Passwords, passwords everywhere
If you're reading this, chances are that you have to use and manage a lot of passwords and you know that using passwords securely can be a challenge.
Many online services require users to conform to complex password requirements involving lower and upper case alphanumeric characters, special symbols and restrictions on consecutive characters, as well as minimum and maximum password ages. This approach is outdated and really only gives an illusion of security: the idea that a more complex password must be a more secure one.
How are passwords disclosed?
In reality, most password attacks are not based on a hacker guessing a user's password by trying every possible combination of characters (known as a brute force attack) but by one of several technical or social techniques including but not limited to:
- social engineering, or simply tricking someone into revealing their password;
- phishing emails;
- intercepting a hashed (or even plaintext) password as it is transmitted over a network;
- compromising or stealing a password hash file and using it to recover the passwords; or
- using credentials (often username and password combinations) leaked from data breaches affecting other systems and services (sometimes known as credential stuffing).
This last point is why you should never share passwords across sites and services, especially for more sensitive accounts. Password sharing means you have to think about the security of all the services where you use the same password: a breach at one could lead to compromise of your account on an otherwise unrelated service.
How do attackers target passwords?
Attackers often use lists of known and commonly used passwords to try and gain access to online accounts and services. They can either try these lists directly or use them to try and recover hashed passwords that have been disclosed in an earlier data breach. These kinds of techniques are collectively referred to as 'dictionary attacks', but they don't just involve simple dictionary words. Often, the 'dictionaries' being referred to are in fact pre-compiled lists of commonly used passwords. Using these passwords puts your accounts at risk, and we have taken steps to prevent our users doing this inadvertently.
How does Virgin Media provide secure options for passwords?
We know that using weak or common passwords can put our customers at risk. We also know, however, that nobody likes those outdated password policies that require arbitrary combinations of letters, numbers and special characters. That's why we've decided to enforce a simple and straightforward approach to password requirements. Your password must:
- be at least 10 characters in length;
- not contain your name or email address; and
- not appear on a blacklist of common or previously exposed passwords.
And that's it. So long as your password meets the above requirements, it doesn't have to contain any particular set of characters or symbols and there are no other exclusions: you can choose something meaningful and memorable.
We will also never ask you to change your password just because a set period of time has passed. Your password will stay the same unless you decide to change it or we believe that there is a good security reason for changing it.
How is my password checked against the blacklist?
We check your password against a database of passwords that have been compromised in data breaches. We do this whenever you create a new password for your account, for example during registration, password change or if you've forgotten your password and need to choose a new one. You can read more about how this works and the service we use here.
To be clear, we never send your actual password in unprotected form. A hash (one-way mathematical representation) of your password is created and compared with the hashes of passwords on the blacklist. If a match is found, you'll be asked to choose a different password. If no match is found then you're good to go and nobody but you will know your new password.
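The three rules above and the hash-based blacklist check can be put together as a small validator. The following is an added illustration, not Virgin Media's own code: it assumes SHA-1 as the hash, a constructed blacklist of three sample hashes in place of the real breach database, and case-insensitive substring matching of each word of the name and the local part of the email address, none of which the page specifies.

```python
import hashlib

# Constructed sample blacklist: in practice this would be a large corpus of
# hashes from breach data, but three entries are enough to show the check.
_SAMPLE_BREACHED = ["password", "qwerty123456", "letmein1234"]


def password_hash(password):
    """One-way representation of the password (SHA-1 is an assumed choice)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Only hashes are stored; the plaintext samples above exist just to build them.
BLACKLIST_HASHES = {password_hash(p) for p in _SAMPLE_BREACHED}


def on_blacklist(password, blacklist=BLACKLIST_HASHES):
    """The password itself is never compared; only its hash is looked up."""
    return password_hash(password) in blacklist


def personal_tokens(name, email):
    """Words of the name plus the email address and its local part, lower-cased."""
    tokens = [t for t in name.lower().split() if t]
    tokens.append(email.lower())
    tokens.append(email.lower().split("@")[0])
    return [t for t in tokens if t]


def check_password(password, name, email, blacklist=BLACKLIST_HASHES):
    """Return the list of rules the password breaks; an empty list means accepted."""
    problems = []
    if len(password) < 10:
        problems.append("too short: at least 10 characters required")
    lowered = password.lower()
    if any(token in lowered for token in personal_tokens(name, email)):
        problems.append("contains your name or email address")
    if on_blacklist(password, blacklist):
        problems.append("appears on the blacklist of common or exposed passwords")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "alice2024rocks", "correct horse battery"]:
        print(candidate, "->", check_password(candidate, "Alice Smith", "alice@example.com") or "accepted")
```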