On yer bike, security: Santander cyclists forced to reset passwords

When an email lands in my inbox saying I need to update a password, I assume that means the service has been hacked.

And that's what I thought when Santander Cycles the London ride rental service perhaps better known as Boris Bikes pinged me and other users a message saying it was time for a new password.

"As part of our continuing security efforts, the next time you access your Santander Cycles account you will be prompted to reset your password," the message read. "We advise that you choose a different password in order to protect your personal details."

It also warned that I'd need a four-digit confirmation PIN sent to me next time I used the app, and directed me to a link to update my details.

Now that latter point might have the security wary among you slamming your heads onto your desk in frustration, but we'll get to that in a moment (don't hurt yourselves in the meantime).

First, let's get to what a Transport for London spokeperson told me about the email: "We are asking customers to reset their passwords as part of our continuing security efforts. Occasional password resets are a common security precaution, and we thank our customers for their assistance."

I replied re-asking specifically if Boris Bikes had been hacked, targeted or had a zero-day flaw discovered, but have yet to hear back.

While some data-sensitive corporation do force staff to come up with a new password every few months, that's the first time an online service has asked me. Why not reset passwords one-by-one when they hit a few months in age, rather than everyone at once?

Plus, my password is only a few weeks old, as I've only just signed up for the Santander Cycle app (which, by the way fellow Londoners, is fabulous and well worth installing to avoid having to use the in-person rental system).

I'm not the only one who finds it strange. "I would fundamentally disagree that 'occasional password resets are a common security precaution'," independent security analyst Graham Cluley told me. "Their current explanation is unsatisfactory."

However, Cluley suggested a much more positive explanation: "I wonder if the site is strengthening the way it encrypts and hashes passwords, and that is the impetus behind the password reset."

Sean Sullivan, security advisor at F-Secure, agreed a bulk reset wasn't "standard" and that it could be hiding other changes. "It's possible that they've just decided to enhance the quality of their encryption," he said. "More likely they realised that they're storing the passwords in an unsecure format, or even worse, plain text."

Hopefully there's a good reason behind the bulk reset, as they can be risky, Cluley pointed out. "Forcing users to change their passwords regularly actually increases the chances of poor security, unless there is good reason to believe the passwords may be weak or compromised," he said. "The reason is that if you ask users to change their passwords, they will often make bad choices, [such as] passwordjan, passwordfeb, passwordmar... rather than a hard-to-crack unique password."

In other words, a forced reset doesn't make much sense unless there's a real threat or serious benefit.

Now onto that emailed link to account logins: it's widely accepted that it's not best practice to include a link to login embedded in emails, as it teaches people to trust email rather than go directly to the site leaving them at risk of phishing.

"There certainly is a danger in making such an email look phishy with a clickable link, it would be better to ask users to visit the webpage and log in for themselves to reset their passwords," said Cluley.

Regardless of the real reason behind the bulk reset, confusing your customers isn't good security practice. And I'm not the only one to notice the odd email, with other Boris Bike fans taking to Twitter to question the reset.

One said: "Here's a tip, don't get users 'normalised' to clicking a link inside a request to reset their password."

"Password resets for all users are commonly the result of a security breech," another noted. "An announcement would be welcome."

Indeed, it would. Santander Cycles: on yer bike... back to security 101.