back to article Virgin Media blocks 'wankers' from permissible passwords

Virgin Media likes its fun-and-slightly-naughty image, but not, it seems, in its passwords. El Reg hadn't noticed until someone brought it to our attention, but the JavaScript plug-in the company uses for assessing password strength also censors passwords on the way in. Virgin's version of the plug-in is a 2009 update to the …

  1. Anonymous Coward
    Anonymous Coward

    If you are using offensive passwords to describe the service

    perhaps you are better off not using the service at all !

    1. i like crisps
      Trollface

      Re: If you are using offensive passwords to describe the service

      I use the common euphemism for 'Wankers' for my account.....'R1cHaRdBrAn50n'.

    2. Anonymous Coward
      Anonymous Coward

      Re: If you are using offensive passwords to describe the service

      How about this for a password on Virgin.....

      Hymen.

      1. philbo

        Re: If you are using offensive passwords to describe the service

        If you use it once, will it break?

        My favourite password story comes from the very first network install I was involved with, about 25 years ago. Netware v2, and so wonderfully secure that when the admin changed the supervisor password to "fuckme", it did: it accepted the password change, then wouldn't let him log in again. He ended up nuking the install and starting again from scratch.

      2. Anonymous Coward
        Anonymous Coward

        Re: If you are using offensive passwords to describe the service

        How about this for a password on Virgin.....

        Hymen.

        That's actually an OTP.

        OK, I'll go and hide now.

    3. phil dude
      Pint

      Re: If you are using offensive passwords to describe the service

      Roger's got you all sorted....

      P.

  2. Studley

    finian

    I've searched the deepest, darkest parts of the internet, and I still can't fathom why "finian" is blocked. Could be a misspelling of the Irish insult "fenian", but the original spelling isn't on the list, so I'm stumped.

    As for blocking any passwords that contain those strings? I can only imagine the confusion caused by some of the shorter ones on that list. I can't use Gr33nigl00 for example.

    Block lists aren't exactly a new thing, the more heinous crime is that Virgin constrain the password length to 8-10 characters.

    1. handle

      "the more heinous crime is that Virgin constrain the password length to 8-10 characters."

      Yes, but that's only part of the problem - worse is that they don't allow anything except numbers and letters. El Reg, can you "bite their hand" about this please?

      1. RamblingRant

        Re: "the more heinous crime is that Virgin constrain the password length to 8-10 characters."

        This is where it started...

        http://ramblingrant.co.uk/virgin-media-youre-only-as-secure-as-your-weakest-link/

    2. Ralara

      Re: finian

      "the more heinous crime is that Virgin constrain the password length to 8-10 characters."

      Which means they're probably not hashing them /o\

    3. VinceH Silver badge

      Re: finian

      "I've searched the deepest, darkest parts of the internet, and I still can't fathom why "finian" is blocked. Could be a misspelling of the Irish insult "fenian", but the original spelling isn't on the list, so I'm stumped."

      Whoever added that to the list is probably confusing it with fenian.

      I say "confusing it with" because fenian is not itself on the list, so not only are they applying censorship to something nobody other than the person using the password should ever see anyway, but in this case they are censoring the wrong word. (For that matter, is Finian not a perfectly valid name? I'm sure I knew someone called that when I was kid - if not that, it was very close!)

    4. tony2heads
      WTF?

      Re: finian

      Must be a reference to Finian's Rainbow. Anything with Fred Astaire & Petula Clark as 'Irish' pursued by leprechauns

    5. Anonymous Coward
      Anonymous Coward

      Re: finian

      > Could be a misspelling of the Irish insult "fenian", but the original spelling isn't on the list, so I'm stumped.

      Well, the fact that the correctly spelled version is *not* on the list should strengthen your hypothesis of a misspelling.

  3. Ketlan
    Happy

    Oo-er missus...

    I wonder if Scunthorpe is acceptable as a password.

    1. Anonymous Coward
      Anonymous Coward

      Re: Oo-er missus...

      I wonder if Scunthorpe is acceptable as a password.

      On the plus side, nobody can use "arsenal" :)

      1. Version 1.0 Silver badge

        Re: Oo-er missus...

        How would Nipissing fare ... and they even have a University

  4. Steve Davies 3 Silver badge

    Bollocks won't be allowed on many systems

    simply because the have a rule that blocks the 'll' in this word. Two consequitive character identical is a big no-no in many an AD setup.

