Wednesday, September 14, 2016

That time a BT rep. recommended I use "something like Password123"

There are loads and loads of sites out there with ridiculous password rules, but BT gets a special shout-out for running several different password policies at once, depending on which page you happen to be on. In case it's not obvious, no one has any business capping the length of a password or disallowing certain characters. A properly hashed password always ends up the same length in storage, and any sequence of characters can be hashed, so a short length cap or a character blocklist is usually a sign that the password is being stuffed into a fixed-width field, forwarded to some legacy backend, or otherwise handled in the clear. (The only legitimate upper bound is a generous one, say 64 or 128 characters, to stop someone submitting megabytes of password to a deliberately slow hash; bcrypt, for instance, only ever looks at the first 72 bytes. Sixteen alphanumerics is not that.) Besides, once the password is hashed you don't know what characters it's made up of anyway. If nothing else BT is a technology company so really should know better.

We are moving, BT has a sale on, my wallet beat my morals and I decided to go back to BT from Andrews & Arnold.

So I got past the BT ordering page and onto the account setup page. I generated my random 20 character password as usual and pasted it into the password field, but up came a big red banner, saying "Passwords must be 8 characters long, contain only letters & numbers and need to start with a letter." (I've only just noticed that it says "be 8 characters long", at the time I read it as "at least 8 characters long".)



Note how the text is helpfully truncated. I thought this was pretty dumb but changed my password generator to use only letters and numbers, start with a letter and set the length to 40 characters. That password was accepted by the JavaScript on the page, but then I went to paste the password into the confirmation field and nothing happened. Yep, JavaScript was now preventing me from pasting my generated password into the password confirmation field. (I'm not sure if a proper password manager would have managed to do this automatically.) No problem, I fired up the browser dev tools and removed the anti-paste code.



I filled the rest of the form in and clicked "Continue". The same page loaded again, but this time with a big red warning saying "Please ensure all required information is complete."



I wasn't even sure that this was about the password, so I got onto their chat support:

Issy: Good morning Jamie
Issy: How may I assist you with your order today?
Jamie: Hi
Jamie: I am trying to create an account
Issy: I'll be happy to assist you with that
Jamie: but at the "Please complete your set up options." page
Jamie: where I choose a password etc
Jamie: it comes back with
Jamie: "Please ensure all required information is complete."
Jamie: no indication of what is wrong
Jamie: I have filled everything in
Jamie: also
Jamie: there are a number of other issues with the form
Jamie: the password rules are stupid
Jamie: and I can't paste into the password confirmation box
Issy: Please make sure your password isn't too long. Something like Password123 should work
Jamie: HOLY FUCK
Jamie: are you joking?
Issy: Please don't use that one. It wouldn't be too safe
Jamie: can I download this chat transcript?
Issy: Please select the small envelope at the top of this chat to send a copy to yourself
Issy: You can also copy and paste
Jamie: so is twenty characters too long?
Issy: That's right
Jamie: your password policy doesn't allow special characters
Jamie: alpha numeric only
Jamie: and twenty characters is too long?
Jamie: so what's the maximum length then?
Issy: That's correct Jamie. It would need to be within 8-16 characters. I'm aware it doesn't show this on the page
Jamie: Wow.

So yes, a 16 character alpha-numeric password worked. But this isn't the end of the story. Once I had logged into the BT website I checked to see if I could change my password to a longer one, and yes, I could! In fact there didn't seem to be a limit to the length, but it still didn't like special characters. But that still isn't the end of the story. While writing this blog post I wanted to see if you could create a BT account outside of the order process. You can, and on that page, once you enter an invalid password, there is actually a helpful description of which special characters are allowed: "Only use numbers, letters and these special characters :!@#$%^&*()_+-=[]{};':",./?". Using these I was finally able to generate a long random password with special characters.
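To make the three policies in this story concrete (the order page's JavaScript, the order page's backend as described by chat support, and the standalone account page with its special-character list), here is an added Python example. It is not code from the original post or from BT: it encodes each policy as data, checks a password against it, generates a policy-compliant password from a CSPRNG, and works out how many bits of entropy each cap leaves you with. The account page's minimum length is not stated in the post and is assumed to be 8; the special-character set is copied from the error text quoted above, and whether the leading colon is part of the set or just punctuation is ambiguous (it makes no difference, since ':' appears later in the list anyway).

```python
import math
import secrets
import string

LETTERS = string.ascii_letters
ALNUM = LETTERS + string.digits
# Special characters the standalone account page lists as allowed (copied from the
# post's quote). Note what is missing: space, backslash, pipe, backtick, tilde, < and >.
BT_SPECIALS = ":!@#$%^&*()_+-=[]{};':\",./?"
BT_FULL = ALNUM + "".join(sorted(set(BT_SPECIALS)))

# Each policy: (min_len, max_len or None for "no cap observed", allowed alphabet,
# must start with a letter). The order page's JavaScript and its backend disagree,
# which is exactly what the post ran into. The account page's minimum is assumed.
POLICIES = {
    "order_page_js":      (8, None, ALNUM, True),
    "order_page_backend": (8, 16,   ALNUM, True),
    "account_page":       (8, None, BT_FULL, False),
}


def violations(password, policy_name):
    """Return the reasons the password fails the named policy (empty list = accepted)."""
    min_len, max_len, alphabet, letter_first = POLICIES[policy_name]
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len}")
    if max_len is not None and len(password) > max_len:
        problems.append(f"longer than {max_len}")
    bad = sorted({c for c in password if c not in alphabet})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    if letter_first and password and password[0] not in LETTERS:
        problems.append("must start with a letter")
    return problems


def generate(length, policy_name):
    """Generate a uniformly random password that satisfies the named policy."""
    min_len, max_len, alphabet, letter_first = POLICIES[policy_name]
    if length < min_len or (max_len is not None and length > max_len):
        raise ValueError(f"{policy_name} does not allow length {length}")
    first = secrets.choice(LETTERS if letter_first else alphabet)
    rest = "".join(secrets.choice(alphabet) for _ in range(length - 1))
    return first + rest


def entropy_bits(length, policy_name):
    """Entropy, in bits, of a uniformly random password of this length under the policy."""
    _, _, alphabet, letter_first = POLICIES[policy_name]
    first_choices = len(LETTERS) if letter_first else len(alphabet)
    return math.log2(first_choices) + (length - 1) * math.log2(len(alphabet))


if __name__ == "__main__":
    print("Password123 on backend:", violations("Password123", "order_page_backend") or "accepted")
    print(" 8 chars, alnum, letter first:", f"{entropy_bits(8, 'order_page_backend'):.1f} bits")
    print("16 chars, alnum, letter first:", f"{entropy_bits(16, 'order_page_backend'):.1f} bits")
    print("40 chars, alnum, letter first:", f"{entropy_bits(40, 'order_page_js'):.1f} bits")
    print("20 chars, account page charset:", f"{entropy_bits(20, 'account_page'):.1f} bits")
    pw = generate(16, "order_page_backend")
    print("generated:", pw, "->", violations(pw, "order_page_backend") or "accepted")
```

The numbers are the interesting part: "Password123" sails through the backend policy, an 8-character alphanumeric password starting with a letter is only about 47 bits, while the 16-character cap still allows about 95 bits, which is plenty if the password is actually random. The damage the policy does is less to the strength of the best password you can pick than to password-manager users, who have to fight the form to get one in at all.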

Bonus lolz

Remember how I said I was moving? Well during the order process I ticked the box to say that I wasn't yet living at the property, but I wasn't asked for a current postal address, where they would be able to send the confirmation details.

Jamie: do you know when/where the confirmation letter will be sent?
Issy: This would be to the address your service is to be connected
Jamie: but I'm not living there at the moment
Jamie: the current owners are
Issy: You may want to make them aware to expect the letter.
Jamie: Brilliant.