Reg reader rages over Virgin Media's email password policy A Register reader has raised concerns over UK ISP Virgin Media's password policies after discovering he couldn't set a password longer than 10 characters or one that includes non-alphanumeric characters. Our reader Nick told us he was facing repeated attempts to take control of an @virgin.net email account he owns – adding …
It really is laughable that they consider this to be sufficient to secure _any_ system available online, let alone customer email accounts. I dread to think what infrastructure they have behind this that requires it be alphanumeric and can't have the field resized beyond 10 characters....
Exactly!
Ten uppercase/lowercase/digits, using random characters, is *extremely* secure!
I can only guess few people actually bother to work out the number of combinations that gives.
There is no way such a password can be repeatedly cracked in a day or so.
The victim must have something like a keylogger or RAT on their machine that's allowing the cracker to read the password they are entering, for them to get is so quickly.
"26,614,008,303 a second for a whole year" - correct, and totally impossible.
It takes time to try a password, even with an automated system, anything from (I'd estimate) ten milliseconds upwards for the entry, test and response using a remote internet connection.
That means a likely maximum of under ten million attempts per day - and in excess of a hundred million years for the average search time to match a random password.
And does Virgin not even have a lockout period after a number of fails? That slows cracking attempts by orders of magnitude.
Assuming local decryption (so no network latency), security.org estimate that a random 10-digit alphanumeric password would take around 7 months to crack. So I would tend to agree that if it's being cracked in a day there's something else going on.
According to https://d1rytvr7gmk1sx.cloudfront.net/wp-content/uploads/2022/03/Hive-Systems-Password-Table-1-770x346.jpg?x54432 you're looking at 3 days with modern 2022 hardware with local decryption. Given how rubbish Virgin's consumer email passwords are, what's the betting that someone's got access to the database and is cracking the hashes directly?
” According to https://d1rytvr7gmk1sx.cloudfront.net/wp-content/uploads/2022/03/Hive-Systems-Password-Table-1-770x346.jpg?x54432 you're looking at 3 days with modern 2022 hardware with local decryption.“
1) I think I trust security.org over a random JPEG
2) Even assuming the table is correct, it says 3 weeks for a 10-digit alphanumeric pw, not 3 days.
I've actually refused to sign-up on sites that don't offer secure passwords - I use a minimum of 25 characters, with special characters, numbers etc. And I always set 2FA, where possible. And, again, I've started deleting accounts that don't offer 2FA, if those accounts are important.
Heck, even my Windows password, that I type in dozens of times each day is well over 10 digits and includes special characters...
> Does this policy also apply to the custoemr account area? If so this is piss poor.
Nod, I had a second user account for my place set up for me recently so that I could (I hoped) get at the service status page and associated controls while WFH during the pandemic without needing to call the helpline or to have the bill payer's master password. I had thought the initial password had been a lazily-made choice until I tried to set my own and realised the rules were awful.
I was also hoping better warnings of planned outages might become available (earlier grumbling applies) but no such luck!
Yup. I've never been able to get into my account. Coming up on eight years now. Cable's fast and the connection's solid as a rock, so I've rarely needed to, but goddamn. Website's broken, contact forms don't work, email addresses bounce back. Occasionally I phone them up to tell them to put the price down and just leave it at that. I assume there's no way for me to cancel the account and I'm stuck with it till the end.
I agree but you only have to do it once and the longer you leave it the bigger the job gets.
However, there's no problem in running an ISP and non-ISP address side-by-side so get your independent address first and then take as long as you need to register your change of address with whoever needs you want to know your new address.
For extra advantage register your own domain which allows you to switch the MSP if need be. Since ditching my ISP (Nildram which was fine until a series of take-overs left it in Dido-land) I've switched not only ISP twice more but also switched domain registrar/MSP (ending up with Mythic Beasts and see no reason to swap again).
