Reg reader rages over Virgin Media's email password policy

A Register reader has raised concerns over UK ISP Virgin Media's password policies after discovering he couldn't set a password longer than 10 characters or one that includes non-alphanumeric characters. Our reader Nick told us he was facing repeated attempts to take control of an @virgin.net email account he owns – adding …

  1. SsiethAnabuki

    Virgin, bringing you the barely-adequate security from 2002

    It really is laughable that they consider this to be sufficient to secure _any_ system available online, let alone customer email accounts. I dread to think what infrastructure they have behind this that requires it be alphanumeric and can't have the field resized beyond 10 characters....

    1. Doctor Syntax Silver badge

      Re: Virgin, bringing you the barely-adequate security from 2002

      It makes you wonder what their internal security might be like as well.

    2. Anonymous Coward

      Re: Virgin, bringing you the barely-adequate security from 2002

      That's easy.

      * storing the passwords in 10 char field in the DB... in plaintext

      * SQL looks something like "INSERT into users(user,password) values(${user},${password})" and don't want Bobby Tables breaking it

      1. mobailey

        Re: Virgin, bringing you the barely-adequate security from 2002

        You're assuming that they're using a parameterised query?

        -mobailey

      2. big_D Silver badge

        Re: Virgin, bringing you the barely-adequate security from 2002

        But a hashed password is even easier, it is a fixed length and has no characters that need to be escaped...

    3. Anonymous Coward

      Re: Virgin, bringing you the barely-adequate security from 2002

      You realise that that is 62 ^ 10 combinations?

      That's 26,614,008,303 a second for a whole year.

      1. Robert Jenkins

        Re: Virgin, bringing you the barely-adequate security from 2002

        Exactly!

        Ten uppercase/lowercase/digits, using random characters, is *extremely* secure!

        I can only guess few people actually bother to work out the number of combinations that gives.

        There is no way such a password can be repeatedly cracked in a day or so.

        The victim must have something like a keylogger or RAT on their machine that's allowing the cracker to read the password they are entering, for them to get it so quickly.

        "26,614,008,303 a second for a whole year" - correct, and totally impossible.

        It takes time to try a password, even with an automated system, anything from (I'd estimate) ten milliseconds upwards for the entry, test and response using a remote internet connection.

        That means a likely maximum of under ten million attempts per day - and in excess of a hundred million years for the average search time to match a random password.

        And does Virgin not even have a lockout period after a number of fails? That slows cracking attempts by orders of magnitude.

        1. Lord Elpuss Silver badge

          Re: Virgin, bringing you the barely-adequate security from 2002

          Assuming local decryption (so no network latency), security.org estimate that a random 10-digit alphanumeric password would take around 7 months to crack. So I would tend to agree that if it's being cracked in a day there's something else going on.

          1. Ian 7

            Re: Virgin, bringing you the barely-adequate security from 2002

            According to https://d1rytvr7gmk1sx.cloudfront.net/wp-content/uploads/2022/03/Hive-Systems-Password-Table-1-770x346.jpg?x54432 you're looking at 3 days with modern 2022 hardware with local decryption. Given how rubbish Virgin's consumer email passwords are, what's the betting that someone's got access to the database and is cracking the hashes directly?

            1. Lord Elpuss Silver badge

              Re: Virgin, bringing you the barely-adequate security from 2002

              "According to https://d1rytvr7gmk1sx.cloudfront.net/wp-content/uploads/2022/03/Hive-Systems-Password-Table-1-770x346.jpg?x54432 you're looking at 3 days with modern 2022 hardware with local decryption."

              1) I think I trust security.org over a random JPEG

              2) Even assuming the table is correct, it says 3 weeks for a 10-digit alphanumeric pw, not 3 days.

        2. gotes

          Re: Virgin, bringing you the barely-adequate security from 2002

          It would be nice if "Nick" could clear things up here. Though maybe he's offline due to being pwned.

      2. Chris 3

        Re: Virgin, bringing you the barely-adequate security from 2002

        No - because I seem to recall your password cannot start with a number, seriously.

    4. big_D Silver badge

      Re: Virgin, bringing you the barely-adequate security from 2002

      I've actually refused to sign up on sites that don't offer secure passwords - I use a minimum of 25 characters, with special characters, numbers etc. And I always set 2FA, where possible. And, again, I've started deleting accounts that don't offer 2FA, if those accounts are important.

      Heck, even my Windows password, that I type in dozens of times each day is well over 10 digits and includes special characters...

    5. Anonymous Coward

      Re: Virgin, bringing you the barely-adequate security from 2002

      What I don't understand is that if you are storing some variant of a password hash why have such a low limit anyhow, doesn't the hash define storage space?

  2. Doctor Syntax Silver badge

    Simple solution. Don't use an ISP-provided email service. If you do you're not only lumbered with crap like this if the ISP doesn't care, it also makes it harder to ditch your ISP.

    1. Anonymous Coward

      Does this policy also apply to the customer account area? If so this is piss poor.

      1. Hugo Rune
        Facepalm

        Yes it is the same e-mail & password combination.

      2. William Towle
        Flame

        > Does this policy also apply to the customer account area? If so this is piss poor.

        Nod, I had a second user account for my place set up for me recently so that I could (I hoped) get at the service status page and associated controls while WFH during the pandemic without needing to call the helpline or to have the bill payer's master password. I had thought the initial password had been a lazily-made choice until I tried to set my own and realised the rules were awful.

        I was also hoping better warnings of planned outages might become available (earlier grumbling applies) but no such luck!

        1. yetanotheraoc Silver badge

          Easier

          You should have just brute forced the bill payer's password.

      3. logicalextreme Silver badge

        Yup. I've never been able to get into my account. Coming up on eight years now. Cable's fast and the connection's solid as a rock, so I've rarely needed to, but goddamn. Website's broken, contact forms don't work, email addresses bounce back. Occasionally I phone them up to tell them to put the price down and just leave it at that. I assume there's no way for me to cancel the account and I'm stuck with it till the end.

    2. itzumee

      I ditched my Plusnet ISP email about 4 months ago for FastMail, after issues with their IMAP servers meant that email was slow to arrive and/or connections would be randomly terminated when retrieving email. The difference in performance now is like night vs day.

      1. mdubash

        Another Fastmail user here - over 10 years now and no glitches, security issues - or indeed anything upsetting.

    3. Hubert Cumberdale Silver badge

      I use Tutanota. You can get it free, but I actually feel like it's worth paying for (I use my own domains). Minimal bells/whistles, but zero advertising and the possibility of e2e encryption.

      1. Spamfast
        Stop

        the possibility of e2e encryption

        All messaging systems support E2E encryption, even the postal service. The provider is irrelevant. That's the whole point of E2E.

        1. Hubert Cumberdale Silver badge
          Coat

          I see your pedantry and I refer you to the fact that you know exactly what I mean.

    4. Anonymous Coward

      Completely agree however there are some people that have had them for years and switching email accounts is no easy task for the normal user. I use a PC with everything bookmarked and saved so it would be relatively easy for me but can you imagine trying to do it on a phone?

      1. Doctor Syntax Silver badge

        I agree but you only have to do it once and the longer you leave it the bigger the job gets.

        However, there's no problem in running an ISP and non-ISP address side-by-side so get your independent address first and then take as long as you need to register your change of address with whoever you want to know your new address.

        For extra advantage register your own domain which allows you to switch the MSP if need be. Since ditching my ISP (Nildram which was fine until a series of take-overs left it in Dido-land) I've switched not only ISP twice more but also switched domain registrar/MSP (ending up with Mythic Beasts and see no reason to swap again).

        1. SImon Hobson

          left it in Dido-land

          I had to read that twice, the first time I'm sure it had an extra "l" in it - which would have made it appropriate given how they have shafted (and probably still are) their customers.

    5. Tessier-Ashpool

      I use iCloud email in conjunction with its custom email DNS feature, meaning I can easily direct emails for someone@somedomain.com to iCloud mail. I already pay £2.49 a month for iCloud storage, so the emails and custom email DNS come at no extra charge. That's nothing, really, considering the whole family can share this feature, and a domain can be registered for around $15 per year.

      https://9to5mac.com/2021/09/07/how-to-set-up-an-icloud-mail-custom-email-domain-video/

    6. Gordon 10 Silver badge

      Smug mode off

      Downvoting because Virgin mandates that you use a Virgin mail address for logon to their billing screens.

      There wasn't an alternative last time I checked. You can get a copy bill sent to any address you like but the actual logon requires the Virgin address.

      1. Doctor Syntax Silver badge

        Re: Smug mode off

        What part of an ISP provided email address making it harder to ditch your ISP did you not understand?

        1. Anonymous Coward

          Re: Smug mode off

          Which part of his reply didn't you understand?

          1. Doctor Syntax Silver badge

            Re: Smug mode off

            Staying with an ISP that provides sub-standard service.

      2. WhyOfFry

        Re: Smug mode off

        My logon for Virgin's customer area has never been a Virgin email address. Can't remember exactly when I moved to e-billing (must be 5+ years ago) but I've definitely never been forced to use a Virgin email as a username. Can't comment on Virgin email issues as I've never used it - no idea if I even have one.

        Agree though that their password policy is cr4p. Seem to remember having trouble setting a valid password and only finding the 10 char limit after searching around. Also fairly sure I sent them some 'constructive feedback' at the time.

      3. MarkTriumphant

        Re: Smug mode off

        This confuses me - I have just logged on with my non-Virgin email address. What am I not understanding? As an extra, I have never used my Virgin email address, as I rent my own domain.

    7. Arthur the cat Silver badge

      Simple solution. Don't use an ISP-provided email service.

      This, every time. I've had various non-technical friends fail to understand this, and then complain when they change ISPs that the old ISP won't let them access "their" email without paying for what was free. As I point out, unless you own the domain ("the bit after the @" for non-techies) it's not your email address, it's someone else's email address that they're letting you use for now with no guarantees for the future.

      1. Trigun Silver badge

        I thought there was something in place to allow you to access the email despite having moved away?

        I might be misremembering, though.

        1. Anonymous Coward

          ...

          Having a proper email client that downloads the emails to a local store, probably. You can't do that with these modern webmail interfaces.

          With my setup I use a proper client at home (giving me a copy of the emails), and use the webmail client if I - say - have to check my emails at work.

          1. Adelio

            Re: ...

            That is why I have always used Outlook (for Office); e-mails are stored locally and are backed up daily.

        2. Rol

          You are correct. In the UK, ISPs have to allow ex-customers access to their ISP email address for...oooh, I think a month or maybe 2 months, after ending the contract. Sorry, can't remember.

          Some will happily keep the email trundling along indefinitely, provided you access it every now and again.

          I ditched Virgin about 8 months ago, due to excessive wallet gouging and my email address with them is still merrily bumbling along. If only they hadn't marked me down as their personal cash cow, I'd still be with them.

          I now have exactly the same level of service with my new provider, at a third of the price that Virgin wanted, with assurances that it will increase by only £2 a month once the introductory offer has finished.

          Whoopeeee! No more brinkmanship dealings with retention staff every year.

    8. GruntyMcPugh Silver badge

      Exactly this, I've been a Virgin Media customer on and off for over 20 years (and I worked for them for a while too), but I've never used their email service (I mentioned I used to work for them, maybe that's a clue as to why,....) but why would you want to be tied down to your ISP, to keep your email address? With a Mobile, we can port our number if we change supplier, but email, change and you're boned. So I have a selection of Yahoo and Hotmail addresses for various tasks.

    9. Man inna barrel

      I am suffering this ISP email tie-in at present. It is a right pain in the arse to change all my email contact details. All I wanted to do was get a cheaper deal on basic internet provision, but the email factor has made this difficult. I am trying to migrate everything to Gmail, which is sort of working, but I still have infrequent contacts on the old address. I am not saying that Gmail is the best email provider, but at least I am not tied to my ISP because of email provision.

      My former boss came across this email tie-in problem with his business ISP account, and transferring contact details was a major pain. Hundreds of customers and suppliers. All I have to deal with is stuff like online news, utility suppliers, various hospital contacts, and so on. I have a text file listing the transfers. It is slow progress. However, there is progress, with much bureaucratic faff, most of it inflicted by ignorant algorithms. Bureaucratic faff is never pleasant, but automating it is peculiarly cruel.

    10. Not Entered

      I'm with Virgin Media, and they allow me to send emails as if they came from my registered domain name. I don't think gmail/outlook/hotmail would allow me to spoof my domain name as a "From:" email address.

      Yes, the 10 character password thing is seriously stupid.

  3. devin3782 Silver badge

    You know when you see a policy like that they're storing passwords as plain text. Microsoft is also guilty of password upper limits, as are several banks, along with specific character subsets.

    If you're storing passwords properly (one-way, uniquely salted hashes using a slow, strong hashing algorithm, compared in constant time) then the only characters that matter are null chars, as they cause some hashing algorithms to exit, so remove those; otherwise don't restrict.

    Also every bone in the manager's crotch (that's what I'll break) for deciding to prevent pasting passwords into form fields.

    1. Red Ted
      FAIL

      "...deciding to prevent pasting passwords into form fields."

      A frustrating variation on this I came across recently was the site that would allow pasting in to the login form, but not in to the password change form!

    2. Flocke Kroes Silver badge

      Re-enabling paste

      This is how to re-enable paste in Firefox. For other browsers, ask duckduckgo.

      1. devin3782 Silver badge

        Re: Re-enabling paste

        Nice!

        If I may there's still nothing stopping a developer attaching a key press event and testing for ctrl + v and then blanking the box.

      2. Doctor Syntax Silver badge

        Re: Re-enabling paste

        That's odd. They give PayPal as an example and I can't remember ever having a problem pasting there.

      3. RegGuy1 Silver badge
        Happy

        Re: Re-enabling paste

        Wonderful! Thanks. I love Firefox. :-)

  4. 42656e4d203239 Bronze badge

    Rainbow tables anyone?

    Anyone responsible for setting password policy should be aware that rainbow tables for up to 14 characters are easily available, which reduces the password crack time for passwords shorter than 14 characters to trivial lengths of time. All the bad guy has to do is get your password hash and boom, he has your password (providing it's a password of < 14 characters) - ok it may take a while to find in the table but it's much quicker than trying all the possible combinations against the login.

    I expect that in this case the Virgin login page trivially hashes the password and passes it over to the server for storage, so the bad guy in question just has to scan his rainbow table (hence crack times less than a day) and login. Virgin's security mechanisms aren't triggered and our mark gets hacked once more.

    Long passwords are best boys and girls - obligatory XKCD

    1. Tessier-Ashpool

      Re: Rainbow tables anyone?

      A proper password hash will have been computed in conjunction with a salt. So a rainbow table in this case won't be much use unless the hacker has the salt as well as the hash. If that happens, your password provider has been seriously compromised!
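
What devin3782 describes further up (one-way, uniquely salted hashes from a slow algorithm, compared in constant time) and the salting point in this reply, as an added example that is no commenter's code: Python's hashlib.pbkdf2_hmac with a fresh random salt per account. The iteration count and sizes are assumed tuning values, and the stored-size function also answers the earlier question of whether the hash, rather than the password, fixes the storage space.

```python
import hashlib
import hmac
import os

# Assumed tuning values for PBKDF2-HMAC-SHA256: a deliberately slow iteration
# count, a 16-byte random salt per account and a 32-byte derived key.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, key). A fresh random salt is drawn when none is supplied,
    so two accounts with the same password get unrelated stored values."""
    if not salt:
        salt = os.urandom(SALT_BYTES)
    # UTF-8 encoding means any character the user types, including NUL, is
    # accepted; nothing about the password needs escaping or restricting.
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              ITERATIONS, KEY_BYTES)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    time taken does not reveal how many leading bytes matched."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


def stored_record_sizes(passwords) -> set:
    """Bytes needed to store salt + key for each password. The set has one
    element: storage size is fixed by the hash, not by the password length."""
    return {len(salt) + len(key) for salt, key in map(hash_password, passwords)}


def same_password_distinct_records(password: str) -> bool:
    """Hash one password twice with fresh salts and report whether the stored
    keys differ (why one precomputed table cannot cover every account)."""
    _, key_a = hash_password(password)
    _, key_b = hash_password(password)
    return key_a != key_b


if __name__ == "__main__":
    salt, key = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, key))
    print("verify bad:", verify_password("correct horse battery stapl", salt, key))
    print("record sizes:", stored_record_sizes(["a", "x" * 200, "with\x00nul"]))
    print("distinct records:", same_password_distinct_records("Tr0ub4dor&3"))
```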

    2. Doctor Syntax Silver badge

      Re: Rainbow tables anyone?

      The cracker has to get the hash to do this. That might be the case if the site leaks but in that case you'd have to change it anyway. The bigger risk in that case would be if you've used the same password elsewhere so remember - don't do that.

    3. Ian Johnston Silver badge

      Re: Rainbow tables anyone?

      All the bad guy has to do is get your password hash

      And how does s/he do this?

      1. Tessier-Ashpool

        Re: Rainbow tables anyone?

        @Ian Johnston

        Most notably by SQL injection on a crappily-written website.

        1. Ian Johnston Silver badge

          Re: Rainbow tables anyone?

          Doesn't that mean they already have the access they need? Sounds a bit like breaking into someone's house to steal the front door key.

          1. NoKangaroosInAustria

            Re: Rainbow tables anyone?

            Because knowing the password hash alone isn't useful to the hacker - they still need your actual password to login - hence the other poster's comments regarding rainbow tables - which are precomputed tables of corresponding hashes for all possible passwords up to a certain length. I hope I am not woefully misunderstanding your question.

          2. Tessier-Ashpool

            Re: Rainbow tables anyone?

            No, it doesn't mean that. It's more like peering through an unfrosted window to see a door's key code written on the wall.

            For a long long time, huge numbers of websites accepted a user's login on a form that is used to compute a crappy SQL command. e.g.

            "SELECT TOP 1 * FROM [Users] WHERE [User] = ' " + $User + " ' AND password=' " + $Password + " ' "

            which, if jbloggs 1234 is entered, maps to a string

            SELECT TOP 1 * FROM [Users] WHERE [User] = 'jbloggs' AND password = '1234'

            But what happens if someone, instead of typing jbloggs, types ' OR 1=1 ;

            A crap website will, from this, construct a SQL command:

            SELECT TOP 1 * FROM [Users] WHERE [User] = '' OR 1=1; AND password = '1234'

            which will successfully find the first user in its [USERS] table, regardless.

            Oops.

            Decent websites won't do things this way, and certainly those that engage in penetration testing. But I daresay there are still quite a few around that are exposed to SQL injection of this kind.
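
The two ways of building that login query side by side, as an added example that is not the commenter's code: the concatenation anti-pattern above (in SQLite syntax, so LIMIT 1 in place of TOP 1) beside a parameterised lookup. The jbloggs/1234 account is constructed sample data, and a plain SHA-256 stands in for the slow salted hash a production system would store.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample account for the in-memory database. The password column
# holds a hash rather than the password; a plain SHA-256 stands in here for the
# slow salted hash a production system would use.
SAMPLE_USERS = [("jbloggs", hashlib.sha256(b"1234").hexdigest())]


def make_db() -> sqlite3.Connection:
    """Create the users table and load the constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_concat_query(user: str, password: str) -> str:
    """The anti-pattern from the comment above, in SQLite syntax: form fields
    spliced into the SQL text. Returned rather than executed, so the effect of
    the input on the statement can be inspected."""
    return ("SELECT * FROM users WHERE user = '" + user
            + "' AND password = '" + password + "' LIMIT 1")


def input_changed_statement(user: str, password: str) -> bool:
    """A well-formed statement here has exactly four quote characters, two per
    literal. Any other count means a quote in the input has escaped its
    literal and changed the statement (an O'Brien breaks it; a crafted value
    rewrites it)."""
    return build_concat_query(user, password).count("'") != 4


def login(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Hardened form: the username travels as a bound parameter, so the driver
    treats it purely as a value to match and it can never become SQL text.
    The stored hash is compared in code, in constant time, not by the database."""
    row = conn.execute(
        "SELECT password FROM users WHERE user = ? LIMIT 1", (user,)
    ).fetchone()
    if row is None:
        return False
    candidate = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, row[0])


if __name__ == "__main__":
    conn = make_db()
    for name in ("jbloggs", "' OR 1=1 ;"):
        print(repr(name), "alters statement:", input_changed_statement(name, "1234"),
              "| parameterised login:", login(conn, name, "1234"))
```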

  5. Steve Davies 3 Silver badge
    Pirate

    Time to give VM the finger

    and move your email to a provider that takes security at least half seriously rather than not at all, as VM clearly don't care.

    Yes, it can be difficult but it is possible if you take your time.

    However, if you are fighting a determined hacker then you have to go for broke.

    VM need to be hauled up before the ICO; not that they can do anything, but any publicity that shames them can't be bad.

  6. chivo243 Silver badge
    Windows

    Move on already

    Cut your losses, and move to another email provider from this century! Don Q something...? It's only email...

  7. Stuart Castle Silver badge

    Way back in the dark ages, when I first got Cable (and broadband), I set up a Cable and Wireless email address. I never really used it beyond as a login for some websites. Then, a couple of years after NTL took over, I got an email stating that they were migrating the old Cable and Wireless emails over to their system, and, for some reason they never explained, mine would not be migrated.

    From what I have read on here (and on several Cable Users forums, one of which I used to moderate), I've not missed much by not having a Virginmedia email address.

    It never really bothered me that I lost that email address, but I'm now glad I did.

    1. mobailey
      FAIL

      re: "they were migrating the old Cable and Wireless emails over to their system, and, for some reason they never explained, mine would not be migrated."

      Probably because you had a password that was 11 characters long.

      -mobailey

  8. Mike 137 Silver badge

    The same old arbitrary 'rules' to what purpose?

    "We do advise to use a password between 6-10 characters long, including at least 1 number, 1 capital letter, 1 lower case letter and ensuring that it isn't your surname or first name."

    Depending on the attack type, such rules may or may not be completely irrelevant. They do apply to blind brute forcing, but (apart from the bleeding obvious 'don't use your name') they demonstrate complete failure to understand it. In reality the code space increases very much faster for string length than for symbol set size, so longer is more resistant than 'more complex' (and is also more memorable for the legitimate user - a frequently forgotten but rather important consideration). However the greatest protection against blind brute forcing is limitation of retries, but I practically never see this implemented.

    There are actually multiple alternative attack types against which such rules have little or no protective effect. Often the responsibility devolves on the system provider rather than the user - for example against password database exfiltration for offline cracking (the basis for almost all documented password quality analyses).

    1. devin3782 Silver badge

      Re: The same old arbitrary 'rules' to what purpose?

      Password policies do one thing and one thing only: help hackers generate the rainbow tables more easily. Well done in handing out the keys to the kingdom. The thing seldom spoken about is common password topologies: https://korelogic.com/Resources/Presentations/bsidesavl_pathwell_2014-06.pdf (note this is from 2014!)

      The best password is the one you don't remember

      https://xkcd.com/538/

      1. Mishak Silver badge

        The best password is the one you don't remember

        I've used 63 random symbol WiFi passwords in the past - ok until you need to enter it manually on some device...

        1. Jonathan Richards 1 Silver badge

          Re: The best password is the one you don't remember

          ... or your mother comes to stay, and wants to hook her phone up to your WiFi. "No, mother, not D=*4AI@X^r$)d2R><-wSTO}v0QoksFV\3NtMZ8qxPJ_B;6|.n~b/1U9G!#%jfKag, it's D=*4AI@X^r$)d2R><-wSTO}v0QoksFV\3NtMZ8qxPJ_B;7|.n~b/1U9G!#%jfKag"

          1. yetanotheraoc Silver badge

            Re: The best password is the one you don't remember

            Hah! I changed my mother's wifi password so she can't even connect to her own without my help.

            1. yetanotheraoc Silver badge

              Re: The best password is the one you don't remember

              Just noticed all the downvotes! To be clear, my mother has the new password written down in her password book. She just can't successfully enter the long random string without making a typo.

          2. John70

            Re: The best password is the one you don't remember

            Are you sure it's a 7 and not 8?

          3. herman Silver badge
            Devil

            Re: The best password is the one you don't remember

            I just connected to your system with “D=*4AI@X^r$)d2R><-wSTO}v0QoksFV\3NtMZ8qxPJ_B;Z|.n~b/1U9G!#%jfKag”

  9. tony72

    Something's not right here

    Brute-forcing a ten character random mixed-case alphanumeric password is a non-trivial task, taking months or years, according to the references I just looked at. But even if the hacker can do it considerably faster than that, as some other posters are suggesting, he has to have the hash first. So in order to have a "running battle" with a hacker cracking subsequently changed passwords within a day, the hacker has to have ongoing access to the hashes, which means the problem would have to be a lot bigger than a poor password policy. Now that could be what's happening; a hacker could have managed to access Virgin Media's servers, have ongoing access to password hashes, and be going to the not inconsiderable trouble of cracking and re-cracking this particular guy's password, for not-immediately-obvious gain. But does it not seem more plausible that this guy has gotten his machine infected with a RAT or keylogger or whatever, and the hacker is simply seeing every password change?

    1. Seajay#

      Re: Something's not right here

      I think you must be right. 10 character password of upper case, lower case and digits is (26x2+10)^10 = 8E17 possibilities.

      There are 86400 seconds in a day so if he is brute forcing it, the attacker must be testing ~ 8E17 / 86400 = 9 trillion passwords per second.

      Vaguely plausible (though expensive) using 100s of AWS instances against a weak hash. But completely infeasible over the internet.

      1. Annihilator

        Re: Something's not right here

        It's slightly more than that, as that excludes passwords that might be shorter than 10 characters which the attacker also has to check. But yeah, I had the same thought. Brute forcing a 10 alphanumeric character password is definitely a non-trivial task.

        Interestingly (depending on your view point...), adding 20 additional special characters only gives you around 16x as many possible passwords (82^10 divided by 62^10). Adding an additional alphanumeric character to the length of the password (taking it to 11) gives you 62x as many passwords (62^11 divided by 62^10).

        Length is way more useful than special chars. In this use case, size definitely matters.

        Confusingly, (and somewhat ironically) password rules can actually *weaken* the password set. If you insist on "at least one upper, lower, number and special character", you've removed some password possibilities that the brute force attack doesn't need to try anymore. But equally you've stopped a lot of dictionary attacks, so it probably balances out...

        1. TRT Silver badge

          Re: Something's not right here

          There's something to be said for scary-looking strength meters on password entry fields.

        2. Eclectic Man Silver badge
          Headmaster

          Re: Something's not right here

          Minor point but it states that the password must start with an alphabetic character, which makes a minor reduction in the number of possible passwords. (Although why this is required is beyond me.)

          1. Peter 26

            Re: Something's not right here

            I avoid starting numerics for alphanumeric codes when Excel is involved as it sometimes deletes trailing zeros if the column format is set to General. I really hope Excel isn't involved in their process anywhere.

            1. Cav Bronze badge

              Re: Something's not right here

              Or even leading zeroes...

      2. Helcat

        Re: Something's not right here

        There's a guide to password strength that suggests 10 characters, alphanumeric only, will take 7 months to brute force at most.

        12 character including alphanumeric and special, is 34,000 years.

        Pass Phrases are best as they are easier to remember and, more importantly, LONG. Remembering the pass phrase (or three + random words, misspelt and with added substitutions as I've been recommending to friends) being important as you're not tempted to write the damn thing down or use a password locker - which is about as secure as writing the damn thing down in a note book (Seems secure until someone finds it, at which point they have it and you might not).

        That this case seems to be a 10 character limit and cracked the same day: That suggests there's something else happening, such as man-in-the-middle, or a compromised machine, or they've got access to a password store. Then they can just get the password from there instead. Or they're using a shorter list of known passwords, or there's a pattern to the password making 'guessing' it that much easier.

        Indeed, most hackers won't bother with true brute force: Those can be easily detected (remember that old 'get it wrong x times and you have to wait an hour. Or two?). Rather, they'd like you to believe they are brute forcing, while they sit there and get your new password from your machine, or password store.

        This, of course, is why 2fa or MFA is so important these days.

        1. Anonymous Coward

          Re: Something's not right here

          I agree words are a better option but no password manager? You're instantly back to Joe Public using the same 3 word phrase over multiple sites. I have around 125 personal site logins, all with distinct min 12+ char passwords, around 10%-15% have 2FA where it's offered. The 2FA is offered by my password locker and the passwords, ALL of them, have reminders to be auto-updated every 3 months max. Every day I get a list of "due to expire", I then assess if I need the site anymore, request deletion on the site if not, else get the locker to auto-update the password in a few clicks. Rotating passwords is just one of those 10 min daily tasks in the morning.

          Password management is a daily chore that must be done just like washing clothes, or doing the dishes, etc, if you don't want some wanker from some backwater shithole emptying your bank account in 5 secs flat!

          People need to stop making excuses and get used to daily/weekly password maintenance being a chore just like all your other household chores. If not then get off the fricking internet before you lose everything. If it helps people, imagine every hacker has Putin's face laughing, 'cos the bad guys on the internet really couldn't care less about anyone but themselves.

          1. werdsmith Silver badge

            Re: Something's not right here

            People need to stop making excuses and get used daily/weekly password maint being a chore just like all your other household chores.

            Never going to happen, people will just not stand for that. What is really needed is a better internet security process. The password method is just not designed for dozens and dozens of different logins.

            1. Adelio

              Re: Something's not right here

              What I find unacceptable is that many password managers store your passwords on their systems. This allows you to use multiple systems with a single password manager but then increases the risk of compromise because the passwords are NOT in your control, you have no idea who can access the password data remotely and you have to blindly accept their assurances about how secure they are storing (and transmitting) the password data.

              For me a password manager should ONLY store passwords locally and encrypted.

              1. anothercynic Silver badge

                Re: Something's not right here

                1Password does the local password vault... As does KeePass. The former also does synchronisation via Dropbox or iCloud using an account *you* control. I sleep better at night knowing that my passwords are safe on the local device.

          2. Jamie Jones Silver badge

            Re: Something's not right here

            People need to stop making excuses and get used daily/weekly password maint being a chore just like all your other household chores

            That's all very well, but you ain't seen the state of my flat!

        2. Mike 137 Silver badge

          Re: Something's not right here

          "There's a guide to password strength that suggests 10 characters, alphanumeric only, will take 7 months to brute force at most. 12 character including alphanumeric and special, is 34,000 years."

          The requisite equation for code space is character set size to the power of password length. Thus 10 characters, alphanumeric lower case only is approx 3.656e15. Statistically half that number of attempts is needed for a blind brute force attack, so that's roughly 1.8e15 attempts. For 12 characters and a 96 symbol space, it's just over 3e27 attempts. But the attacker will also have to test for all the shorter alternatives and smaller character sets as well, so the average total required attempt count is the sum of all the mathematical code spaces divided by two.

          The required time would depend on the speed of your machine, but nobody does blind brute forcing these days. If they do brute force at all (and there are other more efficient ways) they start from the widely publicised obvious password sets, which typically makes it much faster. However, longer passwords are significantly less prevalent in the public sets, so quite apart from the mathematical advantage of greater length they're disproportionally more resistant to discovery.
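The arithmetic in the comment above (code space as symbols to the power of length, the expected blind brute force being half of that, and the need to cover all shorter lengths) is worked through in the following added example. It is not code from The Register, Virgin Media or any commenter; the guess rates used in the demo (1,000 guesses per second online against a login form, 10^10 per second offline against a leaked fast hash) are illustrative assumptions, not measurements.

```python
# Added example: brute-force cost arithmetic for the figures argued in this thread.
# Not code from The Register or Virgin Media; the guess rates are assumptions.

LOWER = 26             # a-z
ALNUM_CI = 36          # a-z plus 0-9, case-insensitive
ALNUM = 62             # a-z, A-Z, 0-9
PRINTABLE = 96         # roughly the printable ASCII set, including space


def keyspace(symbols: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return symbols ** length


def cumulative_keyspace(symbols: int, max_length: int, min_length: int = 1) -> int:
    """Passwords of every length from min_length to max_length: an attacker who
    does not know the length has to cover all of them, as the comment notes."""
    return sum(symbols ** n for n in range(min_length, max_length + 1))


def expected_attempts(symbols: int, max_length: int, min_length: int = 1) -> int:
    """Average guesses for a blind brute force: half the cumulative space."""
    return cumulative_keyspace(symbols, max_length, min_length) // 2


def seconds_to_crack(attempts: int, guesses_per_second: float) -> float:
    return attempts / guesses_per_second


def rate_needed(attempts: int, seconds: float) -> float:
    """Guess rate required to get through `attempts` within `seconds`."""
    return attempts / seconds


def human_duration(seconds: float) -> str:
    units = (("year", 365 * 86400), ("day", 86400), ("hour", 3600), ("minute", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}s"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Assumed rates: online guessing against a login endpoint vs. offline
    # cracking of a leaked fast hash on a GPU rig.
    ONLINE, OFFLINE = 1e3, 1e10
    for label, symbols, length in (("10 alnum", ALNUM, 10), ("12 printable", PRINTABLE, 12)):
        n = expected_attempts(symbols, length)
        print(f"{label}: ~{n:.3g} expected guesses")
        print(f"   online  @{ONLINE:.0e}/s: {human_duration(seconds_to_crack(n, ONLINE))}")
        print(f"   offline @{OFFLINE:.0e}/s: {human_duration(seconds_to_crack(n, OFFLINE))}")
    # What guess rate would "cracked in a day" imply for a random 10-char alnum password?
    print(f"rate for one day: {rate_needed(expected_attempts(ALNUM, 10), 86400):.3g} guesses/s")
```

Running it reproduces the thread's numbers (36^10 is about 3.66e15, 62^10 about 8.39e17) and makes the practical point explicit: the same password that takes centuries to guess through a rate-limited login form falls in hours to an offline attack on an unsalted fast hash, which is why the storage format matters more than the tenth character.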

    2. devin3782 Silver badge

      Re: Something's not right here

      Yes but considering people remember/reuse their passwords and the sheer number of password leaks reducing that is easy.

      You're also assuming it's hashed. Considering the password rules I suspect it's stored in a db table unencrypted so certain characters don't cause an SQL injection, if it was hashed first it wouldn't matter as the resultant string would only contain characters valid for hexadecimal.

      Brute force hash cracking assuming they have the DB is possible with a few GPUs unless the algorithm used is expensive to run on a GPU like say an Argon2D algorithm.
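The point made above, that a hashed password is a fixed-width hex string with no characters that need escaping, and that a parameterised query makes the escaping question moot anyway, is shown in the following added example. It is illustrative code, not Virgin Media's or the article's. It uses PBKDF2-HMAC-SHA256 from the Python standard library only because that needs no third-party package; Argon2id (via the argon2-cffi package) or scrypt is the better choice where available, for the GPU-resistance reason given in the comment. The iteration count and the sample users and passwords are constructed for the demo.

```python
# Added example: salted, stretched password hashing plus a parameterised INSERT.
# Illustrative code, not Virgin Media's. PBKDF2 is used for portability;
# prefer Argon2id or scrypt in a real deployment.
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

ITERATIONS = 600_000   # assumption: tune so one hash costs ~100 ms on the login host


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$digest' in hex. The result is the same width whatever the
    length or character set of the password, so a fixed column suffices."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    # Constant-time comparison so a wrong guess does not leak how wrong it was.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # The schema never needs to know how long or how odd the user's password was.
    conn.execute("CREATE TABLE users (user TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    return conn


def create_user(conn: sqlite3.Connection, user: str, password: str) -> None:
    # Placeholders, not string formatting: the password never becomes SQL text,
    # so quotes and semicolons in it are just bytes to be hashed.
    conn.execute(
        "INSERT INTO users (user, pw_hash) VALUES (?, ?)",
        (user, hash_password(password)),
    )


def login(conn: sqlite3.Connection, user: str, password: str) -> bool:
    row = conn.execute("SELECT pw_hash FROM users WHERE user = ?", (user,)).fetchone()
    return row is not None and verify_password(password, row[0])


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    conn = open_db()
    # Constructed inputs: a long passphrase with a non-ASCII symbol, and a
    # Bobby Tables special that a naive INSERT would choke on.
    create_user(conn, "nick", "correct horse battery staple £ 2022")
    create_user(conn, "bobby", "x'); DROP TABLE users; --")
    print("nick ok:", login(conn, "nick", "correct horse battery staple £ 2022"))
    print("bobby ok:", login(conn, "bobby", "x'); DROP TABLE users; --"))
    print("users still present:", user_count(conn))
```

The stored value is always 32 + 1 + 64 characters, so the "10 character CHAR column" theory in this thread cannot apply to a system that hashes; a length cap that low is a sign the plaintext itself is being stored or passed through something with a fixed-width field.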

    3. TeeCee Gold badge

      Re: Something's not right here

      Also worth considering here is that if someone out there did indeed have some "secret sauce" brute forcing method, that's not the whole story.

      How many incorrect attempts are allowed before the account gets locked, captcha'd or at least naughty stepped for a period?

      If anything like that is in place, brute forcing timescales start making geological change look rapid.

  10. Nodrog

    Another issue with VM's password policies is...

    that when you phone VM customer service you have to enter three specified characters from your password on the phone keyboard and repeat that "security check" when you speak to a representative, the problem being that these characters have to be from the password you set when you first opened an account with them regardless of how many times you have changed the password since then.

    You can call them from any phone so if someone knows your original password they can change/cancel your account or services without further checks.

    1. Aristotles slow and dimwitted horse

      Re: Another issue with VM's password policies is...

      I am with VM for broadband, and whilst I have no real love for their CS approach and team, in my experience they do also require additional methods of validating your identity when requesting changes to your products or services. I have phoned up several times in the past and they have asked for further combinations of other information such as last 3 or 4 digits of bank account or phone number, select digits from the account number, last bill date or value etc. amongst others.

      1. Nodrog

        Re: Another issue with VM's password policies is...

        I take it you must have been calling from a non-VM line in which case it's good to know they do ask for further verification in that case. I do now recall that several years ago when the characters I gave weren't a match - I only realised later they were checking against the original one - I was asked for the last bill date and amount.

        I called them last month (to haggle the proposed price increase of 3% down to a 30% discount) and was asked to confirm that the phone I was using was the one associated with the account and then the only other check was the three password characters.

    2. 0x80004005

      Re: Another issue with VM's password policies is...

      You've nailed it, that will be why.

      Probably too complex for ordinary users to have a separate "email password" and "phone password".

      What happens if someone tries to brute-force your account through the phone keypad method? 3 digits x (choice of 0,1,2,3,4,5,6,7,8,9) = 1000 tries. Those odds don't seem too bad?

    3. Doctor Syntax Silver badge

      Re: Another issue with VM's password policies is...

      "these characters have to be from the password you set when you first opened an account"

      This looks as if it might be the source of Nick's problem: his adversary has that password. Did Nick take over an existing installation? It might be that the previous customer is continuing to use the Virgin email address and is using the access the original password gives him to counter Nick's attempts to change the current password.

    4. Ben 47

      Re: Another issue with VM's password policies is...

      The security check password is separate to your online account and email password and is only used during contact verification.

      You are able to change it whenever you want.

  11. Anonymous Coward
    Anonymous Coward

    a hacker who is able to crack a 10-character password used for Virgin or Virginmedia email in less than a day,

    Virgin being penetrated so easily...oh, the irony

    1. Anonymous Coward
      Anonymous Coward

      I wonder if they are going in through the backdoor.

      1. Trigun Silver badge

        "There's alway time for lube!"

        1. Kane Silver badge
          Thumb Up

          "There's alway time for lube!"

          I understood that reference!

  12. Anonymous Coward
    Anonymous Coward

    Problem is there is no standard for pwds, each site has its own rules in terms of minimum length, non-alphanumeric, forced inclusion of upper case and numeric characters and it's a bugger to remember which site has which rules. In some cases the pwd rules are not explicitly given and you only find out after your sign-up is rejected.

    2FA should be enforced everywhere but in nicer ways than the usual trip to the default 2FA (forgotten password link) due to a particular site's decision on what your pwd should contain.

    1. Helcat
      Devil

      There's government guidance/recommendation for password security. The problem is this is UK government (in this instance), not an international guidance as a company outside the UK won't care what the UK recommend.

      Here's a link to it (or, if you'd rather be safe, google UK Cyber Security Password Advice)...

      https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

      1. Arthur the cat Silver badge

        The problem is this is UK government (in this instance), not an international guidance as a company outside the UK won't care what the UK recommend.

        I thought the UK's NCSC recommendations were pretty much aligned with the US's NIST ones?

  13. Mishak Silver badge

    Browser password generators

    The password generator built into Safari often fails on websites with these crazy policies.

    I was on one the other day that agreed that the one that was automatically created was "very strong", but it wouldn't allow it because it was "too long".

    1. TRT Silver badge

      Re: Browser password generators

      As I've indicated before, you can set field validity in HTML5 using a regex expression. This should or could be used to clue OS & other password generators in to the restrictions, but that should really come with a strength meter.

  14. JimmyPage
    Flame

    Once again, why is there no BS/ISO/RFC/IEEE standard for passwords ?

    Because the lack thereof encourages everyone+dog to roll their own - invariably compromised - implementations.

    Even storing passwords as hashes isn't mandated. I still see password resets that are sent in plaintext.

  15. Pascal Monett Silver badge
    Coat

    "we continually invest in our security systems to keep our customers safe online"

    We are currently spending all of our Y2K budget on this question.

  16. Santa from Exeter
    Mushroom

    It's worse than that Jim

    Unless they have changed their internal policies (I very much doubt it) The password is available in plain text to Hell Desk staff.

  17. MiguelC Silver badge
    Facepalm

    "is of utmost importance to us" is newspeak for "we don't give a shit"

    1. Plest Silver badge
      Facepalm

      Or politely..."Thanks for letting us know, we're aware but the CEO has decided he needed a bigger yacht this year to entertain nasty dicatators and Hollywood C-listers, so that IT project to improve security got shelved for next 3 years!"

  18. CJatCTi
    Facepalm

    So leave

    Virgin don't want to be a email provider, you don't like their password policy - so leave.

    If you are a personal customer then Gmail or Outlook.com are for you, if a business then get a domain

    1. Insert sadsack pun here

      Re: So leave

      It's not just the email account- it's the customer service area of the website if they are your ISP. And if you want cable or fibre in the UK, Virgin (spit) are often your only option.

      1. PC Paul

        Re: So leave

        My Virgin login is an email address from my own domain, so is my contact email from them. You can change it in the 'my profile' area - although I'll happily believe the original one (blueyonder for me) is still in there somewhere.

  19. WhoAmI?

    To paraphrase Mr Spock...

    The needs of the moron outweigh the needs of the savvy.

    I've been using the generator in my Keepass installation to create the necessary password to the extent that I don't actually know the root password for my Linux machines. Admittedly, the actual password file storing all my secrets isn't password protected, but that's not what we're discussing here...

  20. I Am Spartacus
    Flame

    Sanity check

    If this password policy is 10 alphanumeric characters, does that include upper and lower case characters and the numerics 1-0? If so that means there are 62 possibilities for each character cell. We have to have a character at the start, so the number of possibilities is

    26 x 62^9 = 7E17.

    which is quite a lot. If you can try 100 Million a second, that works out to around 200+ years.

    Even if we don't allow lowercase characters, and if the first character has to be a letter, that still leaves 36 possibilities for each other character cell. So the number of possibilities is 26 x 36^9 = 2.6E15, which is a sizeable number. Or at 100 Million tries per second, 300 days. Not perfect by any means, but not a day.

    To achieve cracking the password in a day, the cracker would have to do 30,000 Million tries per second. That's only going to be possible with a network of quite beefy computers, and will result in a DDOS attack on Virgin Media. Some may say that they deserve this, I couldn't possibly comment.

    Besides which, modern systems recognise when random attempts are being tried to guess a password and should simply disable the password and text or call the subscriber.

    1. Korev Silver badge
      Pirate

      Re: Sanity check

      You're assuming that people use truly random passwords. I suspect most people will be using ones like Mylovelyd0g or something based on their postcode etc. It wouldn't be hard to order a rainbow table to prioritise weaker passwords.

  21. Anonymous Coward
    Anonymous Coward

    It's okay, Virgin will post (snail-mail) your password to you (I'm not joking!)

    I took over the broadband account at a shared house and when it came to leaving Virgin they claimed they couldn't stop my account as I didn't know the password - it turned out that the account hadn't actually been changed over properly and the previous account holder's master password was still the main one (despite everything else, including passwords for email and accessing the account online, being mine).

    Virgin customer service told me the way to find out the password was to request it was sent via Royal Mail, which they subsequently did. I received a letter which told me the password.

    (I was still in touch with the original account holder, but they had forgotten the password they had used as well. They were really interested in whether I'd get their password and were surprised that I did. It was a password that they didn't use anywhere else).

    1. Doctor Syntax Silver badge

      It would be a reasonable protection against a random stranger closing the account.

      The official communication address for a company is the company secretary at the registered address. Send a letter, preferably recorded delivery telling them you no longer wish to use the account from a given date and will no longer be responsible for paying its bills. Whether they then close it is up to them.

  22. Captain Scarlet Silver badge
    Mushroom

    Hacking

    Sorry but in my book cracking a password is not hacking, its cracking.

    1. werdsmith Silver badge

      Re: Hacking

      Sorry but in my book cracking a password is not hacking, its cracking.

      Another one who feels the need to start a comment with an apology for the rest of it.

      1. Huw L-D

        Re: Hacking

        Canadian?

        1. Captain Scarlet Silver badge

          Re: Hacking

          I'm British, sorry I should have started with "Oi you!"

      2. herman Silver badge

        Re: Hacking

        I beg your pardon, but the OP clearly must be Canadian, eh?

    2. Annihilator
      Unhappy

      Re: Hacking

      I agree, but I think we've lost that argument over time. To the point that the word "literally" literally doesn't mean "literally" anymore.

      1. yetanotheraoc Silver badge

        Re: Hacking

        "literally" literally doesn't mean "literally"

        It does to those who don't know what it means. If you know what I mean. :)

        1. Annihilator

          Re: Hacking

          I literally do, yes.

  23. Anonymous Coward
    Anonymous Coward

    It's had problems in the past with security as well

    They've had problems with actually supplying the product they claim to be supplying as well.

    I work a lot on the move, so I have an internet dongle for mobile internet access. A few weeks ago it just refused to get an internet connection. Windows just reported "No internet". No why, no what, no explanation. Over a frustrating 12 hours I reset the laptop multiple times, I reset the dongle multiple times, I repowered it multiple times, I even factory reset it multiple times.

    Eventually, two days later, when the local library opened, I tried accessing the Virgin Mobile website. Every time I clicked on "dongle" account the screen jerked and jumped to "mobile phone" account. Another 30 minutes eventually found a helpdesk chat function. Eventually got through to a human being and on giving my details they checked my account and then blithely said "oh yes, we terminated that account last week, we don't supply that service any more."

    WWWWWTTTTTFFFFF!!!!????!!!?????

    Did it ever occur to you to actually maybe TELL me you were about to cut me off? And make the *****ing dongle respond with something other than just "no internet sad face"? It's in charge of all internet traffic, as the VERY MINIMUM respond to all accesses with a self-generated HTML page telling me what the problem is. And if the problem is "you need to contact Virgin" LET ME CONNECT TO THE FUCKING VIRGIN WEBSITE!!!!!!!

  24. Skiron
    FAIL

    TP-Link print server

    I bought the above item a few years ago and set it all up with a 12 alphanumeric password, and rebooted. Went back to login and "password incorrect". Eh? Had to reset it and start all over again being extra careful.

    This went on for about 2 hours. Finally I gave up and used a bog standard 8 letter word.

    That worked. Curious, I experimented and finally found out that max length was 10. It accepted my 12 length password but lopped off the last 2 chars!

    1. TRT Silver badge

      Re: TP-Link print server

      Had that one before! It's more common that you would think.

    2. Annihilator

      Re: TP-Link print server

      It's pretty impressive that they can seemingly lop off the characters for the setting of the password, but not for the re-entering of the password.

      Good to see they're clearly not creating software libraries for any of their interfaces.

      1. Martin-R

        Re: TP-Link print server

        Ah I wondered where MetroBank got their password setup code from...

  25. Electronics'R'Us Silver badge
    FAIL

    (In)famous last words

    10 characters is ample enough to keep the password secure. What? In 2019?

    Some years ago (2012 IIRC) the master password generator key for RSA (used in many security dongles for VPN access) was stolen (cracked the server).

    On the Monday after it was revealed, I went to work to find that everyone's login password had been reset whether we were remotely using the VPN or not (reasonable I suppose as someone could potentially have been sniffing around the network).

    The new rules:

    Minimum length = 15 characters

    Must include: upper case, lower case, numbers and special characters.

    My current $CORPORATE login is 16 characters and meets the above requirements.

  26. Eclectic Man Silver badge
    Alert

    Password? What password?

    Direct copy and paste from an email I have just received from an energy supply company:

    "... in the current climate these prices change regularly. You can get a quote and switch tariffs online in just a few taps – you don't even need a password."

    1. Steve Davies 3 Silver badge

      Re: Password? What password?

      I've just had (well at 07:00 today) an email from my leccy supplier informing me that

      "We are sorry to see you go. We have been informed that another supplier is taking over your supply"

      etc etc etc

      But... I only changed my tariff last month and I'm not paying a £150 fine for leaving early.

      Needless to say, the said leccy company knows nothing about this whole thing.

  27. Anonymous Coward
    Anonymous Coward

    Santander

    Santander bank online has a username in numbers, and password uses numbers.... fun. (they call them a "Personal ID" and "Security number")

    I also have some VM mailboxes. One of them got locked the other day. I wonder if it was a similar password forcing?

    I also get annoyed at American websites that refuse a £ in passwords. Specifically a certain "security" company I have to deal with.

  28. Vestas

    In Virgin's defence...

    ...they do actually have higher minimum password standards than most other major UK ISPs.

    For example they do require upper/lowercase characters with at least one number - this is also for the web login on the router and the wifi as well, unlike (last I checked) BT & Sky.

    I'd be more concerned about why the login server is accepting that many incorrect logins from (presumably) the same IP address (even CGNAT) without even rate-limiting login attempts never mind anything else.

    I'm currently on a rolling 30 day contract with them prior to moving somewhere (new build) that has Openreach FTTP and Virgin FTTP. Lots more scope to play them off against each other come renewal time....

  29. mark l 2 Silver badge

    The last time I was with Virgin Media was around 10 years ago, when I switched to another ISP, the day after the switch they disabled access to the email address. So this taught me to never use a ISP provided email again.

    Instead bought a domain name and forward emails sent to my domain to a whatever email provider I want.

    In regards to the owner of this account who says his 10 character password is cracked within a day. This suggests it's either someone at VM who is able to reset the password without the customer's knowing, or his device is compromised and no matter how long the password was it was destined to get found out. As there is no way that someone should be able to crack a 10 character password with upper and lowercase letters plus numbers within such a short time even if VM were allowing 1000s of login attempts per second. Which I assume they don't?

  30. Ian Johnston Silver badge

    Why do email systems allow squillions of failed attempts to log in? Why not lock things up after, say, three?

    1. Emir Al Weeq

      That would allow a crude denial-of-service attack by blasting every known email on that system with three random passwords.

      Better to enforce a delay between attempts. 10 seconds would hamper brute-force but not bother someone trying to remember which password they'd used.

      1. Ian Johnston Silver badge

        I was thinking of three failed attempts => ten minutes before you can try again. Didn't VAX/VMS have something like that?

        1. herman Silver badge

          An evil friend had a problem with users who would forget their passwords while on holiday, requiring lots of password resets after each school holiday. The problem was solved by setting the minimum password length to 64 characters for new passwords. Nobody ever forgot their old passwords and wanted a new one again.
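The exchange above (lock after three failures vs. a delay between attempts, and the denial-of-service an attacker can cause by deliberately tripping a hard lockout) is simulated in the following added example. It is illustrative code, not Virgin Media's or any commenter's; the thresholds (three free failures, a 10 second base delay doubling to a 10 minute cap), the usernames and the IP addresses are constructed for the demo, and the clock is injected so the timing can be stepped by hand.

```python
# Added example: two login-throttling policies driven by a fake clock.
# Illustrative code, not Virgin Media's; every threshold here is an assumption.
from collections import defaultdict
from typing import Callable, Dict, List


class HardLockout:
    """Lock the account after N failures until someone unlocks it. Simple, but
    any stranger who knows the username can lock the real owner out."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked = set()

    def attempt(self, user: str, ok: bool) -> str:
        if user in self.locked:
            return "locked"
        if ok:
            self.failures[user] = 0
            return "success"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return "denied"


class BackoffThrottle:
    """Time-based throttling. After `free` failures, each further failure sets a
    wait of base, 2*base, 4*base ... up to `cap`, tracked per account and,
    separately, per source address. Nothing is ever locked for good, so an
    attacker can only slow the owner down, not shut them out."""

    def __init__(self, now: Callable[[], float], free: int = 3,
                 base: float = 10.0, cap: float = 600.0):
        self.now = now                     # injectable clock (seconds)
        self.free, self.base, self.cap = free, base, cap
        # key -> [consecutive failures, earliest time the next attempt is accepted]
        self.state: Dict[tuple, List[float]] = defaultdict(lambda: [0, 0.0])

    def _delay(self, failures: int) -> float:
        extra = failures - self.free
        return 0.0 if extra <= 0 else min(self.cap, self.base * 2 ** (extra - 1))

    def attempt(self, user: str, source_ip: str, ok: bool) -> str:
        keys = (("user", user), ("ip", source_ip))
        t = self.now()
        if any(t < self.state[k][1] for k in keys):
            return "throttled"             # rejected without even checking the password
        if ok:
            for k in keys:
                self.state[k][0] = 0
            return "success"
        for k in keys:
            st = self.state[k]
            st[0] += 1
            st[1] = t + self._delay(st[0])
        return "denied"

    def wait_remaining(self, user: str, source_ip: str) -> float:
        latest = max(self.state[("user", user)][1], self.state[("ip", source_ip)][1])
        return max(0.0, latest - self.now())


def demo() -> tuple:
    # Scenario 1: an attacker sends three wrong guesses; the genuine owner is locked out.
    hard = HardLockout()
    for _ in range(3):
        hard.attempt("nick", ok=False)
    owner_under_lockout = hard.attempt("nick", ok=True)          # "locked"

    # Scenario 2: same attacker against the throttle; the owner is delayed, not shut out.
    clock = [0.0]
    throttle = BackoffThrottle(now=lambda: clock[0])
    for _ in range(3):
        throttle.attempt("nick", "203.0.113.9", ok=False)        # the three free failures
    throttle.attempt("nick", "203.0.113.9", ok=False)            # fourth: 10 s wait imposed
    throttle.attempt("nick", "203.0.113.9", ok=False)            # inside the wait: "throttled"
    wait = throttle.wait_remaining("nick", "203.0.113.9")        # 10.0
    clock[0] += wait
    owner_under_throttle = throttle.attempt("nick", "198.51.100.7", ok=True)   # "success"
    return owner_under_lockout, owner_under_throttle, wait


if __name__ == "__main__":
    print(demo())
```

The per-account wait still lets an attacker impose a few minutes' delay on the real owner, which is the trade-off the comment alludes to; the per-source wait is what actually stops the bulk guessing, and a second factor is what removes the problem.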

  31. amantrappedincebu

    hashed passwords

    If you can logon with three randomly chosen characters of your password that surely means the password is stored in plain text. Storing just a hashed number is more secure especially if hashed with the user name.

    1. DJO Silver badge

      Re: hashed passwords

      They could store hashes of every 3 letter permutation but I suspect they probably don't.
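The scheme sketched in the reply above (a hash for every 3-position subset instead of the plaintext) is implemented in the following added example, which also works out what such a check costs an attacker who obtains the stored table, and what the phone-keypad entry described earlier in this thread (three characters typed as digits) does to the keyspace. It is illustrative code, not Virgin Media's; the sample password is constructed, and plain salted SHA-256 is used so that the offline search below finishes in seconds. A slow hash would multiply that search time by a constant, not change the conclusion.

```python
# Added example: partial-character verification stored as per-subset hashes,
# and the offline search cost of one subset. Illustrative, not Virgin Media's.
import hashlib
import itertools
import os
import string

ALNUM = string.ascii_letters + string.digits        # 62 symbols
KEYPAD = {c: d for d, letters in {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
                                  "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}.items()
          for c in letters}


def keypad_digit(ch: str) -> str:
    """Phone key a character is typed on; digits map to themselves."""
    return ch if ch.isdigit() else KEYPAD[ch.lower()]


def _subset_hash(salt: bytes, positions: tuple, chars: str) -> str:
    # Bind the hash to the positions as well as the characters, so the same
    # three characters at different positions do not share a hash.
    tag = ",".join(map(str, positions)).encode()
    return hashlib.sha256(salt + tag + b"|" + chars.encode()).hexdigest()


def store_partial_hashes(password: str, k: int = 3) -> dict:
    """One salted hash per k-position subset: C(len, k) entries. The server can
    then check any k requested characters without holding the plaintext."""
    salt = os.urandom(16)
    hashes = {}
    for positions in itertools.combinations(range(len(password)), k):
        chars = "".join(password[p] for p in positions)
        hashes[positions] = _subset_hash(salt, positions, chars)
    return {"salt": salt, "length": len(password), "hashes": hashes}


def verify_partial(record: dict, positions: tuple, chars: str) -> bool:
    return record["hashes"].get(positions) == _subset_hash(record["salt"], positions, chars)


def subset_count(length: int, k: int = 3) -> int:
    """Rows stored for a password of `length` characters (C(length, k))."""
    return sum(1 for _ in itertools.combinations(range(length), k))


def subset_keyspace(k: int = 3, alphabet: str = ALNUM) -> int:
    """Candidates an attacker must hash to recover one subset offline."""
    return len(alphabet) ** k


def keypad_keyspace(k: int = 3) -> int:
    """If the characters are typed on a phone keypad each collapses to a digit."""
    return 10 ** k


def crack_subset(record: dict, positions: tuple, alphabet: str = ALNUM) -> str:
    """Exhaustive offline search of one stored subset: 62^3 = 238,328 hashes."""
    target = record["hashes"][positions]
    for cand in itertools.product(alphabet, repeat=len(positions)):
        chars = "".join(cand)
        if _subset_hash(record["salt"], positions, chars) == target:
            return chars
    raise ValueError("subset not recovered")


if __name__ == "__main__":
    rec = store_partial_hashes("Tr0ub4dor9")          # constructed sample password
    print("rows stored:", subset_count(rec["length"]))
    print("per-subset keyspace:", subset_keyspace(), "keypad:", keypad_keyspace())
    print("recovered chars 2,5,9:", crack_subset(rec, (1, 4, 8)))
```

Every subset is recovered independently in well under a second, and with 120 subsets over 10 positions each position appears in 36 of them, so the whole password comes out of the table almost as readily as if it had been stored in clear; the hashing helps against a casual read by a call agent, not against anyone who copies the table.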

  32. Time Waster

    This comment started out short…

    As far as I can see, there are several explanations for this story, ranging in likelihood:

    1 - an attacker really is capable of performing the almost 1000000000000000 attempts required to guess a random 10 alphanumeric password in a day without being blocked / rate limited as a massive DoS.

    2 - the customer in question’s idea of a random 10 character password is “Password12” and they are simply outraged at their inability to make it the intended “Password123” or “Password1!”.

    3 - the attacker has gained access to Virgin Media’s internal password hashes (or plaintext database), making such a daily brute force at least theoretically possible (albeit at significant expense) but is thankfully only interested in messing with a single customer’s account.

    4 - their machine has been compromised (and no amount of password strength is going to help them). If this device is in fact their phone, this may also render some methods of 2 factor authentication rather weaker than expected.

    5 - they are using a password manager and their mystery attacker has managed to gain access to it.

    6 - someone is simply spoofing their email address in emails to known contacts (phone apps commonly steal these, so I assume lists of known contacts are available for purchase to the well heeled hacker) and this reg reader has mistaken this as full access to their account.

    Regardless of which of these possibilities I think is most likely, if I were in this situation, I’d probably start with leaving ISP email accounts in the 90’s where they belong! Likewise, while I understand some limits being placed on passwords (i.e. length / complexity limitations to help avoid exploitation of vulnerable password verification implementations), 10 alphanumerics is pretty shocking in 2022. Putting aside my personal hatred of any enforced “strength” requirements on passwords (adding an “1!” to the end of a dictionary word does not make it a password appreciably stronger, especially where this is enforced), how hard can it be to simply verify a user isn’t attempting to use a password on any list of compromised credentials and is not a reasonably guessable combination of dictionary words / phrases?

  33. PC Paul

    Long running issue

    Every year or two I get the same "your email may be insecure" message from them telling me to change my email password. The first few times I found the same issue I wrote to them about how terrible it was - even ten years ago that password policy was feeble.

    I just stopped using it for email at all and never read it. I asked them to just disable it but they say they can't. The impression I got was that they just kept the old systems from all their early mergers with Telewest, Blueyonder etc. around and had to use the lowest common denominator across all of them.

    I stuck with virgin cable for ages because it was the only way to get the speed I wanted but now we have a Gb fibre alternative locally I'll be off soon, after about 15 years... it's just got way too expensive and their systems are antiquated.

  34. Jow Blob

    Talk Talk was the same for their Pipex email system. I asked for a reset and they offered me a 5 character password all in lower case.

    With no option to change this on their now very legacy system, I got back to them and they would only offer an 8 character one.

    I had no choice but to slap a forwarder onto it and finally shut the account down.

  35. ozzie252

    Another policy which at first glance makes sense is:

    You cannot use the part before the @ in your password.

    But what if you've registered your super cool domain name and have a single character before the @ eh Microsoft?

  36. Anonymous Coward
    Anonymous Coward

    >> I am having a running battle with a hacker who is able to crack a 10-character password used for Virgin or Virginmedia email in less than a day," Nick complained

    Bollocks.

    Even restricting to only letters, and only lower case, that would mean more than 1,633,878,421 requests a second to their frontend authorisation servers to cover all possibilities.

    1. DJO Silver badge

      You don't have to go through every permutation, for 10 letter passwords, "Aaaaaaaaaa" would be guessed quite quickly.

      But assuming he didn't replace the guessed "Aaaaaaaaaa" with "Aaaaaaaaab" you're right to say a direct brute force attack is improbable. A keylogger or a similar exploit is far more likely.

      1. gotes

        Considering he bothered to complain about the issue, I doubt it's an easily crackable password. I feel that there's some detail missing from the story.

  37. razorfishsl

    more interesting is if the internal systems for VM use the same rules....

    because that could be a massive problem....

  38. Potemkine! Silver badge
    1. DJO Silver badge

      Now that's unfair, customer data is hugely important to them because selling it is a major source of revenue.

  39. Mr Dogshit
    FAIL

    This is Virgin on the ridiculous

  40. RobLang

    They better hurry up and employ "Business Information Security Practitioner" so that they have someone in post they can ignore.

    https://careers.virginmedia.com/apply/business-information-security-practitioner-00026724/

  41. xyz123

    Insecurity by design.

    Deliberately weak passwords, then when (Like equifax before it) Virgin suffers "a breach" (i.e. the top execs sell off all your data for millions) they can blame the password system and throw some admin/programmer under the bus.

    it's been set this way deliberately so any 'investigation' will stop short of asking where those Virgin execs suddenly got those millions of pounds in their bank accounts from.

  42. Binraider Silver badge

    My experience of talking to NTHell is essentially that if it isn't a conversation that follows one of their assumed "scripts" they have nothing they can fit it into.

    A classic example of assuming what a customer wants just a little bit too far.

    Still use them, mostly because of the high speed connection on offer; however I deliberately avoid any and all other services they provide. Router was the first thing to go into dumb modem only mode; and one of my own choice instead plus PiHole.

    1. xyz123

      Actual call I had to VM support:

      Once told them a router hadn't arrived.

      Can you turn it off then on please?

      No, because it never got delivered.

      So you're refusing to go through basic troubleshooting?

      OK I've turned it off then on.

      Did that help?

      No, because the box never arrived

      OK I will send your case to a tier2 agent

  43. 9Rune5
    Trollface

    In theory, theory and practice are the same.

    However, on its website we note that the company says users should "aim for 8 to 12 characters" and use "symbols… or special characters."

    Virgin probably supported longer passwords before they got hacked by a lazy hacker who fine-tuned their settings.

  44. Anonymous Coward
    Anonymous Coward

    It's worse than reported.

    Their call agents can read the password whole in plain text.

    I wouldn't use a Virgin media email account for anything.

    1. Anonymous Coward
      Anonymous Coward

      Yep. Seems to be a common thing with UK ISPs. Plusnet are the same. Perhaps they all use the same shitty software.

  45. steviebuk Silver badge

    Router

    Their routers are just as shit an insecure password wise.

  46. Anonymous Coward
    Anonymous Coward

    Virgin Media security and basic front-line staff training is woeful.

    My dad has a Virgin Mobile SIM linked to a Virgin Media account and was hacked earlier this year.

    The person(s) involved:

    - gained access to his VM email account

    - took control of his phone number (no MFA required apparently).

    Over 50 hours after they took control of his VM accounts, they gained access to his eBay and PayPal via password resets and attempted over £2000 of fraudulent transactions.

    Before the fraudulent transactions occurred he'd spoken to me about email access problems and I instructed him to contact VM immediately.

    Their helpdesk brushed him off and suggested it was a "router issue" and that they would fix it remotely. Then they scheduled an engineer's visit and logged the call as a "connectivity issue" despite clearly being told his credentials no longer worked.

    It took him over a week to actually regain access to his accounts.

    Thankfully the PayPal transactions failed to clear with his bank as he'd never actually completed the setup process.

    VM are simply not qualified to make any announcements about security.

  47. Henry Wertz 1 Gold badge

    Also please thwart brute force attempts

    Also please thwart brute force attempts. The password policy is not good, but an attacker should also not be able to attempt to log in 1000s and 1000s of times. Shouldn't the account lock, or the IP address be blocked or something if there's 1000s of attempts? I mean obviously the answer should be "yes".
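    To make the "lock the account or block the IP" idea concrete, here is an added example (not from the article, any commenter, or Virgin Media) of a sliding-window throttle keyed by both account and source IP; the thresholds, window length and sample attempts are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed thresholds for illustration; they are not Virgin Media's settings.
ACCOUNT_LOCK_AFTER = 10   # failed attempts per account within the window
IP_BLOCK_AFTER = 20       # failed attempts per source IP within the window
WINDOW_SECONDS = 600      # sliding window length in seconds

def _prune(timestamps, now):
    """Drop failures older than the window so counters decay instead of locking forever."""
    while timestamps and now - timestamps[0] > WINDOW_SECONDS:
        timestamps.popleft()

class LoginThrottle:
    """Sliding-window counters of failed logins, keyed by account and by source IP."""
    def __init__(self):
        self.by_account = defaultdict(deque)
        self.by_ip = defaultdict(deque)

    def check(self, account, ip, now):
        """Return 'allow', 'ip_blocked' or 'account_locked' for an attempt at time `now`."""
        _prune(self.by_account[account], now)
        _prune(self.by_ip[ip], now)
        if len(self.by_ip[ip]) >= IP_BLOCK_AFTER:
            return "ip_blocked"
        if len(self.by_account[account]) >= ACCOUNT_LOCK_AFTER:
            return "account_locked"
        return "allow"

    def record_failure(self, account, ip, now):
        self.by_account[account].append(now)
        self.by_ip[ip].append(now)

def replay(events):
    """Feed (time, account, ip, succeeded) attempts through the throttle; one decision per event."""
    throttle, decisions = LoginThrottle(), []
    for now, account, ip, succeeded in events:
        decision = throttle.check(account, ip, now)
        decisions.append(decision)
        if decision == "allow" and not succeeded:
            throttle.record_failure(account, ip, now)
    return decisions

# Constructed sample 1: one IP hammers a mailbox; the owner logging in from elsewhere is locked
# out as well (the cost of per-account lockout) until the window expires at t=700.
HAMMER = [(i, "nick@example.net", "203.0.113.5", False) for i in range(12)]
HAMMER += [(13, "nick@example.net", "198.51.100.9", True), (700, "nick@example.net", "203.0.113.5", False)]
# Constructed sample 2: one IP spreads guesses across many accounts; only the per-IP counter trips.
SPREAD = [(i, f"user{i}@example.net", "203.0.113.7", False) for i in range(25)]
```

    The second sample is why both keys are needed: a per-account counter alone never trips when the guesses are spread thinly, and a per-IP counter alone is defeated by spreading them across addresses.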

  48. Anonymous Coward

    Front Page Old Article

    This is from 26th March but came up on my front page; what is going on?

    Anyway there are many building societies/banks with similar ridiculous policies and Findmypast is far worse.

  49. Anonymous Coward

    email (in)security

    I had an email account that was actually downgraded security-wise...

    They used to allow alphanumeric with upper and lowercase and special chars but later removed the ability to use special chars.

    They also only used encryption at login but then redirected to mail in regular http.

    I called them out on that but they claimed it "didn't support encryption".

    However, after Google's Chrome browser started flagging http sites as insecure, the mail server magically started serving over https (partially) but allowed ads to run from regular http.

    They also stored passwords in plaintext. I know this because they emailed me my old password once instead of resetting it.
