Interesting report on TheRegister today
01-09-2014, 15:12 | #1
Inactive
Join Date: Jan 2008
Posts: 954
Interesting report on TheRegister today
Apparently some security company decompiled and audited VM's JavaScript code on the login pages. There's a section that not only assesses password strength based on a number of metrics, but also applies a 'bad word' filter to the passwords, not allowing certain words, or words containing certain words.
http://www.theregister.co.uk/2014/09...rom_passwords/
The general consensus for applying any form of word filter to a password input is that the passwords are sent and stored in plaintext, and a CSR seeing a defamatory word might get upset.
I tend to agree with this point of view; I can't see any other reason for applying a wordlist filter for 'bad words' to someone's password, which should be hashed and stored as a one-way hash.
Just wondering if anyone here has any comments on this report?
01-09-2014, 16:20 | #2
cf.mega poster
Join Date: Aug 2004
Posts: 11,207
Re: Interesting report on TheRegister today
Link doesn't work, probably censored by the forum software blocking part of the title :P
---------- Post added at 15:07 ---------- Previous post was at 15:05 ----------
Haha - found it. The list of blocked words is interesting to say the least, it does contain a lot of offensive/curse words but also blocks obvious words/phrases such as 'abc123' and 'password'
I do wonder how many are blocked by this forum...
Ahem. [Edit] Dammit, what is it with this forum deleting newlines?
---------- Post added at 15:20 ---------- Previous post was at 15:07 ----------
The reasoning behind it is curious though. At first glance it's implying that it is stored in plaintext and it is expected that someone may have to read or speak it at some point.
However, the plaintext bit is not necessarily true. Last time I was with VM, passwords were not case sensitive. And according to various forums, VM CSRs do routinely ask for your password when telephoning.
In such a scenario, even if it is hashed the above system has merit. Say you phone up and they ask you for your password. They may not be able to see your password, but just enter what you say into a verification system that hashes it and compares it to the stored hash. Thus there's good reason to prevent you having a password of 'fart-rapist-pedo-spaz' in case a CSR had to type it in at some point.
And the fact that it's done client side implies the server does not see or store a plaintext password. Although I'm pretty sure Telewest have in the past stored plaintext passwords...
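A worked version of the flow discussed above (a 'bad word' policy applied when the password is set, then phone verification that only ever hashes what the CSR types and compares it to the stored hash), as an added example that is not part of the original post or any Virgin Media code; the blocklist, PBKDF2 work factor and record format are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample blocklist, in the spirit of the list the article describes
# (it rejects obvious strings such as 'password' and 'abc123' as well as curse words).
BLOCKED_WORDS = ("password", "abc123", "qwerty", "letmein")

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; an assumed value, not VM's


def blocked_term(password: str) -> Optional[str]:
    """Return the blocklist entry found inside the password, or None if clean.
    The match is a case-insensitive substring test, so 'MyPassword1!' is rejected
    too ('words containing certain words', as the article puts it)."""
    lowered = password.lower()
    for word in BLOCKED_WORDS:
        if word in lowered:
            return word
    return None


def set_password(password: str, salt: Optional[bytes] = None) -> str:
    """Apply the policy at set time, then keep only a salted one-way hash.
    Nothing stored here lets an agent read the password back later."""
    term = blocked_term(password)
    if term is not None:
        raise ValueError(f"password contains blocked term: {term}")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """What a CSR's verification tool does with a password read out over the
    phone: hash the typed value with the stored salt and compare digests.
    A constant-time comparison avoids leaking how much of the hash matched."""
    _, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Because the hash is case sensitive, the second verify below fails; a system that lowercases before hashing (as the post says VM once did) would accept it and lose that entropy.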
01-09-2014, 17:02 | #3
cf.mega poster
Join Date: Dec 2010
Location: Warrington
Posts: 4,737
Re: Interesting report on TheRegister today
Passwords are stored in plaintext, the agents can see your password on your account. There is no validation beyond what the agent thinks is "valid". If your password is "passw0rd1" and you tell the agent "It's pass word one", the agent might say that's ok or they might not. They should really be more careful than that but it's not a guarantee.
Do note, however, your "account" password is not necessarily the same as your email password (which is stored properly and cannot be seen by agents, only reset).
01-09-2014, 17:06 | #4
Inactive
Join Date: Nov 2006
Location: Manchester
Services: 360 x2, Maxit TV, Sky Sports and Sky Cinema. Gig1
Posts: 17,929
Re: Interesting report on TheRegister today
Just to be clear, the article on The Register is talking about the My VM password, not the telephone account password / challenge.
01-09-2014, 17:26 | #5
cf.mega poster
Join Date: Dec 2010
Location: Warrington
Posts: 4,737
Re: Interesting report on TheRegister today
Ben - correct me if I'm wrong (it's been a while since I signed up to VM), but when you sign up for a new account, it asks for a username/password - isn't that the same password that's used on both MyVM and for the account challenge? They can be changed independently afterwards, but during that first signup I am vaguely sure it only asks you for one password.
01-09-2014, 17:34 | #6
Inactive
Join Date: Nov 2006
Location: Manchester
Services: 360 x2, Maxit TV, Sky Sports and Sky Cinema. Gig1
Posts: 17,929
Re: Interesting report on TheRegister today
Quote:
Originally Posted by Kushan
but when you sign up for a new account, it asks for a username/password - isn't that the same password that's used on both MyVM and for the account challenge?
No, they aren't the same - it asks for the account challenge when you sign up for services on the sales website, but the My VM account isn't created until you either activate broadband (where it's generally required) or choose to do so if you just have TV and / or Telco.
01-09-2014, 18:11 | #7
Permanently Banned
Join Date: Aug 2014
Location: albert square
Services: XL TIVO XL PHONE 152MB BB
Posts: 109
Re: Interesting report on TheRegister today
Quote:
Originally Posted by Kushan
Ben - correct me if I'm wrong (it's been a while since I signed up to VM), but when you sign up for a new account, it asks for a username/password - isn't that the same password that's used on both MyVM and for the account challenge? They can be changed independently afterwards, but during that first signup I am vaguely sure it only asks you for one password.
Could you please change that jumping cat, it's bringing on one of me migraines
D
01-09-2014, 18:37 | #8
cf.mega poster
Join Date: Aug 2004
Posts: 11,207
Re: Interesting report on TheRegister today
Quote:
Originally Posted by DOT COTTON
Could you please change that jumping cat, it's bringing on one of me migraines D
But it's a core part of what makes Kushan himself. Changing it would be like changing his entire personality. Please don't.
If you dislike the avatar that much you can just hide or block it.
01-09-2014, 20:43 | #9
cf.mega poster
Join Date: Dec 2010
Location: Warrington
Posts: 4,737
Re: Interesting report on TheRegister today
Quote:
Originally Posted by BenMcr
No, they aren't the same - it asks for the account challenge when you sign up for services on the sales website, but the My VM account isn't created until you either activate broadband (where it's generally required) or choose to do so if you just have TV and / or Telco.
Ahh, either it has changed since they revamped the site a few years ago (would have signed up in about 2008) or I'm just not remembering it correctly, but I do remember thinking that it was odd that the agents could see my password that I used for some things (and don't worry, I've since changed said password and use a password manager these days).
Quote:
Originally Posted by DOT COTTON
Could you please change that jumping cat, it's bringing on one of me migraines
D
The last time I tried changing the cat, it clawed my face off. Never again.
01-09-2014, 21:20 | #10
Permanently Banned
Join Date: Aug 2014
Location: albert square
Services: XL TIVO XL PHONE 152MB BB
Posts: 109
Re: Interesting report on TheRegister today
Quote:
Originally Posted by Kushan
The last time I tried changing the cat, it clawed my face off. Never again.
Oh I say!
01-09-2014, 22:31 | #11
Virgin Media Employee
Join Date: Sep 2005
Location: Winchester
Services: Staff MyRates
BB: VM 1Gb
TV: VM XL
Phone: VM XL
Posts: 3,344
Re: Interesting report on TheRegister today
Quote:
Originally Posted by Kushan
The last time I tried changing the cat, it clawed my face off. Never again.
Just show him this if he disagrees.
__________________
I work for VMO2 but reply here in my own right. Any help or advice is made on a best-effort basis. No comments construe any obligation on VMO2 or its employees.
01-09-2014, 22:39 | #12
a giant headend
Join Date: Jan 2011
Location: Liverpool
Posts: 1,169
Re: Interesting report on TheRegister today
Back when myVM was overhauled a few of us raised concerns about the password requirements; they do seem pretty weird, and some of them are hardly best practice when it comes to security.
02-09-2014, 14:29 | #13
Virgin Media Employee
Join Date: Sep 2005
Location: Winchester
Services: Staff MyRates
BB: VM 1Gb
TV: VM XL
Phone: VM XL
Posts: 3,344
Re: Interesting report on TheRegister today
I hate restrictive password rules; some are sensible, but if too strict, either people will write them down or you end up with lots of calls about password issues. This is especially true where password changes are enforced.
I use LastPass to generate passwords for lots of sites (not banking, no connection for these) so I don't know what they are, just a random set of letters, numbers and symbols. Other tools also offer the same sort of function.
__________________
I work for VMO2 but reply here in my own right. Any help or advice is made on a best-effort basis. No comments construe any obligation on VMO2 or its employees.
02-09-2014, 14:32 | #14
cf.mega poster
Join Date: Dec 2010
Location: Warrington
Posts: 4,737
Re: Interesting report on TheRegister today
I also use LastPass, absolutely love it. Made out like a bandit recently with their 12-month + 6-month subscription giveaway, before they nuked it.
Still, would highly recommend it, the free version is brilliant.
02-09-2014, 14:55 | #15
Sad Doig Fan!
Join Date: Aug 2007
Location: Barry South Wales
Age: 69
Services: With VM for BB 250Mb service.(Deal)
Posts: 11,838
Re: Interesting report on TheRegister today
Quote:
Originally Posted by Kushan
I also use LastPass, absolutely love it. Made out like a bandit recently with their 12-month + 6-month subscription giveaway, before they nuked it.
Still, would highly recommend it, the free version is brilliant.
Kush, I highly agree with you, LastPass is brilliant. Going on what was said further up, Ben is correct: the password you set up with customer services is totally different to your MyVirgin account; IIRC you set it up after going through the security checks that you may have been used to.
Although passwords first entered onto websites are done so in plain text, they are normally stored on the site (nowadays) in 256Mb encryption. Quas will most likely confirm.
I am still trying to figure out the reason for the original post?