Slightly concerned!

enor
enor Posts: 88 Forumite
Hi,

My father uses BT as his ISP and has been having some problems with his e-mail. He called BT's customer services and they sorted it out for him.

The thing is, part of what they did was give him a new password to access his account. He is quite security conscious and always uses passwords that are a random combination of letters and numbers. He doesn't use the same password twice and has a good memory so he never records them anywhere. What worried him was the password the man at BT gave him matched, exactly, one that he had used previously, only not with BT but with an investment firm that he has an account with. Bearing in mind he hasn't used this account for a few years and the password was four numbers then four letters all random, surely this has to be more than coincidence?

This is really bugging us as we can't see a) how they got the password in the first place and b) if they can get the password why they would draw attention to the fact by giving it out?

Hopefully someone can shed some light.

Comments

  • fwor
    fwor Posts: 6,881 Forumite
    The probability of them picking an identical password by chance is very small indeed.

    However, I know from personal experience that memory can play tricks on you - particularly at matching patterns rather than numbers. It may be that the password had a similar pattern which fooled his brain into thinking it was identical (given that several years have passed since he last used it).

    Just because BT provide the access to the internet doesn't mean that they can see everything he is doing - any reputable site will use SSL to encrypt the contents of any page where a user enters login and password details, and your average BT employee doesn't have any practical way to break that encryption and see the passwords that he uses online.
  • hotpot1000
    hotpot1000 Posts: 315 Forumite
    I had the password changed for b/band with BT operator and once I logged on he insisted that I then change it to a different one without telling him.
    So you should change yours once someone else knows it.
  • enor
    enor Posts: 88 Forumite
    It's not his memory I'm afraid. He tried the password out and it still works!
  • M4RKM
    M4RKM Posts: 5,132 Forumite
    there is a 1 in 2821109907456 chance that the BT computer picked the same password....

    freaky really?!
  • Marty_J
    Marty_J Posts: 6,594 Forumite
    How odd.

    It seems unlikely, but then again, seemingly unlikely things happen all the time.

    I guess we have two options:

    1. it's a coincidence

    2. BT know all your father's passwords, having been monitoring his internet traffic for a few years, and are taunting him
  • tomsolomon
    tomsolomon Posts: 3,613 Forumite
    I had this question in some course work I did at college tonight....
    Which is the safest password from the list?
    There were several answers, these aren't the exact answers but you can get some idea of what a password should be like....

    1. 1874623
    2. ABH72B4
    3. FRED1066
    4. P1cCaLi11y

    If the letters and numbers your dad chose were "personal" to himself sooner or later they will be duplicated or cracked.
    Which of the four password examples above do you think may be the most likely not to be compromised?

    You may think your passwords are completely random and foolproof, but how random and foolproof are they to some desperate individual who is hell bent on stealing your information to make a few quid???
    To travel at the speed of light, one must first become light.....
  • fwor
    fwor Posts: 6,881 Forumite
    IMO that's actually quite a difficult question. With random (or good pseudo-random) numbers and letters it's easy to calculate the probability of each brute-force attempt succeeding.

    But when you add in words, it gets difficult to quantify the amount by which security is reduced, because you can't make accurate assumptions about the type or size of dictionary an attacker might use.

    Though slightly-modified common words like p4ssw0rd are very, very poor (I once took over running a large multi-site network where the Admin password on every router was c1sc0), I would guess that 4. is probably the safest, because it's by far the hardest to brute-force - and though the word ~might~ appear in an attacker's dictionary, they aren't likely to check such a large number of variations of i, 1 and l, plus the upper and lower case variations.

    Then again, it depends what sort of attack. If someone has it in the form of a hashed or encrypted password file, where they can try many thousands of combinations a second, I'm not sure...

    What was the correct answer from your test results?
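
The trade-off described in the post above, worked through for the thread's sample passwords as an added example (not code from any poster): it compares the search space of a blind brute-force with the much smaller space left once a password is recognised as a dictionary word with case changes, look-alike characters and a numeric suffix. The word list, the `LEET` table and the 100,000-word dictionary size are assumptions made for illustration.

```python
import math
import string

# Constructed word list; "piccalilly" is the reading of the thread's example 4.
WORDS = {"password", "cisco", "fred", "piccalilly"}
# Assumed size of the dictionary a guesser works from (illustrative only).
ASSUMED_DICT_SIZE = 100_000
# Look-alike characters and the letters each may stand for (assumed table).
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

def brute_force_bits(pw):
    """Bits of search space if every character were picked at random."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def readings(s):
    """Every lower-case reading of s with look-alike characters undone."""
    out = {""}
    for ch in s.lower():
        out = {r + o for r in out for o in ch + LEET.get(ch, "")}
    return out

def hidden_word(pw):
    """(word, length of numeric suffix) behind pw, or (None, 0)."""
    for candidate in (pw, pw.rstrip(string.digits)):
        match = readings(candidate) & WORDS
        if match:
            return match.pop(), len(pw) - len(candidate)
    return None, 0

def mangled_bits(word):
    """Bits added by per-letter choices: two cases plus any look-alikes."""
    variants = 1
    for letter in word:
        variants *= 2 + sum(letter in targets for targets in LEET.values())
    return math.log2(variants)

def assess(pw):
    word, suffix = hidden_word(pw)
    bits = brute_force_bits(pw)
    if word:  # space = dictionary x letter variants x digit suffix, not alphabet^length
        guided = math.log2(ASSUMED_DICT_SIZE) + mangled_bits(word) + suffix * math.log2(10)
        bits = min(bits, guided)
    return word, round(bits, 1)

if __name__ == "__main__":
    for pw in ["1874623", "ABH72B4", "FRED1066", "P1cCaLi11y", "p4ssw0rd", "c1sc0"]:
        print(pw, assess(pw))
```

The figures depend entirely on the assumed dictionary and substitution table, which is the uncertainty the post points out: a word the dictionary does not contain falls back to the brute-force estimate.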
  • Marty_J
    Marty_J Posts: 6,594 Forumite
    I would guess the last one would be hardest to crack as it's longer, and it has a combination of numbers and both uppercase and lowercase letters.

    It looks like a word to us, but it wouldn't look like one to a computer.
  • tomsolomon
    tomsolomon Posts: 3,613 Forumite
    Four was in fact the correct answer. They recommend minimum 6-8 characters with a combination of upper case, lower case, and numbers. It doesn't have to be one word, you can use a combination of words in this format to create a monster password extremely difficult to crack.
    Mind though, there is always a chance of a password being cracked no matter how difficult you make it.....
    To travel at the speed of light, one must first become light.....
  • enor
    enor Posts: 88 Forumite
    My father's password was more like number 3 but the 4 letters were random. This is really frustrating now as I'm sure we can rule out a coincidence.

    I was thinking, it might be that he managed to store it in the BT browser somehow. They have had access to his machine before to sort out another issue and may have got it then. This is only a guess but perhaps they could have seen a list of stored passwords in his browser and tried to be helpful (if slightly dodgy!) and tried to give him his old one back, then used the wrong one. I have no idea if this is even plausible!
This discussion has been closed.