Analysis

On yer bike, security: Santander cyclists forced to reset passwords

Santander Cycles is forcing all users to reset passwords, but is that a wise security move? Nicole Kobie asks the experts

When an email lands in my inbox saying I need to update a password, I assume that means the service has been hacked. 

And that's what I thought when Santander Cycles, the London ride rental service perhaps better known as Boris Bikes, pinged me and other users a message saying it was time for a new password.

"As part of our continuing security efforts, the next time you access your Santander Cycles account you will be prompted to reset your password," the message read. "We advise that you choose a different password in order to protect your personal details."

It also warned that I'd need a four-digit confirmation PIN sent to me next time I used the app, and directed me to a link to update my details. 


Now that latter point might have the security-wary among you slamming your heads onto your desks in frustration, but we'll get to that in a moment (don't hurt yourselves in the meantime).

First, let's get to what a Transport for London spokesperson told me about the email: "We are asking customers to reset their passwords as part of our continuing security efforts. Occasional password resets are a common security precaution, and we thank our customers for their assistance."

I replied re-asking specifically if Boris Bikes had been hacked, targeted or had a zero-day flaw discovered, but have yet to hear back. 

While some data-sensitive corporations do force staff to come up with a new password every few months, this is the first time an online service has asked me. Why not reset passwords one by one when they hit a few months in age, rather than everyone's at once?

Plus, my password is only a few weeks old, as I've only just signed up for the Santander Cycles app (which, by the way, fellow Londoners, is fabulous and well worth installing to avoid having to use the in-person rental system).

I'm not the only one who finds it strange. "I would fundamentally disagree that 'occasional password resets are a common security precaution'," independent security analyst Graham Cluley told me. "Their current explanation is unsatisfactory."


However, Cluley suggested a much more positive explanation: "I wonder if the site is strengthening the way it encrypts and hashes passwords, and that is the impetus behind the password reset."

Sean Sullivan, security advisor at F-Secure, agreed a bulk reset wasn't "standard" and that it could be hiding other changes. "It's possible that they've just decided to enhance the quality of their encryption," he said. "More likely they realised that they're storing the passwords in an unsecure format, or even worse, plain text." 

Hopefully there's a good reason behind the bulk reset, as they can be risky, Cluley pointed out. "Forcing users to change their passwords regularly actually increases the chances of poor security, unless there is good reason to believe the passwords may be weak or compromised," he said. "The reason is that if you ask users to change their passwords, they will often make bad choices, [such as] passwordjan, passwordfeb, passwordmar... rather than a hard-to-crack unique password."
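As an added illustration, not code from the article, from Santander Cycles or from TfL, the hypothetical login handler below shows the alternative to a bulk reset that Cluley's hashing theory implies: a site can migrate each account from a weak legacy hash to a salted, iterated one at the moment that user next logs in successfully, because that is the only time the plaintext is available. It also includes the reset-time check against the passwordjan/passwordfeb style rotations he warns about. The in-memory store, the scheme prefixes and the sample user are all assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed in-memory user store (an assumption, not any real system): maps a
# username to a hash record. Legacy records are unsalted SHA-1 hex digests, the
# kind of "unsecure format" the article's experts worry about; upgraded records
# are salted PBKDF2-HMAC-SHA256 with the iteration count stored alongside.
LEGACY_PREFIX = "sha1$"
PBKDF2_PREFIX = "pbkdf2_sha256$"
ITERATIONS = 600_000  # tune to your hardware; higher is slower for attackers too

def hash_pbkdf2(password, salt=None):
    """Produce an upgraded record: prefix$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PBKDF2_PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password, record):
    """Check a password against either record format, in constant time."""
    if record.startswith(LEGACY_PREFIX):
        digest = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(digest, record[len(LEGACY_PREFIX):])
    if record.startswith(PBKDF2_PREFIX):
        _, iters, salt_hex, dk_hex = record.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown scheme: fail closed

def login(users, username, password):
    """Authenticate, and transparently re-hash a legacy record on success."""
    record = users.get(username)
    if record is None or not verify(password, record):
        return False
    # The plaintext is in hand only now, so this is when a legacy record can be
    # rewritten with the stronger scheme. No bulk reset, no email, no link.
    if record.startswith(LEGACY_PREFIX):
        users[username] = hash_pbkdf2(password)
    return True

# Trailing month abbreviation or counter, e.g. passwordjan, passwordfeb, hunter2.
_ROTATION_SUFFIX = re.compile(
    r"(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec|\d+)$", re.IGNORECASE)

def is_trivial_variant(old_password, new_password):
    """True when the new password is the old one with a rotated suffix."""
    old_stem = _ROTATION_SUFFIX.sub("", old_password).lower()
    new_stem = _ROTATION_SUFFIX.sub("", new_password).lower()
    return bool(old_stem) and old_stem == new_stem

# Constructed sample account whose password still sits in the legacy format.
USERS = {"rider1": LEGACY_PREFIX + hashlib.sha1(b"correct horse").hexdigest()}
```

After the first successful `login(USERS, "rider1", "correct horse")` the stored record is PBKDF2, and later logins verify against that instead.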

In other words, a forced reset doesn't make much sense unless there's a real threat or serious benefit. 


Now onto that emailed link to the account login: it's widely accepted that embedding a login link in an email is not best practice, because it teaches people to trust email rather than go directly to the site, leaving them at risk of phishing.

"There certainly is a danger in making such an email look phishy with a clickable link; it would be better to ask users to visit the webpage and log in for themselves to reset their passwords," said Cluley.


Regardless of the real reason behind the bulk reset, confusing your customers isn't good security practice. And I'm not the only one to notice the odd email, with other Boris Bike fans taking to Twitter to question the reset. 

One said: "Here's a tip, don't get users 'normalised' to clicking a link inside a request to reset their password."

"Password resets for all users are commonly the result of a security breach," another noted. "An announcement would be welcome."

Indeed, it would. Santander Cycles: on yer bike... back to security 101. 