    Rather silly really because the hackers would have a better chance of getting a password hit because of this rule.

    Anyone with even an elementary understanding of Cryptography would know this.

    **

    One of the flaws with the German Enigma machine was that no letter/number could be encrypted as itself. Not allowing 'll' is a mistake of the same order IMHO.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bollocks won't be allowed on many systems

      Really the Welsh should be in there complaining about discrimination, because ll is an actual letter in Welsh.

      You are right about the cryptographic flaw in the Enigma; the second biggest flaw in the system was that the German high command put too much trust in their machines so, faced with an apparent leak of information, they went hunting for spies rather than looking to see if the machine could be hacked,

      1. Nigel The Pigeon

        Bollock, Bollocks

        Sloppy javascript at it's finest.

        If the list includes the word "bollock" and the regex match excludes all words containing the term, there is no need to include the word "bollocks", since it is excluded by default. Same for all variations of "f*ck", and "clit".

        The list also appears to taken from an American script, because of the spelling of words such as "pedo".

        Come on Virgin, get yourself some proper developers! - or, pass this on to your webdev agency.

        1. Pete 2 Silver badge

          Re: Bollock, Bollocks

          > The list also appears to taken from an American script

          As is usually the case with lists of "popular" passwords.

          ISTM the simplest way to obtain an uncrackable password is just to use a non-english (or non-american) word. And if you can get some non-ASCII into it, you're gÖlden.

          I'm pretty sure the same applies to "bad word" filters, too.

          1. Version 1.0 Silver badge

            Re: uncrackable password

            I've used Welsh passwords for years and never had any problems.

            1. Trigonoceps occipitalis

              Re: uncrackable password

              Such as ilovemysheep?

              1. BongoJoe

                Re: uncrackable password

                Such as ilovemysheep?

                And then the Saes eat them.

            2. JeffyPoooh Silver badge
              Pint

              Re: uncrackable password

              V1.0: Welsh...

              You could probably use "cyfrinair" and get away with it.

            3. Anonymous Coward
              Anonymous Coward

              Re: uncrackable password

              > I've used Welsh passwords for years and never had any problems.

              How did you ever manage to type them twice the same way?

        2. Wilseus
          Headmaster

          Re: Bollock, Bollocks

          "Sloppy javascript at it's finest."

          Sloppy punctuation at its finest :)

          1. mark 63 Silver badge

            Re: Bollock, Bollocks

            "Sloppy javascript at it's finest."

            I'd imagine the java coder and the management type who compiled the list are 2 different people

      2. kiwimuso

        Re: Bollocks won't be allowed on many systems

        @Arnaut the less

        "the German high command put too much trust in their machines"

        You mean there are still people around who do not learn form history!!!

        Nothing has changed, has it.

    2. glen waverley

      Re: Bollocks won't be allowed on many systems

      But on reading the list in the link, I see "bolox" is on the banned list, as is "bollox".

      So there is more to it than the double l.

      Missing from the list is "bolocks", strangely enough.

  5. Anonymous Coward
    Anonymous Coward

    Its not just swear words, at a company i used to work at... (think it arm of company that does disability tests) they suddenly added permanent filters to all corporate laptops, which a lot of us used in the evenings when in our hotels to watch youtube and check email on gmail etc.

    The following sites were blocked

    Facebook

    Twitter

    Youtube

    Linked In

    Gmail

    AOL

    Yahoo

    And the interesting thing is that even when not on the VPN they were blocked with the message

    Access Denied - Access only for Top Management.

    1. Anonymous Coward
      Anonymous Coward

      "at a company i used to work at"

      Clearly a company that thought, and with good reason, that it might have less than happy employees, and was trying to prevent them from using anything that might help them get another job.

      1. Anonymous Coward
        Anonymous Coward

        Re: "at a company i used to work at"

        Clearly a company that thought, and with good reason, that it might have less than happy employees, and was trying to prevent them from using anything that might help them get another job.

        ... or maybe a company that has an obligation to keep information confidential, and thus limits access on work systems to resources that help rather than hinder.

        A company is not always evil because it stops you from doing something stupid that could cost you your job. The really clever ones have internal Internet cafes on systems which are isolated from the main network, that way people can still get their fix without linking to the trust environment. I know one setup that even locks personal mobiles away, but they do handle rather sensitive information.

