A Register reader has raised concerns over UK ISP Virgin Media’s password policies after discovering he couldn’t set a password longer than 10 characters or one that includes non-alphanumeric characters.
Our reader Nick told us he was facing repeated attempts to take control of an @virgin.net email account he owns – adding that the company’s password policy left him vulnerable to what he described as a sustained brute-forcing attack.
“I am having a running battle with a hacker who is able to crack a 10-character password used for Virgin or Virginmedia email in less than a day,” Nick complained, saying the attacker was setting up auto-forward rules to divert his emails as well as being able to guess newly reset passwords within a day.
He added that Virgin’s password policy enforced weak-by-design choices on him which made his apparent attacker’s efforts easier: the ISP’s email account policy wouldn’t allow him to set a password longer than 10 characters; nor would it allow him to add two-factor authentication (2FA); the first character had to be a letter; and non-alphanumeric characters weren’t allowed.
A spokesperson for the Liberty Global-owned telco told The Register: “Ensuring customer data is secure is of utmost importance to us and we continually invest in our security systems to keep our customers safe online. Our login process requires customers to use unique passwords using a variety of up to 10 characters, enhanced by additional technical controls and anti-fraud measures which defend against unauthorised login attempts. Our engineers regularly update our systems to improve security, with further improvements due to be implemented in the near future.”
However, on its website we note that the company says users should “aim for 8 to 12 characters” and use “symbols… or special characters.”
Nick is not alone in wondering what Virgin’s up to with email account passwords. Last year someone posted on their customer support forum asking for help setting a password that would pass Virgin’s systems, to be told: “We do advise to use a password between 6-10 characters long, including at least 1 number, 1 capital letter, 1 lower case letter and ensuring that it isn’t your surname or first name.”
Another customer wondered why he was restricted to “maximum of 10 alpha numeric characters lower or upper case”, adding: “Why are no special characters and longer than 10 alpha numeric passqwords allowed?” [sic]
Similarly, a Redditor posted a thread titled “It’s 2021 and VirginMedia only allows password 8-10 characters long, letters and numbers only” complete with a screenshot of the password page explaining the requirements.
Meanwhile, in 2019, the company’s social media operatives were confident enough to say this about their password policy:
10 characters is ample enough to keep the password secure. ^GT
— Virgin Media (@virginmedia) March 11, 2019
Britain’s National Cyber Security Centre, an offshoot of GCHQ, has this advice about email account passwords:
Machine-generated passwords in this day and age all come with options to set non-alphanumeric characters and in lengths of greater than 10 characters – none of which, it appears, would pass Virgin Media’s requirements.
Back in 2015, Virgin had to shift itself off Gmail for consumer email accounts after the adtech monolith dropped support for ISP accounts. It’s had problems in the past with security as well; in 2020, 900,000 customers’ records were dumped online thanks to a poorly secured database. ®