I use iCloud email in conjunction with its custom email DNS feature, meaning I can easily direct emails for someone@somedomain.com to iCloud mail. I already pay £2.49 a month for iCloud storage, so the emails and custom email DNS come at no extra charge. That's nothing, really, considering the whole family can share this feature, and a domain can be registered for around $15 per year.
https://9to5mac.com/2021/09/07/how-to-set-up-an-icloud-mail-custom-email-domain-video/
My logon for Virgin's customer area has never been a Virgin email address. Can't remember exactly when I moved to e-billing (must be 5+ years ago) but I've definitely never been forced to use a Virgin email as a username. Can't comment on Virgin email issues as I've never used it - no idea if I even have one.
Agree though that their password policy is cr4p. Seem to remember having trouble setting a valid password and only finding the 10 char limit after searching around. Also fairly sure I sent them some 'constructive feedback' at the time.
Simple solution. Don't use an ISP-provided email service.
This, every time. I've had various non-technical friends fail to understand this, and then complain when they change ISPs that the old ISP won't let them access "their" email without paying for what was free. As I point out, unless you own the domain ("the bit after the @" for non-techies) it's not your email address, it's someone else's email address that they're letting you use for now with no guarantees for the future.
Having a proper email client that downloads the emails to a local store, probably. You can't do that with these modern webmail interfaces.
With my setup I use a proper client at home (giving me a copy of the emails), and use the webmail client if I - say - have to check my emails at work.
You are correct. In the UK, ISP's have to allow ex-customers access to their ISP email address for...oooh, I think a month or maybe 2 months, after ending the contract. Sorry, can't remember.
Some will happily keep the email trundling along indefinitely, provided you access it every now and again.
I ditched Virgin about 8 months ago, due to excessive wallet gouging and my email address with them is still merrily bumbling along. If only they hadn't marked me down as their personal cash cow, I'd still be with them.
I now have exactly the same level of service with my new provider, at a third of the price that Virgin wanted, with assurances that it will increase by only £2 a month once the introductory offer has finished.
Whoopeeee! no more brinkmanship dealings with retention staff every year.
Exactly this, I've been a Virgin Media customer on and off for over 20 years (and I worked for them for a while too), but I've never used their email service (I mentioned I used to work for them, maybe that's a clue as to why,....) but why would you want to be tied down to your ISP, to keep your email address? With a Mobile, we can port our number if we change supplier, but email, change and you're boned. So I have a selection of Yahoo and Hotmail addresses for various tasks.
I am suffering this ISP email tie in at present. It is right pain in the arse to change all my email contact details. All I wanted to do was get a cheaper deal on basic internet provision, but the email factor has made this difficult. I am trying to migrate everything to Gmail, which is sort of working, but I still have infrequent contacts on the old address. I am not saying the Gmail is the best email provider, but at least I am not tied to my ISP because of email provision.
My former boss came across this email tie in problem with his business ISP account, and transferring contact details was a major pain. Hundreds of customers and suppliers. All I have to deal with is stuff like online news, utility suppliers, various hospital contacts, and so on. I have a text file listing the transfers. It is slow progress. However, there is progress, with much bureaucratic faff, most of it inflicted by ignorant algorithms. Bureaucratic faff is never pleasant, but automating it peculiarly cruel.
You know when you see a policy like that they're storing passwords as plain text. Microsoft are also guilty of password upper limits so are several banks along with specific character subsets.
If you storing passwords: (One way uniquely salted hashes using a slow strong hashing algorithm and compare in constant time) then the only characters that matter are null chars as they cause some hashing algorithms to exit so remove those otherwise don't restrict.
Also every bone in the manager's crotch (that's what I'll break) for deciding to prevent pasting passwords into form fields.
Anyone responsible for setting password policy should be aware that rainbow tables for up to 14 characters are easily available which reduces the pasword crack time for passwords shorter than 14 characters to trivial lengths of time. All the bad guy has to do is get your password hash and boom, he has your password (providing its a password of < 14 characters) - ok it may take a while to find in the table but its much quicker than trying all the possible combinartions against the login.
I expect that in this case the Virgin login page trivially hashes the password and passes it over to the server for storage, so the bad guy in question just has to scan his rainbow table (hence crack times less than a day) and login. Virgin's security mechanisms aren't triggered and our mark gets hacked once more.
