
Comment by Angostura

10 years ago

VirginMedia (large ISP in the UK) won't accept passwords longer than 10 characters. No spaces or special characters allowed, must contain a number, must start with a letter etc.

What is really frustrating about this is that when I asked them why, they replied "we've chosen these limits to make sure your online password is secure".

  • I can imagine your facepalm.. Wondering how many of these "up to N characters" rules are actually there because there is a `password CHAR(N)` DDL declaration for storing plaintext passwords...

    • I tend to set password fields to varchar(400), though it's encoding info and base64 hashes.

          encoding\options\base64-salt\base64-hash-of-normalized-utf8

      I keep the encoding/options so it can be backwards compatible on change... when the encoding/options isn't the current one when the user logs in, it will be re-encoded/saved in the current one... this is so that security can be upgraded over time.

      Run normalization on composite unicode characters & look-alikes before encoding.

      I do one thing some consider bad, which is strip leading/trailing whitespace which is more often a copy-paste error, not actual password entry.
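The storage layout and upgrade-on-login behaviour sketched in the comment above, as an added example that is not the commenter's own code. It assumes a `$`-separated record (the comment shows backslashes), PBKDF2 as the key-derivation function, and example scheme names and iteration counts; all of those are this example's choices, not anything from the thread.

```python
import base64
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Record layout (assumption for this example; the comment uses "\" as separator):
#   scheme$iterations$base64-salt$base64-hash-of-normalized-utf8
# The scheme names and iteration counts below are illustrative, not from the thread.
CURRENT_SCHEME = "pbkdf2-sha256"
CURRENT_ITERATIONS = 600_000
# Schemes this code can still verify; only CURRENT_* is used for new records.
KNOWN_SCHEMES = {"pbkdf2-sha256": "sha256", "pbkdf2-sha1": "sha1"}


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def normalize_password(password: str) -> bytes:
    """Strip leading/trailing whitespace (the copy-paste case the comment mentions),
    then NFKC-normalize so composed and decomposed forms of the same characters
    produce identical UTF-8 bytes before hashing."""
    return unicodedata.normalize("NFKC", password.strip()).encode("utf-8")


def encode_password(password: str, scheme: str = CURRENT_SCHEME,
                    iterations: int = CURRENT_ITERATIONS,
                    salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record: scheme$iterations$b64(salt)$b64(hash)."""
    if scheme not in KNOWN_SCHEMES:
        raise ValueError(f"unknown scheme {scheme!r}")
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(KNOWN_SCHEMES[scheme],
                                 normalize_password(password), salt, iterations)
    return "$".join([scheme, str(iterations), b64(salt), b64(digest)])


def verify_password(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored record.

    Returns (ok, upgraded_record). When the password matches but the stored
    scheme/options are no longer current, upgraded_record is a freshly encoded
    record (new salt, current scheme) for the caller to persist; otherwise None.
    """
    scheme, iterations_s, b64salt, b64hash = record.split("$")
    if scheme not in KNOWN_SCHEMES:
        raise ValueError(f"cannot verify unknown scheme {scheme!r}")
    iterations = int(iterations_s)
    salt = base64.b64decode(b64salt)
    expected = base64.b64decode(b64hash)
    actual = hashlib.pbkdf2_hmac(KNOWN_SCHEMES[scheme],
                                 normalize_password(password), salt, iterations)
    # Constant-time comparison so mismatch timing does not leak hash prefixes.
    if not hmac.compare_digest(actual, expected):
        return False, None
    if scheme != CURRENT_SCHEME or iterations < CURRENT_ITERATIONS:
        return True, encode_password(password)
    return True, None


if __name__ == "__main__":
    # Constructed sample: a record written under an older scheme gets upgraded on login.
    legacy = encode_password("correct horse", scheme="pbkdf2-sha1", iterations=10_000)
    ok, upgraded = verify_password(" correct horse\n", legacy)
    print(ok, upgraded is not None and upgraded.startswith(CURRENT_SCHEME))
```

Because the hash covers the normalized bytes, a password typed with a precomposed `ä` and one typed as `a` plus a combining diaeresis verify against the same record, and the scheme prefix lets old records coexist with new ones until each user's next successful login rewrites theirs.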

Additionally, if you contact their customer support via the form they used to provide, they ask for your password, which is then presented back to you in plain text when they reply.

Quoting from a reply I had: "As there's no account password quoted on the form you’ve filled in I'm unable to go in to any account specifics."

"accountPassword: I'm not giving you my password"

Same with the Virgin Atlantic Flying Points site (usernames and passwords). Infuriating thing is the points are worth real money and can be transferred to other users so there is a real incentive to break in.

I guess it's a problem across the entire Virgin group of companies?