Since late last year I’ve been going through a process of adding complex, long and individual passwords to all my online accounts. I’m still doing it, albeit now for the less important accounts. Today I looked at bt.com. I don’t use them but still have an account set up from when I used to use them.

Now, by default, I try to use a 50-character randomised password, complete with numbers and symbols, generated by 1Password. Some sites have length limits, so this sometimes needs adjusting. The BT account page lists no such limitations, so what could go wrong?


Their page does list the following requirements, but they all seem pretty sensible…

  • Needs to be at least 8 characters long, with a mix of letters and numbers.
  • Can’t be a common phrase or sequence such as ‘password’, ‘letmein’, ‘1234’.
  • Can’t be a previous password.

So I generate my password and…

It’s apparently ‘weak’. Wow, that’s some security they have there. Except that yellow box doesn’t suggest I’ve done anything wrong. Note the confirmation box at the bottom is greyed out – until I supply a new password that is not weak I can’t use it.

However, also note that the message says “letters and numbers”. Not symbols. So I generate a new 50-character password, now sans symbols, and voilà, it works. So symbols don’t work, but BT don’t mention that. Not only that, but by using an invalid character they deem your password, bizarrely, to be “weak”.

I turn to Twitter to let BT know.

Wait. What? My password is TOO long (except, of course, it wasn’t). Is this really the advice that BT is giving out?

They then direct me to a link on their site giving password advice. It says nothing about any kind of maximum length for passwords, which I then mention.

Great link then. I’m not sure how this progresses anything. In the meantime, I have highlighted, more than once, that the issue here is that use of symbols seems to be considered as “weak” on their site but with no explanation. But they seem unconcerned about this.

And, the above Tweet from BT Care is where they leave it. They don’t accept symbols (or, at least, certain symbols) but blame me for having a password too long.

Well played BT, well played.

Update

The security expert Troy Hunt re-tweeted BT’s response to me…

That seemed to do the trick as I then got a message from BT asking for a phone number so they could get in touch.

A round of private messages ensued, where BT really didn’t seem to get the issue. First they wanted to know why I was accessing my account when I was no longer a customer, and then they asked me if they could just delete the account.

Ok, I think there’s been a misunderstanding here (which my website post tried to rectify). I’ve changed my password. I’m happy. It’s 50 characters long (which isn’t *too* long).

HOWEVER, all I’m reporting to you is that your password change page told me my password was ‘weak’, without giving me any reason for it. It turns out that by removing symbols from my password it was acceptable. It’s still 50 characters long.

So, this is what’s wrong…

  1. You don’t accept (some or all) symbols in passwords but your page doesn’t state this. It should, to avoid confusion.
  2. When an invalid character is used in a password you shouldn’t state that it’s “weak” if it’s not (50 randomised characters is not a weak password).

It would also be good if BT Care didn’t tell people that long, secure passwords were ‘too long’. Good security should be promoted.
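To make the two recommendations above concrete, here is an added example of a password check written the way the message asks for: it is not BT’s code and not the author’s, and the policy values (a 64-character ceiling, the denylist, the 60-bit “weak” threshold, the sample passwords) are constructed for illustration. Unaccepted characters and any length limit are reported by name, and “weak” is reserved for a password that passed the policy but has low estimated entropy; the entropy figure also bears on the 12-versus-50-character question later in the post.

```python
import hashlib
import math
import string

# Policy values are constructed for this example. Only three rules come from the
# post itself: at least 8 characters, letters and numbers, no common or previous password.
MIN_LENGTH = 8
MAX_LENGTH = 64                       # assumed ceiling; if a site has one it must be stated, not hidden
LETTERS_AND_DIGITS = set(string.ascii_letters + string.digits)
LETTERS_DIGITS_SYMBOLS = LETTERS_AND_DIGITS | set(string.punctuation)
COMMON_TOKENS = ("password", "letmein", "qwerty", "1234", "abcd")   # constructed denylist
WEAK_THRESHOLD_BITS = 60              # assumed: a valid password below this is reported as weak

# Constructed sample passwords, 50 characters each, in the spirit of a generator's output.
SAMPLE_ALNUM = "Kq7Lm2Pz9Vx4Rt8Wb3Yn6Jc1Hd5Sf0Gu2Ae9Ti4Uo7Ph3Nk6Qw"
SAMPLE_SYMBOLS = "Kq7!Lm2#Pz9$Vx4%Rt8&Wb3*Yn6(Jc1)Hd5-Sf0_Gu2=Ae9+Uo"


def entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate: treat the password as drawn uniformly from the
    union of the character classes it actually uses (right for generator output,
    generous for human-chosen passwords)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)   # the 32 printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def history_hash(password: str) -> str:
    """Digest used for the previous-password rule. SHA-256 keeps the example
    self-contained; a real site would verify against its slow password hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def evaluate(password: str, allowed: set = LETTERS_DIGITS_SYMBOLS,
             previous_hashes: frozenset = frozenset()) -> tuple[str, list[str]]:
    """Return (verdict, reasons). verdict is 'rejected' (every policy violation is
    named), 'weak' (valid but low estimated entropy) or 'ok'. An unaccepted
    character is a policy violation and is never reported as weakness."""
    reasons = []
    unaccepted = sorted({c for c in password if c not in allowed})
    if unaccepted:
        reasons.append(f"contains characters that are not accepted: {''.join(unaccepted)!r}")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        reasons.append("must contain both letters and numbers")
    lowered = password.lower()
    hits = [t for t in COMMON_TOKENS if t in lowered]
    if hits:
        reasons.append(f"contains a common word or sequence: {', '.join(hits)}")
    if history_hash(password) in previous_hashes:
        reasons.append("matches a previous password")
    if reasons:
        return "rejected", reasons
    bits = entropy_bits(password)
    if bits < WEAK_THRESHOLD_BITS:
        return "weak", [f"estimated {bits:.0f} bits of entropy, below {WEAK_THRESHOLD_BITS}"]
    return "ok", []


if __name__ == "__main__":
    # First case is the post's situation: a symbols-free policy that says so explicitly.
    for pw, allowed in ((SAMPLE_SYMBOLS, LETTERS_AND_DIGITS),
                        (SAMPLE_SYMBOLS, LETTERS_DIGITS_SYMBOLS),
                        ("hj7k2m9q", LETTERS_DIGITS_SYMBOLS),
                        ("Password1234", LETTERS_DIGITS_SYMBOLS)):
        print(f"{pw!r}: {evaluate(pw, allowed)}")
```

Run against the letters-and-digits-only policy, the 50-character password with symbols is rejected with the offending characters listed, which is the message the post’s yellow box should have shown; the same password under the wider policy is accepted with roughly 328 bits of estimated entropy, and the 50-character alphanumeric one with roughly 298, so neither is anywhere near “weak”. An 8-character alphanumeric password passes every rule but lands around 41 bits, and that is the only case in which the checker uses the word.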

At this point they finally got it, and will pass on my recommendations to the appropriate team. Hallelujah.

Now, I’d like to say this was the end of this but it didn’t stop there, as I had an interesting down-side from Troy Hunt’s Tweet.

This guy is also involved with security but, for reasons unknown to me, felt the need to suggest my password length was overkill. Discussion between us ensued, in which he didn’t really give much evidence other than the fact that a random, short password was secure enough that longer wasn’t needed (hardly the point I was trying to make).

And because I see Troy as the best person for security advice, I asked…

Let’s leave it at that.

The thing is, 12 random characters may be stupidly secure now, but what about the future? I really don’t fancy setting everything at 12 characters now and then, a couple of years down the line, having to make them more secure. So I use 50 characters.