Long passwords are best boys and girls - obligatory XKCD
Because knowing the password hash alone isn't useful to the hacker - they still need your actual password to login - hence the other posters comments regarding rainbow tables - which are precomputed tables of corresponding hashes for all possible passwords up to a certain length. I hope I am not woefully misunderstanding your question.
No, it doesn't mean that. It's more like peering through an unfrosted window to see a door's key code written on the wall.
For a long long time, huge numbers of websites accepted a user's login on a form that is used to compute a crappy SQL command. e.g.
"SELECT TOP 1 * FROM [Users] WHERE [User] = ' " + $User + " ' AND password=' " + $Password + " ' "
which, if jbloggs 1234 is entered, maps to a string
SELECT TOP 1 * FROM [Users] WHERE [User] = 'jbloggs' AND password = '1234'
But what happens if someone, instead of typing jbloggs, types ' OR 1=1 ;
A crap website will, from this, construct a SQL command:
SELECT TOP 1 * FROM [Users] WHERE [User] = '' OR 1=1; AND password = '1234'
which will successfully find the first user in its [USERS] table, regardless.
Oops.
Decent websites won't do things this way, and certainly those that engage in penetration testing. But I daresay there are still quite a few around that are exposed to SQL injection of this kind.
and move your email to a provider that takes security at least half serious rather than none at all as VM clearly don't care.
Yes, it can be difficult but it is possible if you take your time.
However, if you are fighting a determined hacker then you have to go for broke.
VM need to be hauled up before the ICO not that they can do anything but any publicity that shames them can't be bad.
Way back in the dark ages, when I first got Cable (and broadband), I set up a Cable and Wireless email address. I never really used it beyond as a login for some websites. Then, a couple of years after NTL took over, I got an email stating that they were migrating the old Cable and Wireless emails over to their system, and, for some reason they never explained, mine would not be migrated.
From what I have read on here (and on several Cable Users forums, one of which I used to moderate), I've not missed much by not having a Virginmedia email address.
It never really bothered me that I lost that email address, but I'm now glad I did.
'"We do advise to use a password between 6-10 characters long, including at least 1 number, 1 capital letter, 1 lower case letter and ensuring that it isn't your surname or first name."'
Depending on the attack type, such rules may or may not be completely irrelevant. They do apply to blind brute forcing. but (apart from the bleeding obvious 'don't use your name') they demonstrate complete failure to understand it. In reality the code space increases very much faster for string length than for symbol set size, so longer is more resistant than 'more complex' (and is also more memorable for the legitimate user - a frequently forgotten but rather important consideration). However the greatest protection against blind brute forcing is limitation of retries, but I practically never see this implemented.
There are actually multiple alternative attack types against which such rules have little or no protective effect. Often the responsibility devolves on the system provider rather than the user - for example against password database exfiltration for offline cracking (the basis for almost all documented password quality analyses).
Password policies do one thing and one thing only: help hackers generate the rainbow tables more easily, well done in handing out they keys to the kingdom. The thing seldom spoken about is common password topologies https://korelogic.com/Resources/Presentations/bsidesavl_pathwell_2014-06.pdf note this is from 2014!
The best password is the one you don't remember
https://xkcd.com/538/
Brute-forcing a ten character random mixed-case alphanumeric password is a non-trivial task, taking months or years, according to the references I just looked at. But even if the hacker can do it considerably faster than that, as some other posters are suggesting, he has to have the hash first. So in order to have a "running battle" with a hacker cracking subsequently changed passwords within a day, the hacker has to have ongoing access to the hashes, which means the problem would have to be a lot bigger than a poor password policy. Now that could be what's happening; a hacker could have managed to access Virgin Media's servers, have ongoing access to password hashes, and be going to the not inconsiderable trouble of cracking and re-cracking this particular guys password, for not-immediately-obvious gain. But does it not seem more plausible that this guy has gotten his machine infected with a RAT or keylogger or whatever, and the hacker is simply seeing every password change?