        1. Anonymous Coward
          Anonymous Coward

          Re: "at a company i used to work at"

          "or maybe a company that has an obligation to keep information confidential, and thus limits access on work systems to resources that help rather than hinder"

          So allowing senior management, who are likely to have more sensitive information and be at great risk of a targeted attack (and, the cynic in me says, more likely to fall for phishing) to access these resources is a good idea?

          1. Anonymous Coward
            Anonymous Coward

            Re: "at a company i used to work at"

            So allowing senior management, who are likely to have more sensitive information and be at great risk of a targeted attack (and, the cynic in me says, more likely to fall for phishing) to access these resources is a good idea?

            Maybe I'm fortunate, but in the places I have worked it usually was a policy *instigated* by senior management (usually after the corporate lawyers explained the consequences of not doing it).

            I agree that this is not exactly common practice, though :(

            1. Bernard M. Orwell Silver badge

              Re: "at a company i used to work at"

              I believe its entirely possible that I've not long finished working for that company, and yes, they did encrypt everything. I don't recall a message about "top management" however, but they were certainly big enough tossers to do something like that.

              It was clear, each and every day, that they trusted management, demanded results without resources and wanted to reduce technical headcount constantly.

              A**s....sorry, *they* were deeply stupid as a company and that probably explains why they've been losing contracts hand over fist of late and are not long for the UK market.

    2. glen waverley

      PC gone mad

      "think it arm of company that does disability tests"

      Is "arm" really the best word to use in same sentence as doing "disability tests"? Or is that why it's a company you used to work at?

    3. Tom 38 Silver badge

      There are many corporate proxies/firewalls out there that will simply give empty responses for URIs with what they consider unacceptable words in them.

      One system I worked on generated SAML SSO messages, which have base64 encoded encrypted XML in the URI (SAML is fun like that), and some clients inconsistently would tell us that the site was broken or they had to log in twice, things like that. We eventually tracked down that the failing URIs worked correctly on our side, and noticed that the URLs had things like "c0ck" in them..

      One fun afternoon later we had derived a list of the most common swearwords, and now the URIs are generated in a loop until we get a URI without an unintended swear word - its the same XML message each time through the loop, but with a new session encryption key, so the URI changes.

      We have clients globally, it seemed only US orgs go for this level of nannying.

    4. JeffyPoooh Silver badge
      Pint

      on Corporate laptops

      I knew a guy that had his own HDD to slip into the corporate laptop. Made it his own after working hours.

    5. Anonymous Coward
      Anonymous Coward

      A to S dont block that anymore.

  6. Ken Hagan Gold badge

    Merde!

    Passwords should only be seen by the person who created them. The fact that Virgin cares about profane passwords (though only English profanities) suggests they are storing them in the clear for the use of their own support staff.

    1. Neil Barnes Silver badge

      Re: Merde!

      Not even seen by the creator, I think? They're always entered into a password box and asterisked out, no? The only person who would see this list is the person who wrote it, and anyone ferreting around in the script code...

      And if they're blocking them as partial words (I haven't checked the code) then that's everything from 'niggardly' to 'extravagant' banned, then.

      1. handle

        Re: Merde!

        The "show password" tick-box is increasing in popularity.

        1. Destroy All Monsters Silver badge
          Trollface

          Re: Merde!

          Or the help desk has been moved to the Caliphate.

          "Yes this is Aziz from ISIS, how can I scalp you?"

    2. Pete 2 Silver badge

      Re: Merde!

      > Passwords should only be seen by the person who created them

      Maybe if the requirement was reversed: so that only phrases that were deeply personally derogatory were allowed: e.g. "I'm a pheasant plucker" (or words to that effect), then at least it would stop individuals freely handing out their passwords to all and sundry.

    3. hazzamon

      Re: Merde!

      The password, as far as I can see, is filtered by this javascript on the user's local machine, prior to being hashed and sent to Virgin.

      1. Anonymous Coward
        Anonymous Coward

        Re: Merde!

        > The password, as far as I can see, is filtered by this javascript on the user's local machine, prior to being hashed and sent to Virgin.

        Then why bother filtering it at all? If the profanity is never going to leave the client side then who can possibly be offended?

