Strong Passwords!

Hi all,

Quick heads up that on Wednesday we will be rolling out changes to the platform that will allow customers the ability to choose much more secure passwords.

For those that don't know, customers are currently restricted to using a 5-8 character password containing numbers and lowercase letters that must start with a letter! The option to allow stronger passwords has been the most voted for suggestion on the Usergroup Issue Tracker for a while now and we recognise that it's something a lot of you have been asking for:
http://usergroup.plus.net/pugit/view.php?id=29

As of Wednesday customers will be forced into choosing a password that's between 8 and 16 characters when they signup. This password can also contain any of the following characters:

!#$%&()*+,-./:;<=>?@[]^{|}~

0123456789

ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz

You will not be forced into changing your existing details so anyone with a password not meeting this criteria can continue using their current credentials.

Password changes on the portal will propagate around all the systems (FTP, Mail, Portal access etc.). The only system that will not support the new password format will be FrontPage. FrontPage will only take into account the first 8 characters.

If anyone has any questions or feedback then please feel free to contribute to this thread and I'll do my best to provide answers.

Kind Rgds,

Edited by deleted (Mon 21-May-07 18:53:19)

I thought Dave T or someone similar said the change was a massive thing (hence why it hadn't been done before) and would take ages?

How come it's taken a security breach before anyone took security and so on sufficiently seriously?!?

We have always taken security seriously. The strong password rollout is not a small matter and is still requiring a huge effort to roll this in such a short time.

Funny how all these things that have been asked for for ages are now being looked at and done though isn't it

But... Great news! Finally I can change my password without having to make it worse than it already is!

>We have always taken security seriously. The strong password rollout is not a small matter and is still requiring a huge effort to roll this in such a short time.

How I read therioman, with your reply, if it required a huge effort is such a short time, why hadn't it been done over a longer time, without the need for so much effort in the past?

In reply to:

---

We have always taken security seriously.

---

Adopts the pantomime response, "Oh no you haven't"

If something that takes a huge effort can be done in a short time, if longer is taken it can normally be done with more thought and preparation and less chance of mistakes. It's a shame that we have to bring up the negatives to these positive moves, but PlusNet have brought it upon themselves.

But yes!!!! At last!

I'm still interested as to why the frontend systems had certain restrictions, while every other system clearly doesn't. But it's proved difficult to get a straight answer. I know of plenty of people who used passwords across dialup, DSL, webmail and portal all of which do not conform to the old and odd requirements.

Personally I think this move will enhance security for your customers but I don't like the answer you have given.

Back in Feb you were asked to work on the password issue and it is only now that you have got round to it and after a serious security breach (which might or might not be releated to a password issue) . Before Feb you were asked by a number of people (including those in PUG) to improve password security and that too fell on deaf ears. This is the Feb story, remember?
http://www.theregister.co.uk/2007/02/07/plusnet_passwords/

Two more: Link 1 & Link 2.

Edited by rsharma (Mon 21-May-07 19:45:24)

Remember that we have pretty much stopped all of our other development work to focus solely on these projects, and yes, that is a direct result of us being caught out in the way we were. While we were very aware of a number of issues where we were weaker than we should have been (And webmail was one), we had never found the onus to properly prioritise the development work above other things.

There is no argument that recent events have changed that and much of our next three months will be focussed solely on projects that relate to both email and platform security / stability (although I imagine a fair bit of that won't be visible to customers (Fixing potential problems that don't yet exist is never very exciting to watch).

We've always had to make difficult decisions about priorities and this is no exception - Things we were working on as part of our plans for 2007 will certainly slip as a result of this. Yes, we could and should have done all this stuff sooner, but it would have been at the expense of different work. That said, the speed we deployed a whole new webmail platform was stunning imo, and while we worked through the weekend and overnight to design, build and deliver that I reckon there are definately some useful things we can learn... A project like that would have been in QA (testing) for 2 weeks previously, and even then probably wouldn't have come out any more bug free than it is now.

Ian

Sadly there are a number of unanswered questions over passwords, but chris is probably just toeing the party line. this approach unfortunately sometimes causes more problems than good, especially on these forums.

Hopefully some will be answered, but in the mean time, at least this feature, requested for a VERY long time has been implemented. It's a shame it's taken such a mess for whatever needed to be changed internally (be it attitude, money, or other resources) to do so, but thank god it has.

Next up...

Proper SSL connections for all mail transactions (POP3, IMAP and SMTP).

Then things may be up to speed with the free e-mail services out there