I think you must be right. 10 character password of upper case, lower case and digits is (26x2+10)^10 = 8E17 possibilities.
There are 86400 seconds in a day so if he is brute forcing it, the attacker must be testing ~ 8E7 / 86400 = 9 trillion passwords per second.
Vaguely plausible (though expensive) using 100s of AWS instances against a weak hash. But completely infeasible over the internet.
It's slightly more than that, as that excludes passwords that might be shorter than 10 characters which the attacker also has to check. But yeah, I had the same thought. Brute forcing a 10 alphanumeric character is definitely a non-trivial task.
Interestingly (depending on your view point...), adding 20 additional special characters only gives you around 16x as many possible passwords (82^10 divided by 62^10). Adding an additional alphanumeric character to the length of the password (taking it to 11) gives you 62x as many passwords (62^11 divided by 62^10).
Length is way more useful than special chars. In this use case, size definitely matters.
Confusingly, (and somewhat ironically) password rules can actually *weaken* the password set. If you insist on "at least one upper, lower, number and special character", you've removed some password possibilities that the brute force attack doesn't need to try anymore. But equally you've stopped a lot of dictionary attacks, so it probably balances out...
There's a guide to password strength that suggests 10 characters, alphanumeric only, will take 7 months to brute force at most.
12 character including alphanumeric and special, is 34,000 years.
Pass Phrases are best as they are easier to remember and, more importantly, LONG. Remembering the pass phrase (or three + random words, miss-spelt and added substitutions as I've been recommending to friends) being important as you're not tempted to Write the damn thing down or use a password locker - which is about as secure as writing the damn thing down in a note book (Seems secure until someone finds it, at which point they have it and you might not).
That this case seems to be a 10 character limit and cracked the same day: That suggests there's something else happening, such as man-in-the-middle, or a compromised machine, or they've got access to a password store. Then they can just get the password from there instead. Or they're using a shorter list of known passwords, or there's a pattern to the password making 'guessing' it that much easier.
Indeed, most hackers won't bother with true brute force: Those can be easily detected (remember that old 'get it wrong x times and you have to wait an hour. Or two?). Rather, they'd like you to believe they are brute forcing, while they sit there and get your new password from your machine, or password store.
This, of course, is why 2fa or MFA is so important these days.
I agree words are a better option but no password manager? You're instantly back to Joe Public using the same 3 word phrase over multple sites. I have around 125 personal site logins, all with distinct min 12+ char passwords, around 10%-15% have 2FA where it's offered. The 2FA is offered by my password locker and the passwords ALL of them, have reminders to be auto-updated every 3 months max. Every day I get a list of "due to expire", I then assess if need the site anymore, request deletion on site if not else get the locker to auto-update the password in a few clicks. Rotating passwords is just one of those 10 min daily tasks in the morning.
Password management is a daily chore that must be done just like the washing clothes, or doing the dishes, etc, if you don't want some wanker from some backwater shithole emptying your bank account in 5 secs flat!
People need to stop making excuses and get used daily/weekly password maint being a chore just like all your other household chores. If not then get off the fricking internet before you lose everything. If it helps people, imagine every hacker has Putin's face laughing, 'cos the bad guys on the internet really couldn't care less about anyone but themselves.
People need to stop making excuses and get used daily/weekly password maint being a chore just like all your other household chores.
Never going to happen, people will just not stand for that. What is really needed is a better internet security process. The password method is just not designed for dozens and dozens of different logins.
What i find unacceptable is that many password managers store your passwords on their systems. This allows you to use multiple systems with a single password manager but then increases the risk of compromise because the passwords are NOT in your control, you have no idea who can access the password data remotely and you have to blindly accept their assurances about how secure they are storing (and transmitting) the password data..
For me a password manager should ONLY store passwords locally and encrypted.
"There's a guide to password strength that suggests 10 characters, alphanumeric only, will take 7 months to brute force at most. 12 character including alphanumeric and special, is 34,000 years."