        1. mark 63 Silver badge

          Re: Merde!

          having just read the security consultants blog linked above , im pretty sure they arnt hashed , or if they are the staff have a skeleton key , which renders it pointless, and they do read out passwords back over the phone to customers (some reports say)

      2. RamblingRant

        Re: Merde!

        The filter is applied both in javascript at the client and on the server.

        It's certainly not hashed at the client prior to sending though, and it's looking more doubtful it's hashed on the server either.

      3. John Brown (no body) Silver badge

        Re: Merde!

        "The password, as far as I can see, is filtered by this javascript on the user's local machine, prior to being hashed and sent to Virgin."

        What? Are you saying VM are installing software full of abusive terms on customers PCs in the clear?

        So any VM customer who has their computer "examined" by the police "on suspicion of xxx" will always get charged with something, eg hate speech

    4. Joefish
      FAIL

      Re: Merde!

      Exactly - it's almost as if they're worried that an unencrypted list of passwords may be leaked, or that perhaps an employee might be asked to read out a user's password over the phone...

  7. Martin-R

    VM does have a call centre password which the staff obviously have some access to; this is separate to the password you use to login to their website.

    1. EddieD

      About 10 years ago, as Blueyonder, one of their call center staff let slip that they could access our main password - i.e. the one we used for e-mail, their website etc.

      I promptly complained to the management that this was extremely poor practice and received a reply agreeing with me and saying that they would modify their policies, whether they did or not, I don't know.

      Since then I've not trusted them, and I've not used the email service for anything remotely important

      1. Tom_

        Yeah, new policy: don't tell customers you can see their passwords.

    2. Anonymous Coward
      Anonymous Coward

      VM does have a call centre password which the staff obviously have some access to; this is separate to the password you use to login to their website.

      I got caught out by this on Demon. When I set the account up they asked for a memorable phrase. Several years later I called their helpline in India, and got asked for my memorable phrase. I'd assumed I'd only ever get to enter this on a web form, or be asked for a couple of randomised letters ("can you give me the first and fifth letters of your memorable phrase" kind of thing). So I gritted my teeth and told the helpline bloke that my phrase was "furry fish mitten". Thankfully he didn't ask what it meant.

  8. Ralph B

    Odd List

    I may be an innocent, but why is "finian" on the list? It might sound a bit like "fenian" but that isn't on the list.

    Why is "pedofilia" listed but not "pedophilia" or ""paedophilia"? Are Virgin Media just wanting to block illiterate perverts?

    Banning "cnut" is a bit rough on students of Norse history, but I can understand why they might have done so. Similarly "flange" for DIY fans. I understand (from Urban Dictionary) that it's occasionally used as a euphemism for lady's parts, but by that argument "ladysparts" (and a thousand other euphemisms) should also be on the list, and it isn't.

    This list misses a whole bunch of swear words including one of the famous Seven Dirty Words.

    Odd.

    1. Anonymous Coward
      Anonymous Coward

      Re: Odd List

      A more pressing concern than the odd list is that the w@nkers at VM actually have the time, desire and resources to censor user data that even their own employees shouldn't be able to see.

      With several recent performance f*ck ups, and continuous upward price creep over recent years I'd rather they sacked the disciple of Mary Whitehouse who instigated this policy and put their effort into keeping prices down and services working.

    2. Anonymous Coward
      Anonymous Coward

      Re: Odd List

      Of course they left of one of the Seven Dirty Words... Everybody likes Tits

      1. Nigel 11
        Coat

        Re: Odd List

        Black, Blue, Great or Long-Tailed?

        1. Omgwtfbbqtime Silver badge

          Re: Odd List

          Dont forget:

          Tits like coconuts.

          1. Chika
            Paris Hilton

            Re: Odd List

            Dont forget:

            Tits like coconuts.

            Is this a Paris Hilton comment?

  9. swissrobin

    TalkTalk allow you to set your telephone password on the website (you need to know the bank account number you pay the DD from and the telephone number they provide ADSL on). I wonder if the virgin case being discussed here is the same thing - clearly they have to be able to retireve the password in plain text if the call centre are going to ask you for it.

    Handy on the occasion I had to use it, but clearly if you chuck your bank statements and telephone bills in the bin then anybody else could have this information too (not that I care, but those of a tin foil hat persuasion might).

