r1sh12
Expert

BT Security is beyond woeful

Hello all,


I've been with BT broadband for the best part of at least 10 years now.

Recently, quite often, I've had to reset my father's email address password; for the life of me I could not figure out what was going on.

The password we had used for a bit too long (I admit that) was very secure.

But a recent revelation has just left me utterly speechless!

On the first attempt at resetting the password, the silly reset page does not allow symbols!!!

Which in turn makes it easier to guess or brute-force attack the servers to dump passwords out.

My father's email is accessed from 2 PCs in the home, one of which I use regularly (and I am fully aware of all the risks out there); the other is a laptop, and again I always ensure my security is high across all devices.

Can someone at BT explain why they have chosen to omit symbols for use in passwords?

Either that or the reset page does not allow them, which is it?

Thanks

 

Distinguished Sage

Re: BT Security is beyond woeful

See this link about BT passwords and in particular this part.

BT ID password has to be at least eight characters long, and must contain at least one number or special character (such as an exclamation mark, colon or question mark)

http://bt.custhelp.com/app/answers/detail/a_id/9193/~/how-can-i-keep-my-passwords-secure%3F

As your BTID password can be the same as your BTMail password, I assume it applies to BTMail as well as BTID.

I don't know if it applies to BTYahoo email passwords.

Distinguished Sage

Re: BT Security is beyond woeful

I hardly think that the lack of symbols is a huge security risk. What is the difference between a long password consisting of a random selection from 62 characters and one consisting of a random selection from a few more characters? Minuscule.

Distinguished Guru

Re: BT Security is beyond woeful


@gg30340 wrote:

I don't know if it applies to BTYahoo email passwords.


No, it doesn't. Yahoo passwords do not allow anything other than letters and numbers. You can mix uppercase and lowercase letters.

In my case, my password is 14 characters long, so I don't think anyone is going to be guessing it any time soon.

Distinguished Sage

Re: BT Security is beyond woeful


@Ectophile wrote:

No, it doesn't.  Yahoo passwords do not allow anything other than letters and numbers.  You can mix uppercase and lowercase letters.


So if it is a problem, it would appear to be a Yahoo failing, not a BT one.
r1sh12
Expert

Re: BT Security is beyond woeful

@licquorice

It's a massive difference!

Increasing the length of a password just increases the number of possible combinations, upper or lower case or mixed.

A 96 character password can be cracked in under 6 hours using brute force on a graphics card.

Adding symbols significantly increases the time; albeit it will get broken, it's a lot harder for the brute force to get them.

I work in enterprise security and test against such things for many large organisations etc...

Distinguished Sage

Re: BT Security is beyond woeful


@r1sh12 wrote:

@licquorice

I work in enterprise security and test against such things for many large organisations etc...


Ah, that would explain it. All the pen testers and security people I have known were only happy if a device was switched off in a sealed room with no connections!! :) :)

Distinguished Guru

Re: BT Security is beyond woeful


@r1sh12 wrote:

@licquorice

It's a massive difference!

Increasing the length of a password just increases the number of possible combinations, upper or lower case or mixed.

A 96 character password can be cracked in under 6 hours using brute force on a graphics card.

Adding symbols significantly increases the time; albeit it will get broken, it's a lot harder for the brute force to get them.

I work in enterprise security and test against such things for many large organisations etc...


I don't believe that for a moment.

A password of mixed uppercase and lowercase letters and digits has 62 possible characters. There are 62 to the power 96 possible 96-character passwords. According to the Windows calculator, that's about 1.17e+172 passwords. To crack that in 6 hours would require testing about 5e+167 passwords per second. That's fifty thousand billion billion billion billion billion billion billion billion billion billion billion billion billion billion billion billion billion billion passwords per second.

If you can find a graphics card that can do that, then I want one!

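The keyspace arithmetic in the reply above, worked through as an added example (not code from any poster in this thread): it reproduces the 62^96 and 5e+167 figures and then compares the alphabets the thread argues about. The guess rate used in the demo is a constructed round number, not a hardware figure.

```python
"""Keyspace arithmetic behind the symbols-versus-length argument in this thread.

Added example, not from any poster. Alphabet sizes are standard (10 digits,
62 letters+digits, 95 printable ASCII); any guess rate passed in is a
constructed illustration, not a measured cracking speed. Exhausting the
whole keyspace is the attacker's worst case; a reused or dictionary
password falls far faster, which is why length and uniqueness matter more
to a defender than whether symbols are permitted.
"""
import math

DIGITS = 10
ALNUM = 62       # a-z, A-Z, 0-9: what the thread says the mail password allows
PRINTABLE = 95   # ASCII 0x20-0x7E: alphanumerics plus symbols and space


def keyspace(alphabet_size: int, length: int) -> int:
    """Exact number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def rate_to_exhaust(alphabet_size: int, length: int, seconds: float) -> float:
    """Guesses per second needed to try every password within `seconds`."""
    return keyspace(alphabet_size, length) / seconds


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Time to try every password at a given guess rate (guesses/second)."""
    return keyspace(alphabet_size, length) / rate


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def equivalent_length(alphabet_size: int, length: int, target_alphabet: int) -> int:
    """Shortest length in `target_alphabet` whose keyspace is at least as large."""
    return math.ceil(entropy_bits(alphabet_size, length) / math.log2(target_alphabet))


if __name__ == "__main__":
    # The disputed claim: 62^96 passwords exhausted in six hours.
    print(f"62^96 = {keyspace(ALNUM, 96):.3e}")
    print(f"needs {rate_to_exhaust(ALNUM, 96, 6 * 3600):.2e} guesses/s")
    # Constructed rate of 1e10 guesses/s against the 14-character alnum password.
    years = seconds_to_exhaust(ALNUM, 14, 1e10) / (365.25 * 86400)
    print(f"14-char alnum at 1e10 guesses/s: {years:.1e} years")
    # Symbols add about 0.6 bit per character; one more character adds about 6 bits.
    print("14 alnum chars match", equivalent_length(ALNUM, 14, PRINTABLE), "chars with symbols")
```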
COMPANY-PENSIONER
Aspiring Expert

Re: BT Security is beyond woeful

Hi there.

When there are CASH COMPETITIONS to hack operating systems, add-ons, etc., finding someone with a mind to get into your email probably isn't too difficult.

http://www.pcworld.com/article/2899952/all-major-browsers-hacked-at-pwn2own-contest.html

Best regards. COMPANY-PENSIONER [ CC1960. Concordia Res Parvae Crescunt ]