The requisite equation for code space is character set size to the power of password length. Thus 10 characters, alphanumeric lower case only is approx 3.656e15. Statistically half that number of attempts is needed for a blind brute force attack, so that's roughly 1.8e15 attempts. For 12 characters and a 96 symbol space, it's just over 3e27 attempts. But the attacker will also have to test for all the shorter alternatives and smaller character sets as well, so the average total required attempt count is the sum of all the mathematical code spaces divided by two.
The required time would depend on the speed of your machine, but nobody does blind brute forcing these days. If they do brute force at all (and there are other more efficient ways) they start from the widely publicised obvious password sets, which typically makes it much faster. However, longer passwords are significantly less prevalent in the public sets, so quite apart from the mathematical advantage of greater length they're disproportionally more resistant to discovery.
Yes but considering people remember/reuse their passwords and the sheer number of password leaks reducing that is easy.
You're also assuming its hashed. Considering the password rules I suspect its stored in a db table unencrypted so certain characters don't cause an SQL injection, if it was hashed first it wouldn't matter as the resultant string would only contain characters valid for hexadecimal.
Brute for hash cracking assuming they have the DB is possible with a few GPU's unless the algorithm used is expensive to run on a GPU like say an Argon2D algorithm.
Also worth considering here is that if someone out there did indeed have some "secret sauce" brute forcing method, that's not the whole story.
How many incorrect attempts are allowed before the account gets locked, captcha'd or at least naughty stepped for a period?
If anything like that is in place, brute forcing timescales start making geological change look rapid.
that when you phone VM customer service you have to enter three specified characters from your password on the phone keyboard and repeat that "security check" when you speak to a representative, the problem being that these characters have to be from the password you set when you first opened an account with them regardless of how many times you have changed the password since then.
You can call them from any phone so if someone knows you're original password they can change/cancel your account or services without further checks.
I am with VM for broadband, and whilst I have no real love for their CS approach and team, in my experience they do also require additional methods of validating your identity when requesting changes to your products or services. I have phoned up several times in the past and they have asked for further combinations of other information such as last 3 or 4 digits of bank account or phone number, select digits from the account number, last bill date or value etc. amongst others.
I take it you must have been calling from a non-VM line in which case it's good to know they do ask for further verification in that case. I do now recall that several years ago when the characters I gave weren't a match - I only realised later they were checking against the original one - I was asked for the last bill date and amount.
I called them last month (to haggle the proposed price increase of 3% down to a 30% discount) and was asked to confirm that the phone I was using was the one associated with the account and then the only other check was the three password characters.
You've nailed it, that will be why.
Probably too complex for ordinary users to have a separate "email password" and "phone password".
What happens if someone tries to brute-force your account through the phone keypad method? 3 digits x (choice of 0,1,2,3,4,5,6,7,8,9) = 1000 tries. Those odds don't seem too bad?
"these characters have to be from the password you set when you first opened an account"
This looks as if it might the source of Nick's problem: his adversary has that password. Did Nick take over an existing installation? It might be that the previous customer is continuing to use the Virgin email address and is using the access the original password gives him to counter Nick's attempts to change the current password.
Problem is there is no standard for pwds, each site has its own rules in terms of minimum length, none alpha-numeric, forced inclusion of upper case and numeric characters and its a bugger to remember which site has which rules. In some cases the pwd rules are not explicitly given and you only find out after your sign-up is rejected.
2FA should be enforced everywhere but in nicer ways than the usually trip to the default 2FA (forgotten password link) due to a particular sites decision on what your pwd should contain.
There's government guidance/recommendation for password security. The problem is this is UK government (in this instance), not an international guidance as a company outside the UK won't care what the UK recommend.
Here's a link to it (or, if you'd rather be safe, google UK Cyber Security Password Advice)...
https://www.ncsc.gov.uk/collection/passwords/updating-your-approach
The needs of the moron outweigh the needs of the savvy.
I've been using the generator in my Keepass installation to create the necessary password to the extent that I don't actually know the root password for my Linux machines. Admittedly, the actual password file storing all my secrests isn't password protected, but that's not what we're discussing here...