    I did wonder at the time whether I should make the password "IWantAMAC", or a ruder equivalent, prior to calling them for a MAC :-)

  10. Anonymous Coward
    Anonymous Coward

    Presumably

    W@Nk3R2 would be allowed?

    1. Steven Raith

      Re: Presumably

      Or perhaps:

      FvcKsT1ck5

      ?

  11. Destroy All Monsters Silver badge
    Childcatcher

    I fully applaud....

    ...this strenous effort to ban badness from the input of poor, innocent salters and hashers!

    (Neuroticism is not a joke!)

  12. Anonymous Coward
    Anonymous Coward

    Racial slurs

    So the N-word, p*ki and w*g are disallowed, but ch*nk is perfectly fine, because, as we know, all racial slurs are not created equally.

    1. Steven Raith

      Re: Racial slurs

      Chink is still used commonly to describe a small opening, a chink in the armour, etc - it's use is not purely for offensive purposes against the Chinese.

      Can't say the same for the others.

      Chink still has a legitimate use in language - the others do not (and lets be honest, never really have), other than to offend.

      Steven R

      1. Vic

        Re: Racial slurs

        Chink still has a legitimate use in language - the others do not (and lets be honest, never really have), other than to offend.

        On the contrary - the term "wog" was originally intended as a compliment - it was a statement that the person in question had achieved the lofty state of "westernised", despite his oriental origins.

        Now, of course, the attitude that "western" is somehow better is obviously crap in and of itself - but it was prevalent at the time. The term "wog" was simply an arrogant and self-important society saying that someone from without their ranks had become one of them.

        The meaning did change over time, of course...

        Vic.

        1. Anonymous Coward
          Anonymous Coward

          Re: Racial slurs

          https://upload.wikimedia.org/wikipedia/commons/e/ed/Bren_wog.jpg

      2. Anonymous Coward
        Anonymous Coward

        Re: Racial slurs

        > .. never really have), other than to offend.

        The n word as an offensive worse came from America, I'm just old enough to remember the nursery rhyme that got Clarkson into some bother recently, and I can quite sympathise with it being programmed into your head at an early age. It was just a remnant of an earlier time, when (in England) it was just an ordinary word, people used to name their pets it, hardly something you would do if it were offensive.

        Words change. (Listen to the flinstones theme song for proof.) I suspect in 50 years time people will find the banned words list very strange.

        1. Anonymous Coward
          Anonymous Coward

          Re: Racial slurs

          It was just a remnant of an earlier time, when (in England) it was just an ordinary word, people used to name their pets it, hardly something you would do if it were offensive.

          Like Guy Gibson's dog, which will tactfully be renamed "Digger" in the remake of The Dam Busters!

          :-D

          http://en.wikipedia.org/wiki/The_Dam_Busters_%28film%29#Remake

  13. Gomez Adams

    Why are they even looking at the passwords in plain text?

    Surely this is bad practise and a security issue?

    1. handle

      Re: Why are they even looking at the passwords in plain text?

      "They" appears to be a computer program. Implementing this stupid feature does not prove that anyone actually looked at the passwords beforehand.

  14. AndrueC Silver badge
    Thumb Up

    I used to play a game called Earth and Beyond that had a rather daft filter. It would filter things regardless of white space. As a result the most innocuous of sentences in chat channels would get censored eg - 'It watched me' became 'I* ***ched me' resulting in minutes of fun while everyone in the channel discussed what the censored word might be. Even better it included foreign swear words so for a while I knew a few Dutch, French and German swear words.

    Very educational :)

    1. John H Woods Silver badge

      PSN Home was even worse when it started ...

      Hello = ****o

      Indian = *******

      Yes, that's right, a whole continent of people were forbidden to state their nationality, because the word might offend some Native Americans. Although, weirdly, the only Native American I've ever met referred to herself as (Sioux) Indian.

      It was still possible to call people vvankers though, it just needed two Vs.

      1. Neil Barnes Silver badge

        Re: PSN Home was even worse when it started ...

        >> It was still possible to call people vvankers though, it just needed two Vs.

        Hence the old saying "I vvant to be alone..." ?

      2. Version 1.0 Silver badge

        Re: Indian?

        Every North American native that I know uses their tribal name - only whitey (is that allowed) calls them Indians.

