They've updated the original to remove most of the words, but the archive.org still has the original:
https://web.archive.org/web/20140812173352/https://my.virginmedia.com/assets/legacy/js/password_strength_plugin.min.js
btw I think the author is wrong in saying that passwords containing bollocks will be disallowed, he's looking at the line above, the line below says "pwd.match(re)".