If this password policy is 10 alphanumeric characters, does that include upper and lower case characters and the numerics 1-0? If so that means that are 62 possibilities for each character cell. We have to have a character at the start, so the number of possibilities is
26 x 62^9 = 7E17.
which is quite a lot. If you can try 100 Million a second, that works out to around 200+ years.
Even if we don't allow lowercase characters, and if the first character has to be a letter, that still leaves 36 possibilities for each other character cell. So the number of possibilities is 26 x 36^9 = 2.6E15, which is a sizeable number. Or at 100 Million tries per second, 300 days. Not perfect by any means, but not a day.
To achieve cracking the password in a day, the cracker would have to do 30,000 Million tries per second. Thats only going to be possible with a network of quite beefy computers, and will result in a DDOS attack on Virgin Media. Some may say that they deserve this, I couldn't possibly comment.
Besides which, modern systems recognise when random attempts are being tried to guess a password and should simple disable the password and text or call the subscriber.
It's okay, Virgin will post (snail-mail) your password to you (I'm not joking!)
I took over the broadband account at a shared house and when it came to leaving Virgin they claimed they couldn't stop my account as I didn't know the password - it turned out that the account hadn't actually be changed over properly and the previous account holders master password was still the main one (despite everything else, including passwords for email and accessing the account online, were mine).
Virgin customer service told me the way to find out the password was to request it was sent via Royal Mail, which they subsequently did. I received a letter which told me the password.
(I was still in touch with the original account holder, but they had forgotten the password they had used as well. They were really interested in whether I'd get their password and were surprised that I did. It was a password that they didn't use anywhere else).
It would be a reasonable protection against a random stranger closing the account.
The official communication address for a company is the company secretary at the registered address. Send a letter, preferably recorded delivery telling them you no longer wish to use the account from a given date and will no longer be responsible for paying its bills. Whether they then close it is up to them.
They've had problems with actually supplying the product they claim to be supplying as well.
I work a lot on the move, so I have an internet dongle for mobile internet access. A few weeks ago it just refused to get an internet connection. Windows just reported "No intenet". No why, no what, no explanation. Over a frustrating 12 hours I reset the laptop multiple times, I reset the dongle multiple times, I repowered it multiple times, I even factory reset it multiple times.
Eventually, two days later, when the local library opened, I tried accessing the Virgin Mobile website. Every time I clicked on "dongle" account the screen jerked and jumped to "mobile phone" account. Another 30 minutes eventually found a helpdesk chat function. Eventually got through to a human being and on giving my details they checked my account and then blithely said "oh yes, we terminated that account last week, we don't supply that service any more."
WWWWWTTTTTFFFFF!!!!????!!!?????
Did it ever occur to you to actually maybe TELL me you were about to cut me off? Any make the *****ing dongle respond with something other than just "no internet sad face"? It's in charge of all internet traffic, aS the VERY MINIMUM respond to all accesses with a self-generated HTML page telling me what the problem is. And if the problem is "you need to contact Virgin" LET ME CONNECT TO THE FUCKING VIRGIN WEBSITE!!!!!!!
I bought the above item a few years ago and set it all up with a 12 alphanumeric password, and rebooted. Went back to loign and "password incorrect". Eh? Had to reset it and start all over again being extra careful.
This went on for about 2 hours. Finally I gave up and used a bog standard 8 letter word.
That worked. Curious, I experimented and finally found out that max length was 10. It accepted my 12 length password but lopped of the last 2 chars!
10 characters is ample enough to keep the password secure. What? In 2019?
Some years ago (2012 IIRC) the master password generator key for RSA (used in many security dongles for VPN access) was stolen (cracked the server).
On the Monday after it was revealed, I went to work to find that everyone's login password had been reset whether we were remotely using the VPN or not (reasonable I suppose as someone could potentially have been sniffing around the network).
The new rules:
Minimum length = 15 characters
Must include: upper case, lower case, numbers and special characters.