  15. Anonymous Coward
    Anonymous Coward

    The Lord of the Rings Online MMO

    considers the word "admin" a profanity and changes it to %£!&.

    In fact the blocking in LOTRO is so harsh you cant actually hold a normal conversation let alone a naughty one. Much as I like the concept of reducing the overhead of fleshy moderators it can get to a point where the service is useless and hazardous

    In another case on the same game, someone had registered a character name that was clearly from the more experimental people in the bedroom department, but it could not be reported as the service to report the problem would not allow the inclusion of the character name involved. Using two different word lists makes the problem even worse, and indeed unreportable!

    1. Destroy All Monsters Silver badge

      Re: The Lord of the Rings Online MMO

      What no script to BASE64 encode/decode on the fly?

  16. david bates

    Plus.net store passwords in the clear... And will email them out to you on request. Apparently this is fine as the database is not internet facing and would require a member of staff to durable your password. Or something equally unconvincing.

    1. Vic

      Plus.net store passwords in the clear

      So does Eclipse :-(

      Vic.

  17. Crisp Silver badge
    Boffin

    Interesting list.

    Nigger is in there, but Nigga is not. The list apparently penalises spelling.

    And since when was clitoris a dirty word?

    1. Simon Harris Silver badge

      Re: Interesting list.

      Depends on one's personal hygiene.

    2. Mike Smith

      Re: Interesting list.

      "since when was clitoris a dirty word?"

      Since Puritanism gained a foothold in America.

  18. Sequin

    They have missed off the rudest swear word in the world - FITBIN!

  19. Fihart

    Political Correctness Gone Mad (again) !

    Surely the point of a password is that no-one sees it apart from its creator.

    Or is this to spare the blushes of Virgin's staff if they pry on customers' accounts ?

  20. Allan George Dyer Silver badge
    Coat

    Belgium, man, BELGIUM!

    1. WonkoTheSane

      Steady on, there's no need for language like that, old chum!

      1. Chika

        Don't worry. He's just being a ghent.

    2. Anonymous Coward
      Anonymous Coward

      Hey, that's not fair. What did Belgium ever do to offend the world?

      Well, apart from that minor unpleasantness involving their King Leopold II, the enslavement of the natives of the Congro Free State in the late 19th century for reasons of pure greed and the horrendous atrocities committed against countless numbers of them (e.g. hands being cut off if they failed to meet punishingly difficult quotas)... and including anything between two and fifteen million deaths.

      http://en.wikipedia.org/wiki/Congo_Free_State

      The only way the "wa, wa, wa... it was the *king* himself, not the state/people" apologists would have had any moral legitimacy would have been if the Belgian people- seeing what had been done in their name- had strung the King up and abolished the monarchy. Oddly enough, they don't seem to have done that- the descendants of this mass-murderer are still venerated by the Belgian people, and they don't like being reminded what their ancestors did.

      They've still got a monument celebrating him, for ****'s sake:- http://commons.wikimedia.org/wiki/File:Monument_%C3%A0_L%C3%A9opold_II.jpg

      1. Omgwtfbbqtime Silver badge
        Facepalm

        Look up quickly - nope its gone.

        It's a H2G2 reference.

  21. Elmer Phud Silver badge

    It's only words . . .

    While working for a large and well-known telecomms company there was a company-wide block on any 'swearwords' used for passwords.

    This missive can only have come from clueless management as some of my passwords changed to ones that were not blocked:

    B01lck5

    Phuque0rf

    were a couple of favourites used in response to the emails.

  22. Tweetiepooh
    Alien

    Just wondering

    is "belgium" in the list. Really sorry to use that word but I just lost my towel.

  23. Alan Brown Silver badge

    Wot a bunch of onanists.

    And seriously, if passwords are held in plaintext, there are a few bollox which need chopping off.

  24. Anonymous Coward
    Anonymous Coward

    Optimisation missing

    This programmer isn't very good. Since it's doing substring matching there's no need to include both "poof" and "poofter", "shit" and "shite" etc. (Incidentally there are several three-letter strings there which will also match all sorts of innocuous stuff)

    As for *why* they're doing this, clearly VM are storing the plaintext password in their systems. The callcentres will have visibility of this and may either (a) ask the customer to confirm their password on the phone, or (b) they will tell the customer what their password is if they've forgotten it.

    This is of course pants, but I know other ISPs which do this.

