On yer bike, security: Santander cyclists forced to reset passwords

Santander Cycles is forcing all users to reset passwords, but is that a wise security move? Nicole Kobie asks the experts

When an email lands in my inbox saying I need to update a password, I assume that means the service has been hacked. 

And that's what I thought when Santander Cycles the London ride rental service perhaps better known as Boris Bikes  pinged me and other users a message saying it was time for a new password. 

Advertisement - Article continues below

"As part of our continuing security efforts, the next time you access your Santander Cycles account you will be prompted to reset your password," the message read. "We advise that you choose a different password in order to protect your personal details."

It also warned that I'd need a four-digit confirmation PIN sent to me next time I used the app, and directed me to a link to update my details. 

Now that latter point might have the security wary among you slamming your heads onto your desk in frustration, but we'll get to that in a moment (don't hurt yourselves in the meantime).

First, let's get to what a Transport for London spokeperson told me about the email: "We are asking customers to reset their passwords as part of our continuing security efforts. Occasional password resets are a common security precaution, and we thank our customers for their assistance."

Advertisement - Article continues below
Advertisement - Article continues below

I replied re-asking specifically if Boris Bikes had been hacked, targeted or had a zero-day flaw discovered, but have yet to hear back. 

While some data-sensitive corporation do force staff to come up with a new password every few months, that's the first time an online service has asked me. Why not reset passwords one-by-one when they hit a few months in age, rather than everyone at once?

Plus, my password is only a few weeks old, as I've only just signed up for the Santander Cycle app (which, by the way fellow Londoners, is fabulous and well worth installing to avoid having to use the in-person rental system).

I'm not the only one who finds it strange. "I would fundamentally disagree that 'occasional password resets are a common security precaution',"  independent security analyst Graham Cluley told me. "Their current explanation is unsatisfactory."

However, Cluley suggested a much more positive explanation: "I wonder if the site is strengthening the way it encrypts and hashes passwords, and that is the impetus behind the password reset."

Advertisement - Article continues below

Sean Sullivan, security advisor at F-Secure, agreed a bulk reset wasn't "standard" and that it could be hiding other changes. "It's possible that they've just decided to enhance the quality of their encryption," he said. "More likely they realised that they're storing the passwords in an unsecure format, or even worse, plain text." 

Hopefully there's a good reason behind the bulk reset, as they can be risky, Cluley pointed out. "Forcing users to change their passwords regularly actually increases the chances of poor security, unless there is good reason to believe the passwords may be weak or compromised," he said. "The reason is that if you ask users to change their passwords, they will often make bad choices, [such as] passwordjan, passwordfeb, passwordmar... rather than a hard-to-crack unique password."

In other words, a forced reset doesn't make much sense unless there's a real threat or serious benefit. 

Now onto that emailed link to account logins: it's widely accepted that it's not best practice to include a link to login embedded in emails, as it teaches people to trust email rather than go directly to the site leaving them at risk of phishing. 

Advertisement - Article continues below

"There certainly is a danger in making such an email look phishy with a clickable link, it would be better to ask users to visit the webpage and log in for themselves to reset their passwords," said Cluley. 

Regardless of the real reason behind the bulk reset, confusing your customers isn't good security practice. And I'm not the only one to notice the odd email, with other Boris Bike fans taking to Twitter to question the reset. 

One said: "Here's a tip, don't get users 'normalised' to clicking a link inside a request to reset their password."

"Password resets for all users are commonly the result of a security breech," another noted. "An announcement would be welcome."

Indeed, it would. Santander Cycles: on yer bike... back to security 101. 

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Putting a spotlight on cyber security

An examination of the current cyber security landscape

Download now

The economics of infrastructure scalability

Find the most cost-effective and least risky way to scale

Download now

IT operations overload hinders digital transformation

Clearing the path towards a modernised system of agreement

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular


How to find RAM speed, size and type

24 Jun 2020

Microsoft releases urgent patch for high-risk Windows 10 flaws

1 Jul 2020

The top 12 password-cracking techniques used by hackers

12 Jun 2020