Virgin Media blocks 'wankers' from permissible passwords

Virgin Media likes its fun-and-slightly-naughty image, but not, it seems, in its passwords. El Reg hadn't noticed until someone brought it to our attention, but the JavaScript plug-in the company uses for assessing password strength also censors passwords on the way in. Virgin's version of the plug-in is a 2009 update to the …

Anonymous Coward

If you are using offensive passwords to describe the service

perhaps you are better off not using the service at all !

1
8
Trollface

Re: If you are using offensive passwords to describe the service

I use the common euphemism for 'Wankers' for my account.....'R1cHaRdBrAn50n'.

1
4
Anonymous Coward

Re: If you are using offensive passwords to describe the service

How about this for a password on Virgin.....

Hymen.

4
0

Re: If you are using offensive passwords to describe the service

If you use it once, will it break?

My favourite password story comes from the very first network install I was involved with, about 25 years ago. Netware v2, and so wonderfully secure that when the admin changed the supervisor password to "fuckme", it did: it accepted the password change, then wouldn't let him log in again. He ended up nuking the install and starting again from scratch.

2
0
Anonymous Coward

Re: If you are using offensive passwords to describe the service

How about this for a password on Virgin.....

Hymen.

That's actually an OTP.

OK, I'll go and hide now.

8
0
Pint

Re: If you are using offensive passwords to describe the service

Roger's got you all sorted....

P.

0
0

finian

I've searched the deepest, darkest parts of the internet, and I still can't fathom why "finian" is blocked. Could be a misspelling of the Irish insult "fenian", but the original spelling isn't on the list, so I'm stumped.

As for blocking any passwords that contain those strings? I can only imagine the confusion caused by some of the shorter ones on that list. I can't use Gr33nigl00 for example.

Block lists aren't exactly a new thing; the more heinous crime is that Virgin constrain the password length to 8-10 characters.

13
0

"the more heinous crime is that Virgin constrain the password length to 8-10 characters."

Yes, but that's only part of the problem - worse is that they don't allow anything except numbers and letters. El Reg, can you "bite their hand" about this please?

12
0

Re: "the more heinous crime is that Virgin constrain the password length to 8-10 characters."

This is where it started...

http://ramblingrant.co.uk/virgin-media-youre-only-as-secure-as-your-weakest-link/

1
0

Re: finian

"the more heinous crime is that Virgin constrain the password length to 8-10 characters."

Which means they're probably not hashing them /o\

0
0
Silver badge

Re: finian

"I've searched the deepest, darkest parts of the internet, and I still can't fathom why "finian" is blocked. Could be a misspelling of the Irish insult "fenian", but the original spelling isn't on the list, so I'm stumped."

Whoever added that to the list is probably confusing it with fenian.

I say "confusing it with" because fenian is not itself on the list, so not only are they applying censorship to something nobody other than the person using the password should ever see anyway, but in this case they are censoring the wrong word. (For that matter, is Finian not a perfectly valid name? I'm sure I knew someone called that when I was a kid - if not that, it was very close!)

0
0
WTF?

Re: finian

Must be a reference to Finian's Rainbow. Anything with Fred Astaire & Petula Clark as 'Irish' pursued by leprechauns

0
0
Anonymous Coward

Re: finian

> Could be a misspelling of the Irish insult "fenian", but the original spelling isn't on the list, so I'm stumped.

Well, the fact that the correctly spelled version is *not* on the list should strengthen your hypothesis of a misspelling.

0
0
Happy

Oo-er missus...

I wonder if Scunthorpe is acceptable as a password.

3
0
Anonymous Coward

Re: Oo-er missus...

I wonder if Scunthorpe is acceptable as a password.

On the plus side, nobody can use "arsenal" :)

2
0
Silver badge

Re: Oo-er missus...

How would Nipissing fare ... and they even have a University

0
0
Silver badge

Bollocks won't be allowed on many systems

simply because they have a rule that blocks the 'll' in this word. Two consecutive identical characters is a big no-no in many an AD setup.

Rather silly really because the hackers would have a better chance of getting a password hit because of this rule.

Anyone with even an elementary understanding of Cryptography would know this.

**

One of the flaws with the German Enigma machine was that no letter/number could be encrypted as itself. Not allowing 'll' is a mistake of the same order IMHO.

13
0
Anonymous Coward

Re: Bollocks won't be allowed on many systems

Really the Welsh should be in there complaining about discrimination, because ll is an actual letter in Welsh.

You are right about the cryptographic flaw in the Enigma; the second biggest flaw in the system was that the German high command put too much trust in their machines so, faced with an apparent leak of information, they went hunting for spies rather than looking to see if the machine could be hacked.

4
0

Re: Bollocks won't be allowed on many systems

But on reading the list in the link, I see "bolox" is on the banned list, as is "bollox".

So there is more to it than the double l.

Missing from the list is "bolocks", strangely enough.

1
0

Bollock, Bollocks

Sloppy javascript at it's finest.

If the list includes the word "bollock" and the regex match excludes all words containing the term, there is no need to include the word "bollocks", since it is excluded by default. Same for all variations of "f*ck", and "clit".

The list also appears to be taken from an American script, because of the spelling of words such as "pedo".

Come on Virgin, get yourself some proper developers! - or, pass this on to your webdev agency.

1
0
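As an added example (not Virgin's plug-in, nor code from anyone in this thread), a substring blocklist in JavaScript that shows the point made here and in the Scunthorpe/arsenal/Nipissing comments above: once "bollock" is an entry, "bollocks" can never change the outcome, and matching fragments anywhere in the string rejects ordinary place names. The list itself is constructed for the demo.

```javascript
// Constructed sample list: short fragments plus entries made redundant by them.
const BLOCKLIST = ["wanker", "bollock", "bollocks", "bollox", "cock", "arse",
                   "cunt", "clit", "piss", "finian"];

// Substring check as the thread describes it: any entry found anywhere in the
// candidate rejects it, with no regard for word boundaries. Returns every
// entry that fired, so redundant entries show up as multiple hits.
function blockedBy(password, list = BLOCKLIST) {
  const lower = password.toLowerCase();
  return list.filter((w) => lower.includes(w));
}

// Remove entries that already contain a shorter entry: the result rejects
// exactly the same set of inputs as the original list.
function pruneRedundant(list) {
  const byLength = [...list].sort((a, b) => a.length - b.length);
  const kept = [];
  for (const w of byLength) {
    if (!kept.some((k) => w.includes(k))) kept.push(w);
  }
  return kept;
}

// Over-blocking: legitimate words tripped by a fragment inside them.
function overBlocked(words, list = BLOCKLIST) {
  return words.filter((w) => blockedBy(w, list).length > 0);
}
```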
Silver badge

Re: Bollock, Bollocks

> The list also appears to be taken from an American script

As is usually the case with lists of "popular" passwords.

ISTM the simplest way to obtain an uncrackable password is just to use a non-english (or non-american) word. And if you can get some non-ASCII into it, you're gÖlden.

I'm pretty sure the same applies to "bad word" filters, too.

2
0
Headmaster

Re: Bollock, Bollocks

"Sloppy javascript at it's finest."

Sloppy punctuation at its finest :)

14
1
Silver badge

Re: uncrackable password

I've used Welsh passwords for years and never had any problems.

1
0
Silver badge

Re: Bollock, Bollocks

"Sloppy javascript at it's finest."

I'd imagine the java coder and the management type who compiled the list are 2 different people

0
0
Silver badge

Re: uncrackable password

Such as ilovemysheep?

1
0
Silver badge

Re: uncrackable password

Such as ilovemysheep?

And then the Saes eat them.

0
0
Silver badge
Pint

Re: uncrackable password

V1.0: Welsh...

You could probably use "cyfrinair" and get away with it.

0
0
Anonymous Coward

Re: uncrackable password

> I've used Welsh passwords for years and never had any problems.

How did you ever manage to type them twice the same way?

1
0

Re: Bollocks won't be allowed on many systems

@Arnaut the less

"the German high command put too much trust in their machines"

You mean there are still people around who do not learn from history!!!

Nothing has changed, has it.

0
0
Anonymous Coward

It's not just swear words. At a company I used to work at... (I think it's the arm of a company that does disability tests) they suddenly added permanent filters to all corporate laptops, which a lot of us used in the evenings when in our hotels to watch YouTube and check email on Gmail etc.

The following sites were blocked

Facebook

Twitter

Youtube

Linked In

Gmail

AOL

Yahoo

And the interesting thing is that even when not on the VPN they were blocked with the message

Access Denied - Access only for Top Management.

0
0
Anonymous Coward

"at a company I used to work at"

Clearly a company that thought, and with good reason, that it might have less than happy employees, and was trying to prevent them from using anything that might help them get another job.

0
0

PC gone mad

"I think it's the arm of a company that does disability tests"

Is "arm" really the best word to use in same sentence as doing "disability tests"? Or is that why it's a company you used to work at?

0
0
Anonymous Coward

Re: "at a company i used to work at"

Clearly a company that thought, and with good reason, that it might have less than happy employees, and was trying to prevent them from using anything that might help them get another job.

... or maybe a company that has an obligation to keep information confidential, and thus limits access on work systems to resources that help rather than hinder.

A company is not always evil because it stops you from doing something stupid that could cost you your job. The really clever ones have internal Internet cafes on systems which are isolated from the main network, that way people can still get their fix without linking to the trust environment. I know one setup that even locks personal mobiles away, but they do handle rather sensitive information.

3
2
Anonymous Coward

Re: "at a company i used to work at"

"or maybe a company that has an obligation to keep information confidential, and thus limits access on work systems to resources that help rather than hinder"

So allowing senior management, who are likely to have more sensitive information and be at great risk of a targeted attack (and, the cynic in me says, more likely to fall for phishing) to access these resources is a good idea?

7
1
Silver badge

There are many corporate proxies/firewalls out there that will simply give empty responses for URIs with what they consider unacceptable words in them.

One system I worked on generated SAML SSO messages, which have base64 encoded encrypted XML in the URI (SAML is fun like that), and some clients inconsistently would tell us that the site was broken or they had to log in twice, things like that. We eventually tracked down that the failing URIs worked correctly on our side, and noticed that the URLs had things like "c0ck" in them.

One fun afternoon later we had derived a list of the most common swearwords, and now the URIs are generated in a loop until we get a URI without an unintended swear word - it's the same XML message each time through the loop, but with a new session encryption key, so the URI changes.

We have clients globally; it seemed only US orgs go for this level of nannying.

1
0
Anonymous Coward

Re: "at a company i used to work at"

So allowing senior management, who are likely to have more sensitive information and be at great risk of a targeted attack (and, the cynic in me says, more likely to fall for phishing) to access these resources is a good idea?

Maybe I'm fortunate, but in the places I have worked it usually was a policy *instigated* by senior management (usually after the corporate lawyers explained the consequences of not doing it).

I agree that this is not exactly common practice, though :(

0
1
Silver badge

Re: "at a company i used to work at"

I believe it's entirely possible that I've not long finished working for that company, and yes, they did encrypt everything. I don't recall a message about "top management" however, but they were certainly big enough tossers to do something like that.

It was clear, each and every day, that they trusted management, demanded results without resources and wanted to reduce technical headcount constantly.

A**s....sorry, *they* were deeply stupid as a company and that probably explains why they've been losing contracts hand over fist of late and are not long for the UK market.

1
0
Silver badge
Pint

on Corporate laptops

I knew a guy that had his own HDD to slip into the corporate laptop. Made it his own after working hours.

1
0
Anonymous Coward

A to S don't block that anymore.

0
0
Gold badge

Merde!

Passwords should only be seen by the person who created them. The fact that Virgin cares about profane passwords (though only English profanities) suggests they are storing them in the clear for the use of their own support staff.

24
2
Silver badge

Re: Merde!

Not even seen by the creator, I think? They're always entered into a password box and asterisked out, no? The only person who would see this list is the person who wrote it, and anyone ferreting around in the script code...

And if they're blocking them as partial words (I haven't checked the code) then that's everything from 'niggardly' to 'extravagant' banned, then.

1
0
Silver badge

Re: Merde!

> Passwords should only be seen by the person who created them

Maybe if the requirement was reversed: so that only phrases that were deeply personally derogatory were allowed: e.g. "I'm a pheasant plucker" (or words to that effect), then at least it would stop individuals freely handing out their passwords to all and sundry.

4
0

Re: Merde!

The "show password" tick-box is increasing in popularity.

0
0
Silver badge
Trollface

Re: Merde!

Or the help desk has been moved to the Caliphate.

"Yes this is Aziz from ISIS, how can I scalp you?"

1
1

Re: Merde!

The password, as far as I can see, is filtered by this javascript on the user's local machine, prior to being hashed and sent to Virgin.

0
0
Anonymous Coward

Re: Merde!

> The password, as far as I can see, is filtered by this javascript on the user's local machine, prior to being hashed and sent to Virgin.

Then why bother filtering it at all? If the profanity is never going to leave the client side then who can possibly be offended?

5
0
Silver badge

Re: Merde!

Having just read the security consultant's blog linked above, I'm pretty sure they aren't hashed, or if they are the staff have a skeleton key, which renders it pointless, and they do read passwords back over the phone to customers (some reports say).

0
0

Re: Merde!

The filter is applied both in javascript at the client and on the server.

It's certainly not hashed at the client prior to sending though, and it's looking more doubtful it's hashed on the server either.

1
0
FAIL

Re: Merde!

Exactly - it's almost as if they're worried that an unencrypted list of passwords may be leaked, or that perhaps an employee might be asked to read out a user's password over the phone...

4
0
Silver badge

Re: Merde!

"The password, as far as I can see, is filtered by this javascript on the user's local machine, prior to being hashed and sent to Virgin."

What? Are you saying VM are installing software full of abusive terms on customers PCs in the clear?

So any VM customer who has their computer "examined" by the police "on suspicion of xxx" will always get charged with something, e.g. hate speech.

0
0
