Virgin Media blocks 'wankers' from permissible passwords

Virgin Media likes its fun-and-slightly-naughty image, but not, it seems, in its passwords. El Reg hadn't noticed until someone brought it to our attention, but the JavaScript plug-in the company uses for assessing password strength also censors passwords on the way in. Virgin's version of the plug-in is a 2009 update to the …


  1. Anonymous Coward
    Anonymous Coward

    If you are using offensive passwords to describe the service

    perhaps you are better off not using the service at all!

    1. i like crisps
      Trollface

      Re: If you are using offensive passwords to describe the service

      I use the common euphemism for 'Wankers' for my account.....'R1cHaRdBrAn50n'.

    2. Anonymous Coward
      Anonymous Coward

      Re: If you are using offensive passwords to describe the service

      How about this for a password on Virgin.....

      Hymen.

      1. philbo

        Re: If you are using offensive passwords to describe the service

        If you use it once, will it break?

        My favourite password story comes from the very first network install I was involved with, about 25 years ago. Netware v2, and so wonderfully secure that when the admin changed the supervisor password to "fuckme", it did: it accepted the password change, then wouldn't let him log in again. He ended up nuking the install and starting again from scratch.

      2. Anonymous Coward
        Anonymous Coward

        Re: If you are using offensive passwords to describe the service

        How about this for a password on Virgin.....

        Hymen.

        That's actually an OTP.

        OK, I'll go and hide now.

    3. phil dude
      Pint

      Re: If you are using offensive passwords to describe the service

      Roger's got you all sorted....

      P.

  2. Studley

    finian

    I've searched the deepest, darkest parts of the internet, and I still can't fathom why "finian" is blocked. Could be a misspelling of the Irish insult "fenian", but the original spelling isn't on the list, so I'm stumped.

    As for blocking any passwords that contain those strings? I can only imagine the confusion caused by some of the shorter ones on that list. I can't use Gr33nigl00 for example.

    Block lists aren't exactly a new thing; the more heinous crime is that Virgin constrain the password length to 8-10 characters.

    1. handle

      "the more heinous crime is that Virgin constrain the password length to 8-10 characters."

      Yes, but that's only part of the problem - worse is that they don't allow anything except numbers and letters. El Reg, can you "bite their hand" about this please?

      1. RamblingRant

        Re: "the more heinous crime is that Virgin constrain the password length to 8-10 characters."

        This is where it started...

        http://ramblingrant.co.uk/virgin-media-youre-only-as-secure-as-your-weakest-link/

    2. Ralara

      Re: finian

      "the more heinous crime is that Virgin constrain the password length to 8-10 characters."

      Which means they're probably not hashing them /o\

    3. VinceH

      Re: finian

      "I've searched the deepest, darkest parts of the internet, and I still can't fathom why "finian" is blocked. Could be a misspelling of the Irish insult "fenian", but the original spelling isn't on the list, so I'm stumped."

      Whoever added that to the list is probably confusing it with fenian.

      I say "confusing it with" because fenian is not itself on the list, so not only are they applying censorship to something nobody other than the person using the password should ever see anyway, but in this case they are censoring the wrong word. (For that matter, is Finian not a perfectly valid name? I'm sure I knew someone called that when I was a kid - if not that, it was very close!)

    4. tony2heads
      WTF?

      Re: finian

      Must be a reference to Finian's Rainbow. Anything with Fred Astaire & Petula Clark as 'Irish' pursued by leprechauns

    5. Anonymous Coward
      Anonymous Coward

      Re: finian

      > Could be a misspelling of the Irish insult "fenian", but the original spelling isn't on the list, so I'm stumped.

      Well, the fact that the correctly spelled version is *not* on the list should strengthen your hypothesis of a misspelling.

  3. Ketlan
    Happy

    Oo-er missus...

    I wonder if Scunthorpe is acceptable as a password.

    1. Anonymous Coward
      Anonymous Coward

      Re: Oo-er missus...

      I wonder if Scunthorpe is acceptable as a password.

      On the plus side, nobody can use "arsenal" :)

      1. Version 1.0 Silver badge

        Re: Oo-er missus...

        How would Nipissing fare ... and they even have a University

  4. Steve Davies 3 Silver badge

    Bollocks won't be allowed on many systems

    simply because they have a rule that blocks the 'll' in this word. Two consecutive identical characters is a big no-no in many an AD setup.

    Rather silly really because the hackers would have a better chance of getting a password hit because of this rule.

    Anyone with even an elementary understanding of Cryptography would know this.

    **

    One of the flaws with the German Enigma machine was that no letter/number could be encrypted as itself. Not allowing 'll' is a mistake of the same order IMHO.
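    An added illustration (not part of the comment above) of how much a "no two identical adjacent characters" rule shrinks the search space. With an alphabet of $k$ symbols and a password of length $n$, the first character is free and each later one must differ from its predecessor:

    $$N_{\text{all}} = k^{n}, \qquad N_{\text{no-double}} = k\,(k-1)^{\,n-1}, \qquad \frac{N_{\text{no-double}}}{N_{\text{all}}} = \left(\frac{k-1}{k}\right)^{n-1}$$

    For $n = 8$ this gives $(61/62)^{7} \approx 0.89$ over the 62 alphanumerics and $(25/26)^{7} \approx 0.76$ over lowercase letters alone, so the rule hands an attacker a 10-24% smaller space to search for no gain in strength.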

    1. Anonymous Coward
      Anonymous Coward

      Re: Bollocks won't be allowed on many systems

      Really the Welsh should be in there complaining about discrimination, because ll is an actual letter in Welsh.

      You are right about the cryptographic flaw in the Enigma; the second biggest flaw in the system was that the German high command put too much trust in their machines so, faced with an apparent leak of information, they went hunting for spies rather than looking to see if the machine could be hacked.

      1. Nigel The Pigeon

        Bollock, Bollocks

        Sloppy javascript at it's finest.

        If the list includes the word "bollock" and the regex match excludes all words containing the term, there is no need to include the word "bollocks", since it is excluded by default. Same for all variations of "f*ck", and "clit".

        The list also appears to be taken from an American script, because of the spelling of words such as "pedo".

        Come on Virgin, get yourself some proper developers! - or, pass this on to your webdev agency.
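        The substring behaviour Studley and Nigel The Pigeon describe, as an added example rather than the plug-in's own code: the word list and candidate passwords below are constructed for the demonstration, and the functions show both why "bollocks" is redundant next to "bollock" and which innocent passwords a substring check throws out.

```javascript
// Added example, not Virgin Media's plug-in. Models a substring-style
// password blocklist of the kind described in the thread.

// Constructed sample list; the plug-in's real list is not reproduced here.
const SAMPLE_BLOCKLIST = ["bollock", "bollocks", "bollox", "finian", "arse"];

// Case-insensitive substring check, the behaviour the thread attributes to
// the plug-in. Returns the list entry that caused the rejection, or null.
function blockedBy(password, list = SAMPLE_BLOCKLIST) {
  const lower = password.toLowerCase();
  for (const word of list) {
    if (lower.includes(word.toLowerCase())) return word;
  }
  return null;
}

// An entry that contains another, shorter entry can never change the
// outcome of a substring check: anything containing "bollocks" already
// contains "bollock". These entries are dead weight in the list.
function redundantEntries(list) {
  return list.filter((word) =>
    list.some((other) => other !== word && word.includes(other))
  );
}

// The same list with the redundant entries dropped, order preserved.
function minimalList(list) {
  const redundant = new Set(redundantEntries(list));
  return list.filter((word) => !redundant.has(word));
}

// Innocent candidates the substring check rejects (the "Scunthorpe problem").
function falsePositives(candidates, list = SAMPLE_BLOCKLIST) {
  return candidates.filter((p) => blockedBy(p, list) !== null);
}

// Constructed candidate passwords: two contain a listed string by accident.
const CANDIDATES = ["arsenal1", "FiniansRainbow", "Gr33nigl00", "correcthorse"];

console.log("redundant entries:", redundantEntries(SAMPLE_BLOCKLIST)); // ["bollocks"]
console.log("innocent passwords rejected:", falsePositives(CANDIDATES)); // ["arsenal1", "FiniansRainbow"]
```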

        1. Pete 2 Silver badge

          Re: Bollock, Bollocks

          > The list also appears to be taken from an American script

          As is usually the case with lists of "popular" passwords.

          ISTM the simplest way to obtain an uncrackable password is just to use a non-English (or non-American) word. And if you can get some non-ASCII into it, you're gÖlden.

          I'm pretty sure the same applies to "bad word" filters, too.

          1. Version 1.0 Silver badge

            Re: uncrackable password

            I've used Welsh passwords for years and never had any problems.

            1. Trigonoceps occipitalis

              Re: uncrackable password

              Such as ilovemysheep?

              1. BongoJoe

                Re: uncrackable password

                Such as ilovemysheep?

                And then the Saes eat them.

            2. JeffyPoooh
              Pint

              Re: uncrackable password

              V1.0: Welsh...

              You could probably use "cyfrinair" and get away with it.

            3. Anonymous Coward
              Anonymous Coward

              Re: uncrackable password

              > I've used Welsh passwords for years and never had any problems.

              How did you ever manage to type them twice the same way?

        2. Wilseus
          Headmaster

          Re: Bollock, Bollocks

          "Sloppy javascript at it's finest."

          Sloppy punctuation at its finest :)

          1. mark 63 Silver badge

            Re: Bollock, Bollocks

            "Sloppy javascript at it's finest."

            I'd imagine the java coder and the management type who compiled the list are 2 different people

      2. kiwimuso

        Re: Bollocks won't be allowed on many systems

        @Arnaut the less

        "the German high command put too much trust in their machines"

        You mean there are still people around who do not learn from history!!!

        Nothing has changed, has it?

    2. glen waverley

      Re: Bollocks won't be allowed on many systems

      But on reading the list in the link, I see "bolox" is on the banned list, as is "bollox".

      So there is more to it than the double l.

      Missing from the list is "bolocks", strangely enough.

  5. Anonymous Coward
    Anonymous Coward

    It's not just swear words. At a company I used to work at... (think it was an arm of a company that does disability tests) they suddenly added permanent filters to all corporate laptops, which a lot of us used in the evenings when in our hotels to watch YouTube and check email on Gmail etc.

    The following sites were blocked

    Facebook

    Twitter

    Youtube

    Linked In

    Gmail

    AOL

    Yahoo

    And the interesting thing is that even when not on the VPN they were blocked with the message

    Access Denied - Access only for Top Management.

    1. Anonymous Coward
      Anonymous Coward

      "at a company i used to work at"

      Clearly a company that thought, and with good reason, that it might have less than happy employees, and was trying to prevent them from using anything that might help them get another job.

      1. Anonymous Coward
        Anonymous Coward

        Re: "at a company i used to work at"

        Clearly a company that thought, and with good reason, that it might have less than happy employees, and was trying to prevent them from using anything that might help them get another job.

        ... or maybe a company that has an obligation to keep information confidential, and thus limits access on work systems to resources that help rather than hinder.

        A company is not always evil because it stops you from doing something stupid that could cost you your job. The really clever ones have internal Internet cafes on systems which are isolated from the main network, that way people can still get their fix without linking to the trust environment. I know one setup that even locks personal mobiles away, but they do handle rather sensitive information.

        1. Anonymous Coward
          Anonymous Coward

          Re: "at a company i used to work at"

          "or maybe a company that has an obligation to keep information confidential, and thus limits access on work systems to resources that help rather than hinder"

          So allowing senior management, who are likely to have more sensitive information and be at great risk of a targeted attack (and, the cynic in me says, more likely to fall for phishing) to access these resources is a good idea?

          1. Anonymous Coward
            Anonymous Coward

            Re: "at a company i used to work at"

            So allowing senior management, who are likely to have more sensitive information and be at great risk of a targeted attack (and, the cynic in me says, more likely to fall for phishing) to access these resources is a good idea?

            Maybe I'm fortunate, but in the places I have worked it usually was a policy *instigated* by senior management (usually after the corporate lawyers explained the consequences of not doing it).

            I agree that this is not exactly common practice, though :(

            1. Bernard M. Orwell

              Re: "at a company i used to work at"

              I believe it's entirely possible that I've not long finished working for that company, and yes, they did encrypt everything. I don't recall a message about "top management" however, but they were certainly big enough tossers to do something like that.

              It was clear, each and every day, that they trusted management, demanded results without resources and wanted to reduce technical headcount constantly.

              A**s....sorry, *they* were deeply stupid as a company and that probably explains why they've been losing contracts hand over fist of late and are not long for the UK market.

    2. glen waverley

      PC gone mad

      "think it was an arm of a company that does disability tests"

      Is "arm" really the best word to use in same sentence as doing "disability tests"? Or is that why it's a company you used to work at?

    3. Tom 38

      There are many corporate proxies/firewalls out there that will simply give empty responses for URIs with what they consider unacceptable words in them.

      One system I worked on generated SAML SSO messages, which have base64 encoded encrypted XML in the URI (SAML is fun like that), and some clients inconsistently would tell us that the site was broken or they had to log in twice, things like that. We eventually tracked down that the failing URIs worked correctly on our side, and noticed that the URLs had things like "c0ck" in them.

      One fun afternoon later we had derived a list of the most common swearwords, and now the URIs are generated in a loop until we get a URI without an unintended swear word - it's the same XML message each time through the loop, but with a new session encryption key, so the URI changes.

      We have clients globally; it seemed only US orgs go for this level of nannying.

    4. JeffyPoooh
      Pint

      on Corporate laptops

      I knew a guy that had his own HDD to slip into the corporate laptop. Made it his own after working hours.

    5. Anonymous Coward
      Anonymous Coward

      A to S don't block that anymore.

  6. Ken Hagan Gold badge

    Merde!

    Passwords should only be seen by the person who created them. The fact that Virgin cares about profane passwords (though only English profanities) suggests they are storing them in the clear for the use of their own support staff.

    1. Neil Barnes Silver badge

      Re: Merde!

      Not even seen by the creator, I think? They're always entered into a password box and asterisked out, no? The only person who would see this list is the person who wrote it, and anyone ferreting around in the script code...

      And if they're blocking them as partial words (I haven't checked the code) then that's everything from 'niggardly' to 'extravagant' banned, then.

      1. handle

        Re: Merde!

        The "show password" tick-box is increasing in popularity.

        1. Destroy All Monsters Silver badge
          Trollface

          Re: Merde!

          Or the help desk has been moved to the Caliphate.

          "Yes this is Aziz from ISIS, how can I scalp you?"

    2. Pete 2 Silver badge

      Re: Merde!

      > Passwords should only be seen by the person who created them

      Maybe if the requirement was reversed: so that only phrases that were deeply personally derogatory were allowed: e.g. "I'm a pheasant plucker" (or words to that effect), then at least it would stop individuals freely handing out their passwords to all and sundry.

    3. hazzamon

      Re: Merde!

      The password, as far as I can see, is filtered by this javascript on the user's local machine, prior to being hashed and sent to Virgin.

      1. Anonymous Coward
        Anonymous Coward

        Re: Merde!

        > The password, as far as I can see, is filtered by this javascript on the user's local machine, prior to being hashed and sent to Virgin.

        Then why bother filtering it at all? If the profanity is never going to leave the client side then who can possibly be offended?

        1. mark 63 Silver badge

          Re: Merde!

          Having just read the security consultant's blog linked above, I'm pretty sure they aren't hashed, or if they are, the staff have a skeleton key, which renders it pointless, and they do read passwords back out over the phone to customers (some reports say).

      2. RamblingRant

        Re: Merde!

        The filter is applied both in javascript at the client and on the server.

        It's certainly not hashed at the client prior to sending though, and it's looking more doubtful it's hashed on the server either.

      3. John Brown (no body) Silver badge

        Re: Merde!

        "The password, as far as I can see, is filtered by this javascript on the user's local machine, prior to being hashed and sent to Virgin."

        What? Are you saying VM are installing software full of abusive terms on customers' PCs in the clear?

        So any VM customer who has their computer "examined" by the police "on suspicion of xxx" will always get charged with something, eg hate speech

    4. Anonymous Coward
      FAIL

      Re: Merde!

      Exactly - it's almost as if they're worried that an unencrypted list of passwords may be leaked, or that perhaps an employee might be asked to read out a user's password over the phone...
