Analysis

On yer bike, security: Santander cyclists forced to reset passwords

Santander Cycles is forcing all users to reset passwords, but is that a wise security move? Nicole Kobie asks the experts

When an email lands in my inbox saying I need to update a password, I assume that means the service has been hacked. 

And that's what I thought when Santander Cycles, the London ride rental service perhaps better known as Boris Bikes, pinged me and other users a message saying it was time for a new password.


"As part of our continuing security efforts, the next time you access your Santander Cycles account you will be prompted to reset your password," the message read. "We advise that you choose a different password in order to protect your personal details."

It also warned that I'd need a four-digit confirmation PIN sent to me next time I used the app, and directed me to a link to update my details. 

Now that latter point might have the security wary among you slamming your heads onto your desk in frustration, but we'll get to that in a moment (don't hurt yourselves in the meantime).

First, let's get to what a Transport for London spokesperson told me about the email: "We are asking customers to reset their passwords as part of our continuing security efforts. Occasional password resets are a common security precaution, and we thank our customers for their assistance."


I replied re-asking specifically if Boris Bikes had been hacked, targeted or had a zero-day flaw discovered, but have yet to hear back. 

While some data-sensitive corporations do force staff to come up with a new password every few months, that's the first time an online service has asked me. Why not reset passwords one by one when they reach a few months in age, rather than everyone's at once?

Plus, my password is only a few weeks old, as I've only just signed up for the Santander Cycles app (which, by the way, fellow Londoners, is fabulous and well worth installing to avoid having to use the in-person rental system).

I'm not the only one who finds it strange. "I would fundamentally disagree that 'occasional password resets are a common security precaution'," independent security analyst Graham Cluley told me. "Their current explanation is unsatisfactory."

However, Cluley suggested a much more positive explanation: "I wonder if the site is strengthening the way it encrypts and hashes passwords, and that is the impetus behind the password reset."


Sean Sullivan, security advisor at F-Secure, agreed a bulk reset wasn't "standard" and that it could be hiding other changes. "It's possible that they've just decided to enhance the quality of their encryption," he said. "More likely they realised that they're storing the passwords in an unsecure format, or even worse, plain text." 
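If the reason really is a move to stronger password hashing, a forced bulk reset is not the only way to get there. A service can keep a scheme tag on each stored hash, verify logins against whichever scheme the record uses, and silently rehash under the current scheme the next time the user logs in successfully. The example below is added here to illustrate that pattern; it is not code from Santander Cycles or Transport for London, and the tagged-string storage format, the in-memory user store and the sample account are all constructed for the demonstration. It assumes the legacy scheme was unsalted SHA-256 (a placeholder for "an unsecure format", not a claim about what the service actually stored) and upgrades to scrypt from Python's standard library.

```python
import hashlib
import hmac
import os

# Stored hash strings carry a scheme tag so verify() knows how to check them:
#   "sha256$<hex>"                               legacy, unsalted, fast to brute-force
#   "scrypt$<n>$<r>$<p>$<salt_hex>$<hash_hex>"   current memory-hard scheme
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_legacy_sha256(password: str) -> str:
    """The weak legacy scheme, kept only so old records can still be verified."""
    return "sha256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_scrypt(password: str, salt: bytes = None) -> str:
    """Current scheme: per-user random salt, memory-hard scrypt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against a stored hash of either scheme, in constant time."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha256":
        expected = hashlib.sha256(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(expected, rest)
    if scheme == "scrypt":
        n, r, p, salt_hex, hash_hex = rest.split("$")
        dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
        return hmac.compare_digest(dk.hex(), hash_hex)
    return False  # unknown scheme: never accept


def needs_upgrade(stored: str) -> bool:
    """True when the record is not already under the current scheme and parameters."""
    return not stored.startswith(f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}$")


# A dummy record verified for unknown usernames, so a failed login costs the same
# work whether or not the account exists (limits username enumeration by timing).
_DUMMY = hash_scrypt("dummy-password-not-a-real-account")


def login(store: dict, username: str, password: str):
    """Returns (ok, upgraded). On success, transparently rehashes legacy records."""
    stored = store.get(username)
    if stored is None:
        verify(password, _DUMMY)
        return False, False
    if not verify(password, stored):
        return False, False
    if needs_upgrade(stored):
        # The plaintext is available right now, so this is the one moment the
        # hash can be strengthened without asking the user for anything.
        store[username] = hash_scrypt(password)
        return True, True
    return True, False


if __name__ == "__main__":
    # Constructed sample store: one account still on the legacy scheme.
    users = {"alice": hash_legacy_sha256("correct horse battery")}
    print(login(users, "alice", "correct horse battery"))  # upgraded on first login
    print(users["alice"][:7])                              # now "scrypt$"
    print(login(users, "alice", "correct horse battery"))  # no further upgrade
    print(login(users, "alice", "wrong"))
```

The point of the pattern is that only accounts whose owners never log in again are left on the old scheme; those can be expired or reset individually later, rather than every active customer being pushed into choosing a hurried new password at once.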

Hopefully there's a good reason behind the bulk reset, as they can be risky, Cluley pointed out. "Forcing users to change their passwords regularly actually increases the chances of poor security, unless there is good reason to believe the passwords may be weak or compromised," he said. "The reason is that if you ask users to change their passwords, they will often make bad choices, [such as] passwordjan, passwordfeb, passwordmar... rather than a hard-to-crack unique password."

In other words, a forced reset doesn't make much sense unless there's a real threat or serious benefit. 

Now onto that emailed link to the account login: it's widely accepted that embedding a login link in an email is not best practice, as it teaches people to trust email rather than go directly to the site, leaving them at risk of phishing.


"There certainly is a danger in making such an email look phishy with a clickable link, it would be better to ask users to visit the webpage and log in for themselves to reset their passwords," said Cluley. 

Regardless of the real reason behind the bulk reset, confusing your customers isn't good security practice. And I'm not the only one to notice the odd email, with other Boris Bike fans taking to Twitter to question the reset. 

One said: "Here's a tip, don't get users 'normalised' to clicking a link inside a request to reset their password."

"Password resets for all users are commonly the result of a security breach," another noted. "An announcement would be welcome."

Indeed, it would. Santander Cycles: on yer bike... back to security 101. 
