Analysis

On yer bike, security: Santander cyclists forced to reset passwords

Santander Cycles is forcing all users to reset passwords, but is that a wise security move? Nicole Kobie asks the experts

When an email lands in my inbox saying I need to update a password, I assume that means the service has been hacked. 

And that's what I thought when Santander Cycles the London ride rental service perhaps better known as Boris Bikes  pinged me and other users a message saying it was time for a new password. 

"As part of our continuing security efforts, the next time you access your Santander Cycles account you will be prompted to reset your password," the message read. "We advise that you choose a different password in order to protect your personal details."

It also warned that I'd need a four-digit confirmation PIN sent to me next time I used the app, and directed me to a link to update my details. 

Advertisement
Advertisement - Article continues below

Now that latter point might have the security wary among you slamming your heads onto your desk in frustration, but we'll get to that in a moment (don't hurt yourselves in the meantime).

First, let's get to what a Transport for London spokeperson told me about the email: "We are asking customers to reset their passwords as part of our continuing security efforts. Occasional password resets are a common security precaution, and we thank our customers for their assistance."

I replied re-asking specifically if Boris Bikes had been hacked, targeted or had a zero-day flaw discovered, but have yet to hear back. 

While some data-sensitive corporation do force staff to come up with a new password every few months, that's the first time an online service has asked me. Why not reset passwords one-by-one when they hit a few months in age, rather than everyone at once?

Plus, my password is only a few weeks old, as I've only just signed up for the Santander Cycle app (which, by the way fellow Londoners, is fabulous and well worth installing to avoid having to use the in-person rental system).

I'm not the only one who finds it strange. "I would fundamentally disagree that 'occasional password resets are a common security precaution',"  independent security analyst Graham Cluley told me. "Their current explanation is unsatisfactory."

However, Cluley suggested a much more positive explanation: "I wonder if the site is strengthening the way it encrypts and hashes passwords, and that is the impetus behind the password reset."

Sean Sullivan, security advisor at F-Secure, agreed a bulk reset wasn't "standard" and that it could be hiding other changes. "It's possible that they've just decided to enhance the quality of their encryption," he said. "More likely they realised that they're storing the passwords in an unsecure format, or even worse, plain text." 

Hopefully there's a good reason behind the bulk reset, as they can be risky, Cluley pointed out. "Forcing users to change their passwords regularly actually increases the chances of poor security, unless there is good reason to believe the passwords may be weak or compromised," he said. "The reason is that if you ask users to change their passwords, they will often make bad choices, [such as] passwordjan, passwordfeb, passwordmar... rather than a hard-to-crack unique password."

In other words, a forced reset doesn't make much sense unless there's a real threat or serious benefit. 

Advertisement
Advertisement - Article continues below

Now onto that emailed link to account logins: it's widely accepted that it's not best practice to include a link to login embedded in emails, as it teaches people to trust email rather than go directly to the site leaving them at risk of phishing. 

"There certainly is a danger in making such an email look phishy with a clickable link, it would be better to ask users to visit the webpage and log in for themselves to reset their passwords," said Cluley. 

Regardless of the real reason behind the bulk reset, confusing your customers isn't good security practice. And I'm not the only one to notice the odd email, with other Boris Bike fans taking to Twitter to question the reset. 

One said: "Here's a tip, don't get users 'normalised' to clicking a link inside a request to reset their password."

"Password resets for all users are commonly the result of a security breech," another noted. "An announcement would be welcome."

Indeed, it would. Santander Cycles: on yer bike... back to security 101. 

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/mobile/mobile-phones/354273/pablo-escobars-brother-launches-budget-foldable-phone
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019
Visit/network-internet/wifi-hotspots/354283/industrial-wi-fi-6-trial-reveals-blistering-speeds
wifi & hotspots

Industrial Wi-Fi 6 trial reveals blistering speeds

5 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019