British Telecom Cellnet Web site offers poor password advice to customers

Incident Date: September 2001
Incident Location: United Kingdom

British Telecom Cellnet allows customers to view their mobile phone bill via their Web site. When registering for access, customers are provided with the following advice:

"Your Username and Password must be unique to yourself. Try to use something memorable -- you will need to use these every time you logon."

"Your Password will expire every 90 days and you will be required to choose a new one. You will be automatically prompted to change your password whenever you logon after the 90 day period has expired. To make your password easier to remember you can use the same password but add a different number each time a change is needed. For example, password1, password2, password3 and so on."

The practice suggested here is discouraged by many security professionals because it provides attackers with a known password format. Having a known format greatly reduces the number of necessary guesses before a password is discovered. In addition, this practice practically negates the benefits of requiring regular password changes.

The policy continues with this guidance:

"The Password Hint is a word or phrase that you can choose to remind you of your password should you forget it. For example if your password is your pet's name then the password hint could be 'pet's name'."

"The Memorable Item is something that you will need to supply whenever you need to see your Password Hint. Again try to use something that is linked to, and therefore will remind you of, your password and password hint."

User-definable password hints tend to be a bad practice because there are no controls over what the user types as a hint. Users can type a hint that is easily guessable (e.g. "First day of the week") or even the password itself (e.g. "Monday"). The 'Memorable Item' is basically just another password that the customer must remember.
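The two weaknesses described above (numbered password variants and hints that give the password away) can be caught when the password is changed. The following is an added example, not code from BT Cellnet or the RISKS report; it assumes the change form collects the current password alongside the new one, and all function names are hypothetical.

```python
import re


def _stem(password: str) -> str:
    """Lower-case the password and strip any trailing digits or punctuation."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def is_incremented_variant(old: str, new: str) -> bool:
    """True when new differs from old only in case or in its trailing counter.

    Catches the 'password1, password2, password3' pattern: the stem stays
    the same, so each forced change adds almost nothing for a guesser.
    """
    old_stem, new_stem = _stem(old), _stem(new)
    # An empty stem (all-digit password) gives nothing to compare.
    return bool(old_stem) and old_stem == new_stem


def hint_reveals_password(password: str, hint: str) -> bool:
    """True when the hint contains the password, or its stem, verbatim.

    This cannot detect a hint that is merely easy to guess from, such as
    'First day of the week' for 'Monday'; only literal disclosure.
    """
    pw, hint_l, stem = password.lower(), hint.lower(), _stem(password)
    return (bool(pw) and pw in hint_l) or (len(stem) >= 4 and stem in hint_l)


def check_change(old: str, new: str, hint: str) -> list:
    """Return the reasons a password change should be rejected (empty if none)."""
    problems = []
    if is_incremented_variant(old, new):
        problems.append("new password is the old one with a different number")
    if hint_reveals_password(new, hint):
        problems.append("hint contains the password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs taken from the examples quoted on this page.
    print(check_change("password1", "password2", "pet's name"))
    print(check_change("password1", "Monday", "Monday"))
    print(check_change("Monday", "Monday", "First day of the week"))
```

The last call shows the limit of such a check: the unchanged password is rejected as a variant of the old one, but the guessable hint passes, because no automated control can judge how much a free-text hint gives away.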

Story Sources

Title: Risks and madness on the BT Cellnet site
Author: Mike Perry
Date: 8/24/2001
Publication: RISKS Digest
Volume 21, Issue 64
Publication Location: USA
