next »

[kitz]

In view of the recent spam issues there will be a lot of users changing their passwords over the next few days.

Im surprised that the current restrictions are very poor and lacking

Your password must begin with a letter and
contain only lowercase letters and/or numbers.
It must be between 5 and 8 characters in length.

This should be immediately reviewed as there will be customers who have existing passwords that are far more secure, but outside of the range of the existing rules.

Please register your thoughts and comments in this thread and vote in the PUGit here


[post edited]

Didn't realise there was already an existing PUGit item with similar request.
Changed to include different url.

[scarymonkey]

PUGIT Issue 29 Is the PUGIT reference for strong passwords

[wildmind]

Been asking for this for years and always been told that it was too much work and would require too many changes to backend systems.

Why should it be something that is voted for for crying out loud - it should be a P0 ranking above all other issues. Despite all the assurances that our security matters.... it obviously doesn't really.

[jabns]

its just asking for trouble. your passwords should at least have to be alpha-numeric and should be allowed some symbols as well for added security it would take 2mins to Brute Force my login. Just tried with a old version of lophtcrack network security suite and i limited the bandwith available to that of a 5mb con and it took just 00:01:56. Half the passwords would probably fall under a standard dictionary check. Do you even have a portal lokout policy in affect?

[kitz]

What is puzzling me is when did they actually bring in these rules and make them so lax compared to what we could use before?

I have passwords on my account/mailboxes that dont fit in the current criteria, and its bugging me that to change my passy I'd have to go by the new rules.

Maybe Im being thick but there must surely be several thousand passwords in use everyday by customers that they'd created previously which dont follow those rules, yet we can still login.  Therefore I cant see why I cant create a new passy in a similar style I used before?

[bud]

This rule was in force during 2002 when I moved my main connectivity back to plusnet, but when I had a surftime connection there was no restrictions at all.

I do recall disccusions on usenet that plusnet were looking to remove the 8 character limit but that was a long time ago.

[dhookham]

This rule was in force during 2002

Not to belittle the current issue, but it's interesting that so many people are getting excited about heightened password security yet presumably haven't changed their password in 5 years.

[wildmind]

Just wondering if there's any news from PN on this one?

[neilarmstrong]

We are going to enable stronger passwords as soon as we can - can't give you a date yet but we're working on it.

[JSchlackman]

This seems to be a sign of a worrying trend - since the mailbox enhancements last month we've had a needless restriction to lowercase-only passwords, which thankfully Bob Pullen has already said is under review. Who on earth thinks these things up in this day and age?

[bpullen]

Hi all,

Quick heads up that on Wednesday we will be rolling out changes to the platform that will allow customers the ability to choose much more secure passwords.

For those that don't know, customers are currently restricted to using a 5-8 character password containing numbers and lowercase letters that must start with a letter! The option to allow stronger passwords as we know has been the most voted for suggestion on the Usergroup Issue Tracker for a while now and we recognise that it's something a lot of you have been asking for.

As of Wednesday customers will be forced into choosing a password that's between 8 and 16 characters when they signup. This password can also contain any of the folowing characters:

Code:

!#$%&()*+,-./:;<=>?@[]^{|}~
0123456789
ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz

You will not be forced into changing your existing details so anyone with a password not meeting this criteria can continue using their current credentials.

Password changes on the portal will propagate around all the systems (FTP, Mail, Portal access etc.). The only system that will not support the new password format will be FrontPage. FrontPage will only take into account the first 8 characters.

If anyone has any questions or feedback then please feel free to contribute to this thread and I'll do my best to provide answers.

Kind Rgds,

[JSchlackman]

Excellent news!

[northbritish]

The only system that will not support the new password format will be FrontPage. FrontPage will only take into account the first 8 characters.

Will FrontPage work ok if the first 8 characters contain any of the additional characters now permitted?

I.e. 12345678#A would I assume work OK for FrontPage, but would #A12345678 work?