I learned a long time ago that the default assumption for non-tech-first companies should be deep, deep incompetence, below the level of an undergrad with a decent CS degree, when it comes to basic security practice. Even having your system be Incredibly Important isn't enough to force basic competence: there were plenty of government and bank systems through the 2000s that were apparently designed and maintained by high school kids (looking at you, Citibank).

By 2019, a lot of the industries running more critical systems like finance have figured out that you should take your tech seriously (and it only took them twenty years to figure it out...), but it's still a pretty good baseline assumption.
Virgin Media is an ISP, for those who don't know.

Perhaps more shockingly, they have a *maximum* password length of 10 characters, and the first character must be a letter.

https://twitter.com/Joshwright10/status/1162811048359014400
I get everyone replying to Virgin's Twitter account in disgust, but let's be honest, the person on the other end of that most likely won't be technical, nor will there be much chance of them relaying it on. They will reply then go home for the day.

This is where things like https://securitytxt.org/ are important. Being able to go through to the team or person who knows what's going on. But then again, if a company stores plain text passwords they most likely won't have a security.txt.
> Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS (@virginmedia)

> There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication. [0]

Well, they're not admitting what they do is in any way unsafe, but it really seems like a cut-and-dried GDPR violation.

They really haven't met even the spirit of:

> Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

[0] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/
From 2015: "Virgin Media stores user passwords in plaintext?" https://news.ycombinator.com/item?id=9492006
Right now in 2019, companies in the UK who somehow now think that they are 'tech companies' have this attitude when it comes to security. I met one company that recently got funding in the UK that deals with personal insurance and asked them if they write tests, and they responded that they don't have tests, because they have no time to write any. In this case, that is like not having a security audit because we don't want anyone knowing the secret sauce.

Unfortunately, the motto here is 'If it ain't broke, don't fix it.' and these systems don't get updated for a while, until it is too late.

> Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS

I can't trust Virgin to mail me anything sensitive then, as the person who sent these details could have just seen it and written it down beforehand. That is too much of a risk to trust anyone and call that secure, even if it is illegal to open someone else's mail.

Well, I'll be expecting the GDPR officers to mail you clowns a huge fine then.
How is it that ISPs are always such awful organisations? I understand that their user base isn’t particularly technical, but there’s no excuse for this sort of public stupidity.
When you have a problem and call support, they do the "please enter the 4th digit of your account password" thing to verify you (further evidence that they store it in plaintext). This is particularly fun since my password is only in a password manager, which, if my service is offline, I can't access. So whenever my internet goes out, calling VM support to get them to fix it involves an extra 15 minutes of me arguing with them.
I’m a bit rusty and could be wrong but doesn’t MSCHAPv2/CHAP require knowledge of the plaintext password on the server side? I think that makes it required to be stored plaintext for any PPP connection and thus most if not all ISPs would be storing plaintext passwords
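The positional "enter the 4th digit of your password" check in the comment above and the CHAP question in this one both come down to which questions a stored credential can answer. The following is an added example, not code from Virgin Media or from anyone in this thread; the sample password and the PBKDF2 work factor are constructed values chosen for the demonstration. It shows a salted PBKDF2 store that can only answer "is this the whole password?", a positional check that has to take the plaintext as input because a hash cannot yield individual characters, and the RFC 1994 CHAP response (MD5 over identifier, secret and challenge), whose server-side verification likewise needs the plaintext secret.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample secret for the demonstration; not a real credential.
SAMPLE_PASSWORD = "correct horse battery"
# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your own hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are stored; the plaintext is gone."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_full_password(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """The one question a salted hash can answer: is this the whole password?"""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def verify_character_at(stored_plaintext: str, position: int, char: str) -> bool:
    """The phone-support style check ('give me the 4th character', 1-based).

    It takes the plaintext as input because there is nothing else it could be
    computed from: a PBKDF2 digest does not reveal any single character.
    """
    if not 1 <= position <= len(stored_plaintext):
        return False
    return hmac.compare_digest(stored_plaintext[position - 1].encode("utf-8"), char.encode("utf-8"))


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_server_verify(identifier: int, challenge: bytes, response: bytes, stored_secret: bytes) -> bool:
    """Server side: recompute the client's response, which needs the plaintext secret."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(identifier: int, secret: bytes, challenge: Optional[bytes] = None) -> bool:
    """Both sides of one CHAP round; the server is assumed to hold the plaintext secret."""
    challenge = challenge if challenge is not None else os.urandom(16)
    response = chap_response(identifier, secret, challenge)            # client computes
    return chap_server_verify(identifier, challenge, response, secret)  # server checks


if __name__ == "__main__":
    salt, digest = hash_password(SAMPLE_PASSWORD)
    print("full-password check from the hash:", verify_full_password(SAMPLE_PASSWORD, salt, digest))
    print("positional check (needs plaintext):", verify_character_at(SAMPLE_PASSWORD, 4, "r"))
    print("CHAP round (server needs plaintext):", chap_exchange(1, SAMPLE_PASSWORD.encode("utf-8")))
```

The asymmetry is the point: `verify_full_password` works from `(salt, digest)` alone, while `verify_character_at` and `chap_server_verify` cannot be written without the plaintext secret as a parameter. A system that offers either of the latter checks is therefore storing something recoverable to plaintext, whatever its support staff say.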
UCAS used to do a similar thing. I really hope they have fixed this since. https://i.imgur.com/H2gADSX.png
Virgin Media have a 'memorable word' that you quote to the phone agents as proof that it's you talking to them. It's not the password to the online account, and it's only one of a few bits of info you get asked for to prove you are the account holder.

I think this is what is being talked about. Not the actual account 'password'.
Don't think this was posted yet, they doubled down on this:

https://mobile.twitter.com/VirginMediaIE/status/1163441193541414912
Does anyone else think the Virgin group companies are really bad and are simply based on good marketing? My read on Branson himself is that he's DT with actual billions.