    They *should* be storing a salted hash, and if the customer has forgotten their password, the callcentre operator should only be able to reset it to a new one.

    Aside: ADSL authentication on the BT wholesale network uses CHAP and this requires the plaintext password to be stored in the authentication server. But (a) VM aren't doing ADSL as far as I know, and (b) in any case they don't need to make the passwords visible to callcentre agents, which in turn means no need for the filter.

    1. Anonymous Coward
      Anonymous Coward

      Re: Optimisation missing

      > They *should* be storing a salted hash, and if the customer has forgotten their password, the callcentre operator should only be able to reset it to a new one.

      Thanks for that inciteful advice *facepalm*

    2. Kubla Cant Silver badge

      Re: Optimisation missing

      BT Internet seems to store plaintext passwords, too, to judge from a conversation I recently had with a support drone.

      @AC Thanks for that inciteful advice *facepalm*

      Do you mean "insightful"? Or perhaps "incisive"? You can't have both at once. Perhaps if you took your palm away from your face you could see what you're typing.

    3. VinceH Silver badge

      Re: Optimisation missing

      "Since it's doing substring matching there's no need to include both "poof" and "poofter", "shit" and "shite" etc. (Incidentally there are several three-letter strings there which will also match all sorts of innocuous stuff)"

      Actually, El Reg's report has that a little wrong. In the article, they've said:

      "And while we're forced to agree that “bollocks” is far too weak a word to use as a password, the code is clear that you can't even use bollocks within a password: if (password.match(/\s+/g,'')) then you'll get marked down."

      Well, that quoted line:

      if (password.match(/\s+/g,''))

      Is actually checking for whitespace.

      The list of naughty words is done next, by first putting them in an array (badpassarray) and then turning that array into a single string, with each word separated by a vertical bar:

      var re = new RegExp(badPassArray.join("|"), "i");

      It's then using this:

      return(pwd.match(re) != null);

      To return true if the password is contained in the list, false if it isn't.

      (So it is checking for substrings, but in exactly the opposite way that the report says. AFAICS. So 'scunthorpe' is a perfectly acceptable password to that bunch of silly scunthorpes at Virgin Media.)

    4. John Brown (no body) Silver badge

      Re: Optimisation missing

      "(a) VM aren't doing ADSL as far as I know"

      They do. IIRC, it's call Virgin National or something like that.

  25. Anonymous Coward
    Anonymous Coward

    Re "odd list"

    "Virgin blocks flange" would be up there with the greatest newspaper headlines of all time. How about it Murdoch/Sun?

    1. Anonymous Coward
      Anonymous Coward

      Re: Re "odd list"

      Am I the only person who thinks The Sun's reputation for supposedly witty headlines (even among those who aren't fans otherwise) is massively overrated?

      Yeah, some of the "classics" that get regularly cited have been moderately clever or amusing, but when funny headlines is your day-in, day-out stock-in-trade, any half-competent writer is going to come up with a few half-decent ones over 20 or 30 years, if only because of sheer numbers.

    2. TheVogon Silver badge

      Re: Re "odd list"

      ""Virgin blocks flange" would be up there with the greatest newspaper headlines of all time. How about it Murdoch/Sun?"

      Virgin Cock Block, surely.....

  26. Anonymous Coward
    Anonymous Coward

    er...

    ...client-side validation? What's the betting it's not validated server-side?

    1. RamblingRant

      Re: er...

      It is checked server side too.

  27. heyrick Silver badge

    Ummm...

    If it is the client side scripting doing this, doesn't that imply that those with friendlier browsers can easily rewrite some of the rules and use whatever damn password that they want without this dumb nannying? Passwords should be known to the one using them and nobody else.

  28. davemcwish

    Cockwomble

    Is also not allowed due to it not being the requsite 9 characters long - as is the XKCD example.

  29. Chika
    Happy

    Inventing swear words...

    Of course, the chakking noobs involved in this whole wolsh can never hope to keep up with all the new blit coming out all the time. It's all a total gratting waste of time.

    Bloit you, Oxhorn!

  30. Graham Triggs

    Hmmm....

    The only reason for banning anything from passwords should be based on technical capabilities of storing them. They should be stored as hashes from which you can't derive the original text, comparisons only ever being of the hash.

