Password isn't strong enough

How do you know? Are passwords stored in your database in plain text without any encryption?

No, your password isn’t strong enough if it is too short or lacks complexity. The shorter it is, the more likely it can be broken with a brute force attack. The most common passwords in the UK include Password, 123456, letmein, etc.

The middle password would take a decently specced computer a couple of minutes to break in a brute force attack. The passwords either side can be broken quickly with a dictionary attack.

These two forms of attack don’t rely on the encryption at Bulb’s end; a computer program simply tries thousands of combinations a minute until it finds the right one. The encryption at Bulb’s end obscures passwords so that, if their database ever got compromised, the passwords wouldn’t be immediately visible to an attacker.

For a strong password it should be 8 or more characters, have letters, numbers, special characters and capital letters.

@ryan4257 when did you get this notification?

I’m assuming it was at the point of a password change, and so the complexity check is handled by client-side code (most likely JavaScript) running on your local machine. Even so, the check could still be done server-side, since the plain text password is sent over a secure connection and is still available in plain text to the server at that point to enable a check to be done.

The complexity check is done as @FromTheValleys describes based simply on length and number of different character types.

None of this affects, or gives any indication, of how the password is later stored.

I got it after logging in, displayed on the home page.
That’s what made me wonder. I guess they could be checking it when it’s submitted at login?
My worry is they’ve done a mass password check on the database, and if it’s stored encrypted they wouldn’t know how long or secure it might be?

Interesting. Yes the plain text would be available to alert immediately after login. If you’d had this notification by email, that would be worrying.

There’s not enough information available here to comment on how Bulb store confidential data.

I had the same message about my password not being strong enough after I logged in.

Given that I haven’t changed my password for a long time, and that this is a new message that appears on all of my devices and browsers, perhaps Bulb is storing the plaintext of passwords in the backend, or they are checking the passwords at the client before transmission. You would have to check the JavaScript to know. My password for Bulb is weak, but it may also show that Bulb has an insecure system. This is very, very common.

My passwords for some of my accounts appear on databases of cracked passwords on the internet. This is owing to lapses in security of the companies that store them, not my password strength. It also shows why sharing passwords between websites is a bad idea.

I now use an automated password manager (Bitwarden) for all of my passwords. Each of my new passwords is unique and generated for me. Thus it protects me when the website is hacked: I am only exposed for that one website and I have strong passwords everywhere.

That was my concern, that they’re storing it plain text.
I probably should use a password manager, but it’s always a nuisance across devices.
Especially when I’d use the internet at work, and don’t usually have permissions to install stuff.

It could still be done after transmission on the server, before the server hashes it to compare with the stored version. None of this implies that they’re storing passwords in plain text.

The fact that the message comes up immediately after login implies that the above is what is happening. If it was a random email non-coincident with a successful login attempt, that would be more worrying.

In the end I can’t control how they do any of this. I either accept what they do and use their service or I don’t.

I can control what password I choose. After previous experiences of providers disclosing my password, I assume that disclosure will happen, or has happened.

By having a unique random password for each provider I have limited my exposure to that one provider. By entering the least amount of personal information in any system I limit exposure of my personal information too.