My current $CORPORATE login is 16 characters and meets the above requirements.
I've just had (well at 07:00 today) an email from my leccy supplier informing me that
"We are sorry to see you go. We have been informed that another supplier is taking over your supply"
etc etc etc
But... I only changed my tariff last month and I'm not paying a £150 fine for leaving early.
Needless to say, the said leccy company knows nothing about this whole thing.
Santander bank online has a username in numbers, and password uses numbers.... fun. (they call them a "Personal ID" and "Security number")
I also have some VM mailboxes. One of them got locked the other day. I wonder if it was a similar password forcing?
I also get annoyed at American websites that refuse a £ in passwords. Specifically a certain "security" company I have to deal with.
...they do actually have higher minimum password standards than most other major UK ISPs.
For example they do require upper/lowercase characters with at least one number - this is also for the web login on the router and the wifi as well, unlike (last I checked) BT & Sky.
I'd be more concerned about why the login server is accepting that many incorrect logins from (presumably) the same IP address (even CGNAT) without even rate-limiting login attempts never mind anything else.
I'm currently on a rolling 30 day contract with them prior to moving somewhere (new build) that has Openreach FTTP and Virgin FTTP. Lots more scope to play them off against each other come renewal time....
The last time I was with Virgin Media was around 10 years ago, when I switched to another ISP, the day after the switch they disabled access to the email address. So this taught me to never use a ISP provided email again.
Instead bought a domain name and forward emails sent to my domain to a whatever email provider I want.
In regards to the owner of this account who says his 10 character password is cracked within a day. This suggests its either someone at VM who is able to reset the password without the customers knowing, or his device is compromised and no matter how long the password was it was destined to get found out. As there is no way that someone should be able to crack a 10 character password with upper and lowercase letters plus numbers within such a short time even if VM were allowing 1000s of login attempts per second. Which I assume they don't?
An evil friend had a problem with users who would forget their passwords while on holiday, requiring lots of password resets after each school holiday. The problem was solved by setting the minimum password length to 64 characters for new passwords. Nobody ever forgot their old passwords and wanted a new one again.
As far as I can see, there are several explanations for this story, ranging in likelihood:
1 - an attacker really is capable of performing the almost 1000000000000000 attempts required to guess a random 10 alphanumeric password in a day without being blocked / rate limited as a massive DoS.
2 - the customer in question’s idea of a random 10 character password is “Password12” and they are simply outraged at their inability to make it the intended “Password123” or “Password1!”.
3 - the attacker has gained access to Virgin Media’s internal password hashes (or plaintext database), making such a daily brute force at least theoretically possible (albeit at significant expense) but is thankfully only interested in messing with a single customer’s account.
4 - their machine has been compromised (and no amount of password strength is going to help them). If this device is in fact their phone, this may also render some methods of 2 factor authentication rather weaker than expected.
5 - they are using a password manager and their mystery attacker has managed to gain access to it.
6 - someone is simply spoofing their email address in emails to known contacts (phone apps commonly steal these, so I assume lists of known contacts are available for purchase to the well heeled hacker) and this reg reader has mistaken this as full access to their account.
Regardless of which of these possibilities I think is most likely, if I were in this situation, I’d probably start with leaving ISP email accounts in the 90’s where they belong! Likewise, while I understand some limits being placed on passwords (i.e. length / complexity limitations to help avoid exploitation of vulnerable password verification implementations), 10 alpha numerics is pretty shocking in 2022. Putting aside my personal hatred of any enforced “strength” requirements on passwords (adding an “1!” To the end of a dictionary word does not make it a pssword appreciably stronger - especially where this is enforced). How hard can it be to simply verify a user isn’t attempting to use a password on any list of compromised credentials and is not a reasonably guessable combination of dictionary words / phrases)?
Every year or two I get the same "your email may be insecure" message from them telling me to change my email password. The first few times I found the same issue I wrote to them about how terrible it was - even ten years ago that password policy was feeble.
I just stopped using it for email at all and never read it. I asked them to just disable it but they say they can't. The impression I got was that they just kept the old systems from all their early mergers with Telewest, Blueyonder etc. around and had to use the lowest common denominator across all of them.