    If you are ever worried about what the contents might be, then you are saying that the password list can be decrypted, which is very bad.

  31. Lord Lien

    On the subject of wankers........

    https://www.youtube.com/watch?feature=player_embedded&v=NvjioW0bI1s

    ;)

  32. Cyberspy
    Facepalm

    Why the US spellings?

    Seems:

    pedo, pedofilia & pedophile

    aren't allowed, but

    paedo, paedophilia and paedophile are all OK!

  33. adminspotting

    El Reg reports you can't have any of those naughty words as any part of a password, so "canal" is right out?

    This reminds me of twitter's stupid rules on usernames, which would ban you from having the twitter handle "leadminer".

  34. Richard Parkin

    My own first name is on the banned list. Do I have case for surfing Virginmedia inder Human Rights Act?

  35. Feival
    Facepalm

    Rogers!

    I used to work in one of the mobile operators and had cause to exchange correspondence with Rogers Wireless in Canada. For some reason the emails didn't arrive but they did when sent from our personal accounts. Eventually the penny dropped...

    1. adminspotting

      Re: Rogers!

      I sent someone a message on an American website, and had to then explain that by ****ens, I meant the author of Oliver Twist.

      1. John Brown (no body) Silver badge

        Re: Rogers!

        "I sent someone a message on an American website, and had to then explain that by ****ens, I meant the author of Oliver Twist."

        So now some poor yank is still trying to figure who Disneyens is or if you just have a funny accent?

  36. Squeezer

    Last time I saw "The Dambusters" the name of Guy Gibson's dog had indeed been overdubbed -- can't remember what to, but it certainly wasn't his real life name...

  37. adminspotting

    We have always been at war with Eastasia

    Virgin have now gone all 1984:

    > var badPassArray = [

    > "abc123",

    > "password",

    > "virgin",

    > "welcome",

    > ];

    1. Martin-73 Silver badge

      Re: We have always been at war with Eastasia

      So I take it this means they deleted stuff... ? (not a coder, just couldn't find anything but those 4 either)

      1. adminspotting

        Re: We have always been at war with Eastasia

        No, Citizen, they did not delete anything.

        Nothing but those 4 ever existed.

        Any belief otherwise is an erroneous thought.

  38. Truth4u

    So to stop you using naughty words

    They'll actually send you a list of naughty words in a Javascript file. Sweet.

    But they took it out before I got to see it. That would have been sweet sweet sweet cos I dont pay Virgin NOTHING.

  39. RamblingRant

    Virgin Media have subsequently removed the list of "unacceptable" words from the javascript file.

    They are still enforced by the server however. As I mentioned yesterday, password security almost pales into insignificance compared to this...

    http://ramblingrant.co.uk/virgin-media-youre-only-as-secure-as-your-weakest-link

    Only official response (so far) has been "we're not willing to discuss our encryption"

    1. Erix
      FAIL

      Fear not - thanks to the Internet archive this jewel has been stored for future generations to admire! (or at least until VM uploads a robots.txt file)

      http://web.archive.org/web/20140812173352/https://my.virginmedia.com/assets/legacy/js/password_strength_plugin.min.js

  40. awood-something_or_another

    Client-Side Enforcement?

    Really?

  41. Andy Taylor
    Facepalm

    Worst experience of overzealous IT?

    That's easy. I was sending instructions on how to install some software to a customer whose email service blocked SETUP.EXE. Not an attachment called SETUP.EXE, the text SETUP.EXE.

  42. Wzrd1

    Erm...

    Apparently, our intrepid author failed to recognize *dictionary attacks*.

    Hence, the dictionary of refute.

    My personal one is far more extensive, but profanity is quite common.

  43. amanfromearth

    And ebay too

    The tat-vendor wouldn't allow me to create an account called "pussycat"

    Stupid, stupid.

  44. Jamie Kitson

    Updated, but

    They've updated the original to remove most of the words, but the archive.org still has the original:

    https://web.archive.org/web/20140812173352/https://my.virginmedia.com/assets/legacy/js/password_strength_plugin.min.js

    btw I think the author is wrong in saying that passwords containing bollocks will be disallowed, he's looking at the line above, the line below says "pwd.match(re)".

    1. RamblingRant

      Re: Updated, but

      I'm looking at the right line ;)

      http://www.w3schools.com/jsref/jsref_match.asp

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019