Reg reader rages over Virgin Media's email password policy
2022-03-10 10:29

A Register reader has raised concerns over UK ISP Virgin Media's password policies after discovering he couldn't set a password longer than 10 characters or one that includes non-alphanumeric characters.

"I am having a running battle with a hacker who is able to crack a 10-character password used for Virgin or Virginmedia email in less than a day," Nick complained, saying the attacker was setting up auto-forward rules to divert his emails as well as being able to guess newly reset passwords within a day.

He added that Virgin's password policy enforced weak-by-design choices on him which made his apparent attacker's efforts easier: the ISP's email account policy wouldn't allow him to set a password longer than 10 characters; nor would it allow him to add two-factor authentication; the first character had to be a letter; and non-alphanumeric characters weren't allowed.

Last year someone posted on Virgin Media's customer support forum asking for help setting a password that would pass Virgin's systems, and was told: "We do advise to use a password between 6-10 characters long, including at least 1 number, 1 capital letter, 1 lower case letter and ensuring that it isn't your surname or first name."

A Redditor posted a thread titled "It's 2021 and VirginMedia only allows password 8-10 characters long, letters and numbers only" complete with a screenshot of the password page explaining the requirements.

Password generators in this day and age all come with options to include non-alphanumeric characters and to produce lengths of greater than 10 characters. None of the passwords generated that way, it appears, would pass Virgin Media's requirements.
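The rules reported above describe a small, countable password space. The following is an added example, not code from The Register or Virgin Media: it checks candidate passwords against those rules and counts exactly how many passwords the policy accepts. It assumes all the reported rules apply together and uses the forum reply's 6-character minimum; the function names and sample passwords are constructed for illustration.

```python
import math
import string
from itertools import combinations

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits

def policy_violations(pw, min_len=6, max_len=10):
    """Rules reported in the article that `pw` breaks (empty list = accepted)."""
    broken = []
    if not min_len <= len(pw) <= max_len:
        broken.append("length")
    if not pw or pw[0] not in LOWER + UPPER:
        broken.append("first-not-letter")
    if any(c not in LOWER + UPPER + DIGITS for c in pw):
        broken.append("non-alphanumeric")
    for name, cls in (("no-lower", LOWER), ("no-upper", UPPER), ("no-digit", DIGITS)):
        if not any(c in cls for c in pw):
            broken.append(name)
    return broken

def count_accepted(n, lower=26, upper=26, digits=10):
    """Exact number of length-n passwords the policy accepts.

    Inclusion-exclusion over which character classes are allowed to appear:
    a string counts only if lower, upper and digit all occur at least once.
    """
    sizes = {"lower": lower, "upper": upper, "digit": digits}
    total = 0
    for k in range(len(sizes) + 1):
        for allowed in combinations(sizes, k):
            letters = sum(sizes[c] for c in allowed if c != "digit")
            alphabet = sum(sizes[c] for c in allowed)
            # Strings drawn only from `allowed`, with a letter in first position.
            total += (-1) ** (len(sizes) - k) * letters * alphabet ** (n - 1)
    return total

def policy_bits(min_len=6, max_len=10):
    """log2 of the number of accepted passwords across all permitted lengths."""
    return math.log2(sum(count_accepted(n) for n in range(min_len, max_len + 1)))

def random_bits(length, alphabet_size):
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    generated = "k#9Lq!vT2x@Wz7Rp"  # constructed sample of a 16-character generated password
    print("rejected for:", policy_violations(generated))
    print(f"policy ceiling: {policy_bits():.1f} bits")
    print(f"16 random printable ASCII chars: {random_bits(16, 94):.1f} bits")
```

The policy figure is a ceiling that only a uniformly random choice reaches; a generated 16-character password drawn from the 94 printable ASCII characters carries over 100 bits but is rejected on both length and character set.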


News URL

https://go.theregister.com/feed/www.theregister.com/2022/03/10/virgin_media_email_password_security/