I stuck with virgin cable for ages because it was the only way to get the speed I wanted but now we have a Gb fibre alternative locally I'll be off soon, after about 15 years... it's just got way too expensive and their systems are antiquated.
Talk Talk was the same for their Pipex email system. I asked for a reset and they offered me a 5 character password all in lower case.
With no option to change this on their now very legacy system, I got back to them and they would only offer an 8 character one.
I had no choice but to slap a forwarder onto it and finally shut the account down.
>> I am having a running battle with a hacker who is able to crack a 10-character password used for Virgin or Virginmedia email in less than a day," Nick complained
Bollocks.
Even restricting to only letters, and only lower case, that would mean more than 1,633,878,421 requests a second to their frontend authorisation servers to cover all possibilities.
You don't have to go through every permutation, for 10 letter passwords, "Aaaaaaaaaa" would be guessed quite quickly.
But assuming he didn't replace the guessed "Aaaaaaaaaa" with "Aaaaaaaaab" you're right to say a direct brute force attack is improbable. A keylogger or a similar exploit is far more likely.
Insecurity by design.
Deliberately weak passwords, then when (Like equifax before it) Virgin suffers "a breach" (i.e. the top execs sell off all your data for millions) they can blame the password system and throw some admin/programmer under the bus.
it's been set this way deliberately so any 'investigation' will stop short of asking where those Virgin execs suddenly got those millions of pounds in their bank accounts from.
My experience of talking to NTHell is essentially that if it isn't a conversation that follows one of their assumed "scripts" they have nothing they can fit it into.
A classic example of assuming what a customer wants just a little bit too far.
Still use them, mostly because of the high speed connection on offer; however I deliberately avoid any and all other services they provide. Router was the first thing to go into dumb modem only mode; and one of my own choice instead plus PiHole.
Actual call I had to VM support:
Once told them a router hadn't arrived.
Can you turn it off then on please?
No, because it never got delivered.
So you're refusing to go through basic troubleshooting?
OK I've turned it off then on.
Did that help?
No, because the box never arrived
OK I will send your case to a tier2 agent
However, on its website we note that the company says users should "aim for 8 to 12 characters" and use "symbols… or special characters."
Virgin probably supported longer passwords before they got hacked by a lazy hacker who fine-tuned their settings.
Virgin Media security and basic front-line staff training is woeful.
My dad has a Virgin Mobile SIM linked to a Virgin Media account and was hacked earlier this year.
The person(s) involved:
- gained access to his VM email account
- took control of his phone number (no MFA required apparently).
Over 50 hours after they took control of his VM accounts, they gained access to his eBay and PayPal via password resets and attempted over £2000 of fraudulent transactions.
Before the fraudulent transactions occurred he'd spoken to me about email access problems and I instructed him to contact VM immediately.
Their helpdesk brushed him off and suggested it was a "router issue" and that they would fix it remotely. Then they scheduled an engineer's visit and logged the the call as a "connectivity issue" despite clearly being told his credentials no longer worked.
It took him over a week to actually re-gain access to his accounts.
Thankfully the PayPal transactions failed to clear with his bank as he'd never actually completed the setup process.
VM are simply not qualified to make any announcements about security.
Also please thwart brute force attempts. The password policy is not good, but an attacker should also not be able to attempt to log in 1000s and 1000s of times. Shouldn't the account lock, or the IP address be blocked or something if there's 1000s of attempts? I mean obviously the answer should be "yes".
I had an email account that was actually downgraded security-wise...
They used to allow alphanumeric with upper and lowercase and special chars but later removed the ability to use special chars.
They also only used encryption at login but then redirected to mail in regular http.
I called them out on that but they claimed it "didn't support encryption".
However, after Google's Chrome browser started flagging http sites as insecure, the mail server magically started serving over https (partially) but allowed ads to run from regular http.
They also stored passwords in plaintext. I know this because they emailed me my old password once instead of resetting it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
