Same goes for Virgin Mobile (at least here in Australia), which ALSO requires you to only use numbers. Last week they forced me to change my password due to an "important change" - ascending or descending numbers were not allowed anymore. I guess they had a look at their plain text password database and realized that 99% of their users used 123456.

Edit: Australia seems to be using the US system: http://www.bitdefender.com/security/hacking-virgin-mobile-us...




Purely a guess but I think they only allow for numbers because it's a phone company. If they intend for people to enter their password/pin on their mobile phone then limiting it to only digits that you can type from any phone is understandable. Now I'm not saying it's a good idea but at least there is some sense to it.

In no particular order my usual gripes with passwords and auth in general are:

    * Disabling clipboard copy/paste (because now I can't use my password manager)
    * Length limitations (anything less than 32 characters is a limitation)
    * Requiring punctuation or "special characters" (they're annoying and don't add real security ... just use a longer password)
    * Lack of two-factor (preferably TOTP)

The password limit is really the scariest one. Short passwords are much easier to crack. Also, I have a sinking feeling that every site that says a password must be a specific max length is storing it in plaintext. Otherwise why the heck would it matter what the length is?


Huh. I never actually did the math before, but: there's 32 symbols on my (US) keyboard. Upper+lower+number gives a baseline 62 characters. This gives us a password space for brute force attacks of

    10 char alphanum: 62^10, or 8.4e17
    10 char alnumsym: 94^10, or 5.4e19
    11 char alphanum: 62^11, or 5.2e19
One extra character instead of needing to type symbols into my phone, with nearly identical complexity? Sounds good to me.


I have Virgin Mobile in the US (it's one of the cheapest options with good quality phones), and it seems the same. It made me set a 6-digit PIN as my password, and my phone number is my username. Here are the requirements listed on their website:

Your Account PIN must be:

- 6 numbers (no letters or special characters)

- no more than 3 identical numbers in a row (222)

- no more than 3 sequential numbers (such as 234)

If I did the math right, that's approximately 900,000 possible passwords, which is obviously really low.


Yeah, I wrote about this a few years ago and got a lot of press for it. They didn't really fix it, but at least they started rate limiting by IP address. https://kev.inburke.com/kevin/open-season-on-virgin-mobile-c...


Is rate limiting by IP the best way to handle something like this (other than the obvious, allowing better passwords)? You could obviously rate limit by account, but then you make it easy for anyone to lock anyone else out of their account. And obviously rate limiting by cookies as mentioned is awful.


There's no great way to "handle" something like this besides modifying the protocol to be less vulnerable.


This is funny because these restrictions reduce the total number of possibilities. I get that the idea was to stop commonly used passwords, but that's what they should have done - disallowed the top N common ones.


Phew. Dodged the bullet on forbidding vertical and diagonal strobes of the keypad.


Given that they've requested you to change password to conform to the new rule, I believe you were within these 99%? ;)


No, it could have just been random. They've reduced their keyspace massively by doing that. Six characters, all numbers, no ascending or descending. 123849 is invalid as an example, as is 954391.


Massively? For every 3 digits you look at, they're only blocking about 26 out of 1000 possible values. Factor in that there are 4 starting points to apply the restriction to, and you get roughly 10% of passwords being blocked. That's only a sixth of a bit of entropy being lost. Barely anything.


So 741963 would pass? Not sure how that rule you stated actually functions, I am probably overthinking it.

I am curious what simple pattern people will adapt to once you eliminate simple sequences. It has got to be predictable, as in someone could put math behind it.


Any run of three characters in sequence, forward or reverse, is marked as invalid. 123 876 432 would all mark the whole password as invalid, even if they only take up half the string. Yours would pass though, yes.
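An added example, not code from the thread or from Virgin Mobile: it encodes the PIN rules quoted above the way this thread reads them (any run of three identical or three consecutive digits, up or down, rejects the PIN, which is an assumption), enumerates every 6-digit PIN to check the "roughly 900,000" and "a sixth of a bit" estimates, and can optionally ban the keypad-column runs (147, 258, 369) to see what that would cost.

```python
import math

def bad_windows(keypad_columns=False):
    """3-digit windows the rules reject: a repeated digit (222) or a run that
    steps up or down by one (234, 876). Assumed reading: three in a row is
    enough to reject. keypad_columns additionally bans the vertical keypad
    runs 147/258/369 and their reverses (not part of the real rules)."""
    bad = {str(d) * 3 for d in range(10)}
    for d in range(8):
        run = f"{d}{d + 1}{d + 2}"
        bad.update({run, run[::-1]})
    if keypad_columns:
        for col in ("147", "258", "369"):
            bad.update({col, col[::-1]})
    return bad

def pin_allowed(pin, bad=None):
    """A PIN is rejected if any 3-digit window is a forbidden pattern."""
    bad = bad_windows() if bad is None else bad
    return pin.isdigit() and not any(pin[i:i + 3] in bad for i in range(len(pin) - 2))

def count_allowed(keypad_columns=False, length=6):
    """Count the PINs that survive the rules by walking the whole space;
    this is the guess budget a rate limiter has to defend against."""
    bad = bad_windows(keypad_columns)
    return sum(pin_allowed(f"{n:0{length}d}", bad) for n in range(10 ** length))

def bits_lost(allowed, length=6):
    """Entropy removed by the rules relative to an unrestricted numeric PIN."""
    return length * math.log2(10) - math.log2(allowed)

if __name__ == "__main__":
    for cols in (False, True):
        n = count_allowed(cols)
        print(f"keypad columns banned={cols}: {n} PINs allowed, {bits_lost(n):.2f} bits lost")
    for pin in ("123849", "954391", "741963"):  # the examples used in the thread
        print(pin, "allowed" if pin_allowed(pin) else "rejected")
```

The 26 forbidden windows per position match the "26 out of 1000" figure above, and the surviving count lands near 900,000, so the rules cost well under a fifth of a bit while the six-digit space itself stays under 20 bits.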


His is two vertical runs along the keypad. The forbidden ones are horizontal runs. That's why it's stupid. Any modeling of passwords humans would generate for use on a keypad should forbid 741 by the same logic that forbids 123.


My guess (with nothing to back it up) is people will start moving into patterns of 963 852 741 or the reverse since they're easy to type on the numpad without really remembering the values.

edit: On second look, that's exactly what you did in your example.


Date of birth probably. Now half of their passwords have 19xx in the same position.

I'm of the opinion that everybody should be given public and private key at birth.


It's called name and social security number :)


But those are both public


Demons have name and secret name. They figured it out.


That sounds like a much better security fix than allowing the full range of alphanumeric characters + symbols.


Same goes for Virgin Mobile France.
