Here is part of what TalkTalk’s statement about the incident said:
we believe that some of our mobile customers’ data may have been accessed by the criminals. This includes customers’ names, addresses, dates of birth, bank details and other personal and TalkTalk account information.
For some of the affected customers, this may have also included their My Account username and passwords – for these customers, we have already suspended their accounts until they can reset their password.
We take our customers’ security very seriously, and we’ve already put in place additional security measures to prevent further attacks. We’ve also sent an email to all customers who we believe could have been impacted by this issue.
As a result, you would hope by now that TalkTalk customers have changed their passwords, choosing something unique, and hard-to-crack.
Of course, having a unique, complex password for every website which you access is the most sensible way to run your online accounts, and that’s why you should probably use a password manager to remember all your passwords for you and store them securely.
All sounds good so far.
But, alas, TalkTalk (like British Gas before it) clearly isn’t entirely onboard with the notion of password managers.
Because TalkTalk’s website actively prevents you from cutting-and-pasting a complex password into its login form.
Yes, if you have a really complicated and unmemorable password for your TalkTalk account like 7X(YrLgV(LfyMNr0IhTOih`qG, the website is going to insist that you type it in manually.
The end result? Users will find they make mistakes, and end up choosing dumb, non-unique, easier-to-guess or easier-to-crack passwords instead. :(
TalkTalk has achieved this by inserting a short line of code into its web form, preventing the pasting of a password into a form.
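To make that one-liner concrete, here is an added example (written for this post, not TalkTalk's code): a small stand-in for a DOM password input and the browser's paste event, the paste-blocking handler beside a field that leaves paste alone, and a check that flags the blocked fields. The element model and the `paste` dispatcher are assumptions so the logic runs in Node without a browser.

```javascript
// Added example (not TalkTalk's code): a stand-in for a DOM input and the browser's
// paste event, so the handler logic can run in Node without a browser.
function makeInput(name, attrs = {}) {
  return { name, type: 'password', value: '', attrs, listeners: [] };
}

function on(input, type, fn) {
  if (type === 'paste') input.listeners.push(fn);
}

// Dispatch a paste: run the inline onpaste attribute (returning false cancels) and any
// listeners (preventDefault() cancels); the text reaches the field only if nothing cancelled.
function paste(input, text) {
  let cancelled = false;
  const ev = { type: 'paste', clipboardText: text, preventDefault() { cancelled = true; } };
  if (typeof input.attrs.onpaste === 'function' && input.attrs.onpaste.call(input, ev) === false) {
    cancelled = true;
  }
  for (const fn of input.listeners) fn(ev);
  if (!cancelled) input.value += text;
  return !cancelled;
}

// The anti-pattern the post describes: equivalent of <input type="password" onpaste="return false">.
// A password manager's paste is silently discarded, pushing users toward typeable, weaker passwords.
function blockedPasswordField(name = 'password') {
  return makeInput(name, { onpaste: () => false });
}

// Same effect via addEventListener, the other way sites usually do it.
function listenerBlockedField(name = 'password') {
  const f = makeInput(name);
  on(f, 'paste', (e) => e.preventDefault());
  return f;
}

// The corrected form: no paste handler at all. Nothing is lost by allowing paste; server-side
// controls (rate limiting, lockout, password hashing) do not depend on how the value arrived.
function openPasswordField(name = 'password') {
  return makeInput(name);
}

// Audit helper: probe each password field with a paste and report the ones that swallow it.
function findPasteBlockingFields(form) {
  return form
    .filter((f) => f.type === 'password')
    .filter((f) => !paste({ ...f, value: '' }, 'probe')) // probe a copy so the real field is untouched
    .map((f) => f.name);
}
```

Running the audit over a real page means the same probe against actual `<input type="password">` elements in the browser console; the stand-in above only reproduces the cancel semantics.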
Worse still, TalkTalk’s customer care team is trying to convince its customers that this is actually good for security and “standard practice”.
Other Twitter users seem pretty unimpressed with TalkTalk’s decision too.
@gcluley @TalkTalkCare Is it safer for me to remember a ~10 char pass I'll probably re-use, or generate a 30+ char unique pass per site?
— Tom Salmon (@SalmonLogs) September 1, 2015
Now, there might be a legitimate reason to prevent users from pasting in passwords if the site is attempting some type of keyboard biometrics, but I don’t think TalkTalk is attempting anything so sophisticated.
It’s a real shame to see a company not helping its customers use safer passwords, especially in the wake of a data breach. Let’s hope they get a clue and see sense soon.