Wondering again about the passwords... April 3, 2007 3:01 PM

This sounds remarkably familiar. Is that why we can't change our passwords?
posted by dmd to Bugs at 3:01 PM (35 comments total)

Hey, if duplicate passwords aren't allowed, I call dibs on '8qivub9t9x8c'.

Oh wait.
posted by Rhomboid at 3:12 PM on April 3, 2007


Sorry, Rhomboid, that one's already taken.
posted by cortex (staff) at 3:18 PM on April 3, 2007


By, uh, someone else.
posted by cortex (staff) at 3:18 PM on April 3, 2007 [1 favorite]


No, that's not why. That story is one of the worst I've heard about passwords.
posted by mathowie (staff) at 3:27 PM on April 3, 2007


Seriously people this totally happened to a friend of mine!

Here's what you do send me your password and I’ll run it through my patented encryption index to verify that you're all clear. Also improves vitality!!! Makes You 2+4 inches longer… Great Rates Too!!!1!
posted by French Fry at 3:37 PM on April 3, 2007


The reason we can't change passwords is because it would enable people to have sock puppet passwords in addition to the sock puppet logins they already have.
posted by shmegegge at 3:39 PM on April 3, 2007


We can't change passwords because doing so is fundamentally insecure.
posted by Eideteker at 4:49 PM on April 3, 2007


We have a limited number of logins per day? We can't change passwords? This thread is full of new information for me.
posted by Mr.Encyclopedia at 5:50 PM on April 3, 2007


We can't change passwords because doing so is fundamentally insecure.

How so?
posted by bonaldi at 6:10 PM on April 3, 2007


Eideteker is onto something there. I believe that once a password is set, it should NEVER change, because then we got that fucker LOCKED DOWN and SECURED.

Besides, there's that 2.22 millisecond window after you've hit the "submit" button on the change password screen. You know, the window where the password-lurker-hackers are just WAITING to swoop down and GRAB that new password while it's on its way through the update process.

I have no idea how this stuff works, do I? I should take a class.
posted by disclaimer at 6:16 PM on April 3, 2007


I've always figured you can smoke out some dumb sock puppets by checking for identical passwords.
posted by smackfu at 6:26 PM on April 3, 2007


My password is just my username.
posted by eyeballkid at 6:35 PM on April 3, 2007


LOL_DRUGGIEZ
posted by orthogonality at 6:35 PM on April 3, 2007


Eideteker is onto something there. I believe that once a password is set, it should NEVER change, because then we got that fucker LOCKED DOWN and SECURED.

It's true. They're actually kept in individual safe deposit boxes down at the bank.
posted by cortex (staff) at 6:48 PM on April 3, 2007


When do I need my password? Oh, wait, people log out?
posted by typewriter at 7:01 PM on April 3, 2007


That's why they're a pain to change— Matt has to ride down to the bank on his bike, wait around, then switch the sheet of paper in the safe deposit box. It's, like, totally a waste of four or five hours at least.
posted by klangklangston at 7:06 PM on April 3, 2007


Eideteker

eponysterical, by the way, if properly pronounced.
posted by dmd at 7:06 PM on April 3, 2007


You just have to hit the shift key when you enter your preferences.
posted by Balisong at 7:28 PM on April 3, 2007


The only secure password is the one that has never been set.
posted by blue_beetle at 8:48 PM on April 3, 2007


So how about that openID support, mathowie? Because the concerns about the "rogue server" you have there are not really how openID works, ya know..

This could solve lots of bitching about the password changing, plus it would simply be cool.
posted by lodev at 1:25 AM on April 4, 2007


It's a wonder how these people even get jobs as developers.

Not just the people who initiated the tragedy, but Enrique and the other developers.

"Ohhh... umm... I guess you're right," was all the developer could muster. "But then we'd have to change every table to use a username as the foreign key, maybe even apply constraints on the server, and change the token each user carries throughout the application to be their username!" It was a major change, but Enrique insisted they do the work.

Hows about this for a solution...
You make sure that on account creation the current password field is a unique string; you add a new password field, and you change the login functions to use that new password field.

Hey presto - No need to trawl through the whole codebase screwing everything up. Minimal impact on the database and the applications.

Idiots.
posted by seanyboy at 2:29 AM on April 4, 2007


That should be ... "You make sure that on account creation the current password field is an automatically generated unique string"
posted by seanyboy at 2:35 AM on April 4, 2007
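
A sketch of the migration seanyboy describes in the two comments above, as an added example that is not part of the original thread: the legacy password column stays as the key other tables reference, and login moves to a new salted-hash column. The table and column names, the sample rows, and the use of SQLite and PBKDF2 are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

def hash_pw(password, salt):
    # PBKDF2 is an assumption here; the thread names no hashing scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def migrate(db):
    # Leave the legacy column alone (every foreign key points at it) and
    # add new columns that the login function will use from now on.
    db.execute("ALTER TABLE users ADD COLUMN pw_salt BLOB")
    db.execute("ALTER TABLE users ADD COLUMN pw_hash BLOB")
    for (old_pw,) in db.execute("SELECT password FROM users").fetchall():
        salt = secrets.token_bytes(16)
        db.execute("UPDATE users SET pw_salt = ?, pw_hash = ? WHERE password = ?",
                   (salt, hash_pw(old_pw, salt), old_pw))

def create_account(db, name, password):
    # New accounts: the legacy column gets a generated unique string.
    key = secrets.token_hex(16)
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               (key, name, salt, hash_pw(password, salt)))
    return key

def login(db, name, password):
    row = db.execute("SELECT pw_salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], hash_pw(password, row[0]))

def demo():
    # Constructed legacy schema: the password doubles as the primary key.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (password TEXT PRIMARY KEY, name TEXT UNIQUE);
        CREATE TABLE posts (author TEXT REFERENCES users(password), body TEXT);
        INSERT INTO users VALUES ('hunter2', 'alice');
        INSERT INTO posts VALUES ('hunter2', 'first post');
    """)
    migrate(db)
    create_account(db, "bob", "hunter2")  # duplicate password is now fine
    return db
```

Rows that existed before the migration still carry the real old password in the key column and in every foreign key, so those accounts need a password change before the plaintext exposure actually ends.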


Unbelievable. I've been mentally pronouncing Eideteker as eye-detector.
posted by hoverboards don't work on water at 2:57 AM on April 4, 2007


eye-detector

I'd been pronouncing it eye-dee-tecker. Isn't that how it's supposed to be pronounced? I don't see the eponystericality.
posted by lostburner at 3:37 AM on April 4, 2007


i pronounce it "too much high hat".
posted by quonsar at 4:20 AM on April 4, 2007


I've always thought of it as Eyed-Tecker.

What?
posted by PuGZ at 6:11 AM on April 4, 2007


I was pronouncing it as 'ID taker', but now the joke's dead.
posted by dmd at 6:37 AM on April 4, 2007


METAFILTER CHEAT CODES

infinite snarks: up, up, up, down, down, down, left, right, left, right, a, b, a, b, submit.

free sockpuppet: hold a, left, right, left, right, down, left, up, right, submit.

banhammer: a, a, b, b, a, a, down, left, right, up, submit.

img tag: right, up, left, down, down, left, up, right, a, b, a, b, submit.

posted by Terminal Verbosity at 6:45 AM on April 4, 2007


right, up, left down, down, left, up, right, a, b, a, b, summit.

[img alt="ceiling cat is watching you enter your password"]
posted by drezdn at 7:05 AM on April 4, 2007


Did it work?
posted by drezdn at 7:05 AM on April 4, 2007


You ruined my drywall.
posted by dmd at 8:09 AM on April 4, 2007


"eponysterical, by the way, if improperly pronounced."

Fixed that for ya!

And, as I've said time and time again, "Eideteker" is pronounced "N@".
posted by Eideteker at 4:33 PM on April 4, 2007


I just set all my passwords to "abc123". See, it's so insecure, it's secure! Nobody would believe that anyone would actually make that their password, so they'll be busy guessing d#p3C8oi1*3Oq while I'm over here with "abc123".
posted by Many bubbles at 12:15 AM on April 6, 2007


No you don't.
posted by bonaldi at 6:06 AM on April 6, 2007


Yes, they do.

*runs*
posted by Many bubbles at 11:36 AM on April 6, 2007

