Cable Forum


Milambar 01-09-2014 15:12

Interesting report on TheRegister today
 
Apparently some security company decompiled and audited VM's JavaScript code on the login pages. There's a section that not only assesses password strength based on a number of metrics, but also applies a 'bad word' filter to the passwords, not allowing certain words, or words containing certain words.

http://www.theregister.co.uk/2014/09...rom_passwords/

The general consensus for applying any form of word filter to a password input is that the passwords are sent and stored in plaintext, and a CSR seeing a defamatory word might get upset.

I tend to agree with this point of view. I can't see any other reason for applying a wordlist filter for 'bad words' to someone's password that should be hashed and stored as a monodirectional hash.

Just wondering if anyone here has any comments on this report?

qasdfdsaq 01-09-2014 16:20

Re: Interesting report on TheRegister today
 
Link doesn't work, probably censored by the forum software blocking part of the title :P
---------- Post added at 15:07 ---------- Previous post was at 15:05 ----------

Haha - found it. The list of blocked words is interesting to say the least, it does contain a lot of offensive/curse words but also blocks obvious words/phrases such as 'abc123' and 'password'

I do wonder how many are blocked by this forum...

Ahem [Edit] Dammit what is it with this forum deleting newlines.

---------- Post added at 15:20 ---------- Previous post was at 15:07 ----------

The reasoning behind it is curious though. At first glance it's implying that it is stored in plaintext and is expected someone may have to read or speak it at some point.

However, the plaintext bit is not necessarily true. Last time I was with VM, passwords were not case sensitive. And according to various forums, VM CSRs do routinely ask for your password when telephoning.

In such a scenario, even if it is hashed the above system has merit. Say you phone up and they ask you for your password. They may not be able to see your password, but just enter what you say into a verification system that hashes it and compares it to the stored hash. Thus there's good reason to prevent you having a password of 'fart-rapist-pedo-spaz' in case CSR had to type it in at some point.

And the fact that it's done client side implies the server does not see or store a plaintext password. Although I'm pretty sure Telewest have in the past stored plaintext passwords...

Kushan 01-09-2014 17:02

Re: Interesting report on TheRegister today
 
Passwords are stored in plaintext, the agents can see your password on your account. There is no validation beyond what the agent thinks is "valid". If your password is "passw0rd1" and you tell the agent "It's pass word one", the agent might say that's ok or they might not. They should really be more careful than that but it's not a guarantee.

Do note, however, that your "account" password is not necessarily the same as your email password (which is stored properly and cannot be seen by agents, only reset).

BenMcr 01-09-2014 17:06

Re: Interesting report on TheRegister today
 
Just to be clear, the article on The Register is talking about the My VM password, not the telephone account password / challenge.

Kushan 01-09-2014 17:26

Re: Interesting report on TheRegister today
 
Ben - correct me if I'm wrong (it's been a while since I signed up to VM), but when you sign up for a new account, it asks for a username/password - isn't that the same password that's used on both MyVM and for the account challenge? They can be changed independently afterwards, but during that first signup I am vaguely sure it only asks you for one password.

BenMcr 01-09-2014 17:34

Re: Interesting report on TheRegister today
 
Quote:

Originally Posted by Kushan (Post 35725808)
but when you sign up for a new account, it asks for a username/password - isn't that the same password that's used on both MyVM and for the account challenge?

No, they aren't the same - it asks for the account challenge when you sign up for services on the sales website, but the My VM account isn't created until you either activate broadband (where it's generally required) or choose to do so if you just have TV and / or Telco.

DOT COTTON 01-09-2014 18:11

Re: Interesting report on TheRegister today
 
Quote:

Originally Posted by Kushan (Post 35725808)
Ben - correct me if I'm wrong (it's been a while since I signed up to VM), but when you sign up for a new account, it asks for a username/password - isn't that the same password that's used on both MyVM and for the account challenge? They can be changed independently afterwards, but during that first signup I am vaguely sure it only asks you for one password.

Could you please change that jumping cat, it's bringing on one of me migraines

D

qasdfdsaq 01-09-2014 18:37

Re: Interesting report on TheRegister today
 
Quote:

Originally Posted by DOT COTTON (Post 35725817)
Could you please change that jumping cat, it's bringing on one of me migraines D

But it's a core part of what makes Kushan himself. Changing it would be like changing his entire personality. Please don't.

If you dislike the avatar that much you can just hide or block it.

Kushan 01-09-2014 20:43

Re: Interesting report on TheRegister today
 
Quote:

Originally Posted by BenMcr (Post 35725809)
No, they aren't the same - it asks for the account challenge when you sign up for services on the sales website, but the My VM account isn't created until you either activate broadband (where it's generally required) or choose to do so if you just have TV and / or Telco.

Ahh, either it has changed since they revamped the site a few years ago (would have signed up in about 2008) or I'm just not remembering it correctly, but I do remember thinking that it was odd that the agents could see my password that I used for some things (and don't worry, I've since changed said password and use a password manager these days).

Quote:

Originally Posted by DOT COTTON (Post 35725817)
Could you please change that jumping cat, it's bringing on one of me migraines

D

The last time I tried changing the cat, it clawed my face off. Never again.

DOT COTTON 01-09-2014 21:20

Re: Interesting report on TheRegister today
 
Quote:

Originally Posted by Kushan (Post 35725855)
The last time I tried changing the cat, it clawed my face off. Never again.

Oh I say!

tweetiepooh 01-09-2014 22:31

Re: Interesting report on TheRegister today
 
Quote:

Originally Posted by Kushan (Post 35725855)
The last time I tried changing the cat, it clawed my face off. Never again.

Just show him this if he disagrees.

Skie 01-09-2014 22:39

Re: Interesting report on TheRegister today
 
Back when myVM was overhauled a few of us raised concerns about the password requirements; they do seem pretty weird and some of them are hardly best practice when it comes to security.

tweetiepooh 02-09-2014 14:29

Re: Interesting report on TheRegister today
 
I hate restrictive password rules. Some are sensible, but if they are too strict either people will write them down or you end up with lots of calls about password issues. This is especially true where password changes are enforced.

I use LastPass to generate passwords for lots of sites (not banking, no connection for these) so I don't know what they are, just a random set of letters, numbers, symbols. Other tools also offer the same sort of function.

Kushan 02-09-2014 14:32

Re: Interesting report on TheRegister today
 
I also use LastPass, absolutely love it. Made out like a bandit recently with their 12-month + 6-month subscription giveaway, before they nuked it.

Still, would highly recommend it, the free version is brilliant.

pip08456 02-09-2014 14:55

Re: Interesting report on TheRegister today
 
Quote:

Originally Posted by Kushan (Post 35726011)
I also use LastPass, absolutely love it. Made out like a bandit recently with their 12-month + 6-month subscription giveaway, before they nuked it.

Still, would highly recommend it, the free version is brilliant.

Kush, I highly agree with you, LastPass is brilliant. Going on what was said further up, Ben is correct: the password you set up with customer services is totally different to your MyVirgin account, IIRC you set it up after going through the security checks that you may have been used to.

Although passwords first entered onto websites are done so in plain text, they are normally stored on the site (nowadays) in 256Mb encryption. Quas will most likely confirm.

I am still trying to figure out the reason for the original post?
