Is It Safe?
Thursday 3rd December, 2015 12:01 Comments: 0
I was pointed in the direction of an audit of major UK ISPs. It's not particularly scientific, it presents a load of facts with colours followed by summaries of the companies.
My initial questions are around things like what exactly does StartTLS mean? They've broken down SSL/TLS for each service, such as POP3, IMAP, SMTP, but then followed that with a rather generic single line of StartTLS, which could be implemented for all of the above mail services. Why not split them into separate lines? Are we making PlusNet, for example, look bad because they don't support SSL/TLS with their mail services, but perhaps they support the StartTLS extension for all 3? Without the breakdown, does "Yes" mean they support it for all email services or "at least one"?
In terms of passwords, Virgin are made to look particularly bad because they don't allow special characters, but really people should care about length more than complexity (P@55w0rd can be cracked in about 1/1000th of the time it takes to crack longeralphapassword, and I know which one will be easier to remember). There should be a much greater emphasis on the minimum (and maximum) password length, or ideally the amount of entropy, or number of attempts to correctly crack the password. Virgin could have gotten away with restricting the password complexity if they allowed really long passwords. Sadly they don't.
EE has a ridiculously low 6 character minimum, and doesn't support many characters (a-z, A-Z, 0-9 and an underscore), but at least allows up to 16 characters, which saves them slightly (about a hundred billion centuries to crack strong passwords offline, and much slower for an online attack); Virgin has a similarly restrictive set and a pretty rubbish maximum length of 10 characters, which is terrible. With Virgin's more restrictive policy, you're looking at around 3 hundred thousand centuries to crack it online (assuming they don't spot the repeated attempts over the centuries), which sounds reasonable, but an offline crack might only take someone around 3 months. Oh dear.
The strongest password you can set is with BT, which would apparently take so long to crack online that you start with the phrase "hundred trillion", add the word "trillion" several times, then finish with the word "centuries". Even if an offline attack occurs, because someone managed to get the hashes, you're still talking trillions and trillions of centuries. You'll be long dead by then. Probably.
Unfortunately, most people won't go with a 50 character password using the full password complexity. I imagine Autumn2015 or Winter2015 would be pretty decent guesses right now for a significant percentage of customers for all of the ISPs listed.
My initial questions are around things like what exactly does StartTLS mean? They've broken down SSL/TLS for each service, such as POP3, IMAP, SMTP, but then followed that with a rather generic single line of StartTLS, which could be implemented for all of the above mail services. Why not split them into separate lines? Are we making PlusNet, for example, look bad because they don't support SSL/TLS with their mail services, but perhaps they support the StartTLS extension for all 3? Without the breakdown, does "Yes" mean they support it for all email services or "at least one"?
In terms of passwords, Virgin are made to look particularly bad because they don't allow special characters, but really people should care about length more than complexity (P@55w0rd can be cracked in about 1/1000th of the time it takes to crack longeralphapassword, and I know which one will be easier to remember). There should be a much greater emphasis on the minimum (and maximum) password length, or ideally the amount of entropy, or number of attempts to correctly crack the password. Virgin could have gotten away with restricting the password complexity if they allowed really long passwords. Sadly they don't.
EE has a ridiculously low 6 character minimum, and doesn't support many characters (a-z, A-Z, 0-9 and an underscore), but at least allows up to 16 characters, which saves them slightly (about a hundred billion centuries to crack strong passwords offline, and much slower for an online attack); Virgin has a similarly restrictive set and a pretty rubbish maximum length of 10 characters, which is terrible. With Virgin's more restrictive policy, you're looking at around 3 hundred thousand centuries to crack it online (assuming they don't spot the repeated attempts over the centuries), which sounds reasonable, but an offline crack might only take someone around 3 months. Oh dear.
The strongest password you can set is with BT, which would apparently take so long to crack online that you start with the phrase "hundred trillion", add the word "trillion" several times, then finish with the word "centuries". Even if an offline attack occurs, because someone managed to get the hashes, you're still talking trillions and trillions of centuries. You'll be long dead by then. Probably.
Unfortunately, most people won't go with a 50 character password using the full password complexity. I imagine Autumn2015 or Winter2015 would be pretty decent guesses right now for a significant percentage of customers for all of the ISPs listed.