Interesting report on TheRegister today
Apparently some security company decompiled and audited VM's JavaScript code on the login pages. There's a section that not only assesses password strength based on a number of metrics, but also applies a 'bad word' filter to the passwords, not allowing certain words, or words containing certain words.
http://www.theregister.co.uk/2014/09...rom_passwords/ The general consensus for applying any form of word filter to a password input is that the passwords are sent and stored in plaintext, and a CSR seeing a defamatory word might get upset. I tend to agree with this point of view; I can't see any other reason for applying a wordlist filter for 'bad words' on someone's password that should be hashed and stored as a monodirectional hash. Just wondering if anyone here has any comments on this report?
Re: Interesting report on TheRegister today
Link doesn't work, probably censored by the forum software blocking part of the title :P
---------- Post added at 15:07 ---------- Previous post was at 15:05 ----------

Haha - found it. The list of blocked words is interesting to say the least; it does contain a lot of offensive/curse words but also blocks obvious words/phrases such as 'abc123' and 'password'. I do wonder how many are blocked by this forum... Ahem

[Edit] Dammit, what is it with this forum deleting newlines.

---------- Post added at 15:20 ---------- Previous post was at 15:07 ----------

The reasoning behind it is curious though. At first glance it's implying that it is stored in plaintext and it is expected someone may have to read or speak it at some point. However the plaintext bit is not necessarily true. Last time I was with VM, passwords were not case sensitive. And according to various forums, VM CSRs do routinely ask for your password when telephoning. In such a scenario, even if it is hashed, the above system has merit. Say you phone up and they ask you for your password. They may not be able to see your password, but just enter what you say into a verification system that hashes it and compares it to the stored hash. Thus there's good reason to prevent you having a password of 'fart-rapist-pedo-spaz' in case a CSR had to type it in at some point. And the fact that it's done client side implies the server does not see or store a plaintext password. Although I'm pretty sure Telewest have in the past stored plaintext passwords...
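The "verification system" the post above describes (an agent types in what the customer reads out and gets only a match/no-match answer, never the stored plaintext) is straightforward to build once the password is stored as a salted, slow hash. The following is an added illustration written for this thread, not code from Virgin Media or from the audited login page; the weak-password list is constructed from the two entries the thread mentions, and the PBKDF2 parameters are assumptions. It also shows where a blocklist legitimately belongs: rejecting guessable passwords at set-time, which says nothing about how the password is stored.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a weak-password list; the real list the article
# describes is far longer. Note this is a strength check, not a profanity filter.
WEAK_PASSWORDS = {"password", "abc123"}

# Assumed work factor; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def check_strength(password: str) -> None:
    """Reject passwords that are too short or on the weak list.

    This is the only sensible reason to inspect a password's content at all:
    keeping guessable values out. It runs on the server, before hashing.
    """
    if len(password) < 12:
        raise ValueError("password must be at least 12 characters")
    if password.lower() in WEAK_PASSWORDS:
        raise ValueError("password is on the weak-password list")


def set_password(password: str) -> dict:
    """Return the record to store: salt, iteration count and PBKDF2-SHA256 hash.

    The plaintext is not part of the record, so nobody who can read the
    account database (an agent or an attacker) can recover it from here.
    """
    check_strength(password)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive the hash from what was typed and compare in constant time.

    This is the agent-facing check from the post: the attempt is hashed with the
    stored salt and compared to the stored hash; only True/False comes back.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    rec = set_password("correct horse battery")
    print(rec)  # salt/iterations/hash only, no plaintext
    print(verify_password(rec, "correct horse battery"))  # True
    print(verify_password(rec, "wrong guess"))  # False
```

Because the comparison goes through `hmac.compare_digest` and the stored record never contains the plaintext, a "bad word" filter buys the operator nothing on this design; the case-insensitivity the post mentions would, by contrast, have to be implemented by lowercasing before hashing, which shrinks the keyspace an attacker has to search.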
Re: Interesting report on TheRegister today
Passwords are stored in plaintext; the agents can see your password on your account. There is no validation beyond what the agent thinks is "valid". If your password is "passw0rd1" and you tell the agent "It's pass word one", the agent might say that's ok or they might not. They should really be more careful than that, but it's not a guarantee.
Do note however, your "account" password is not necessarily the same as your email password (which is stored properly and cannot be seen by agents, only reset).
Re: Interesting report on TheRegister today
Just to be clear, the article on The Register is talking about the My VM password, not the telephone account password / challenge.
Re: Interesting report on TheRegister today
Ben - correct me if I'm wrong (it's been a while since I signed up to VM), but when you sign up for a new account, it asks for a username/password - isn't that the same password that's used on both MyVM and for the account challenge? They can be changed independently afterwards, but during that first signup I am vaguely sure it only asks you for one password.
Re: Interesting report on TheRegister today
If you dislike the avatar that much you can just hide or block it.
Re: Interesting report on TheRegister today
Back when myVM was overhauled a few of us raised concerns about the password requirements; they do seem pretty weird and some of them are hardly best practice when it comes to security.
Re: Interesting report on TheRegister today
I hate restrictive password rules. Some are sensible, but if too strict either people will write them down or you end up with lots of calls about password issues. This is especially true where password changes are enforced.
I use LastPass to generate passwords for lots of sites (not banking, no connection for these) so I don't know what they are, just a random set of letters, numbers, symbols. Other tools also offer the same sort of function.
Re: Interesting report on TheRegister today
I also use LastPass, absolutely love it. Made out like a bandit recently with their 12 month + 6 month subscription giveaway, before they nuked it.
Still, would highly recommend it; the free version is brilliant.
Re: Interesting report on TheRegister today
Although passwords first entered onto websites are done so in plain text, they are normally stored on the site (nowadays) in 256Mb encryption. Quas will most likely confirm. I am still trying to figure out the reason for the original post?
Re: Interesting report on TheRegister today
Yup, My VM is a single sign-on, so it can cover quite a few services including Email, Billing, TV Anywhere, the Sky apps/website and Snapfish.
Re: Interesting report on TheRegister today
Ooooops General. 256-bit encryption is quite correct. I think we are crosswise on the thread.
If you phone VM, the only password they will ask you for is the one you set up with them once you had gone through all the other security checks on ringing in, to make it easier for you.
All Posts and Content are © Cable Forum