Improve Account Security With This One Weird Trick (Hackers Hate It) April 22, 2015 1:37 PM

We've improved password security on Metafilter. So, hey, update your password!

If you're a regular Metatalk reader you may have seen our post last week about testing the new system, and a bunch of folks helped out by jumping in. Everything went well (and we caught and fixed an issue with Chat in the process) so now we're ready to shout to the hilltops about it.

We don't have any specific site security concerns at the moment, and the previous password regime wasn't bad, but there was room for improvement and so we've gone ahead and moved to this new system just to be prepared. New accounts will use it by default; existing users will need to do a password change to take advantage of it.

Changing your password will upgrade you to the new, more robust system, no other action required. You do need to know your current password to change your password, so if you've forgotten it you'll want to request a password reset email; make sure your email address in your Preferences is current so that the email will get to you. (Heck, make sure your email address is current even if you don't need a reset email. It helps make sure we can contact you about site stuff in general.)

After you've changed your password, you'll need to log out and back in to Metafilter on any other devices you use. That's a normal part of the password update process here.

If you have any trouble with the process, you can also get help from the mods via the contact form and/or let us know in here.
posted by cortex (staff) to MetaFilter-Related at 1:37 PM (74 comments total) 3 users marked this as a favorite

in b4 "hunter2"
posted by the man of twists and turns at 1:39 PM on April 22, 2015 [13 favorites]


I assume that if I change my password, then change it *back*, it'll still be more secure but I can basically keep my password?
posted by jaguar at 1:47 PM on April 22, 2015 [3 favorites]


That is correct, jaguar.
posted by cortex (staff) at 1:47 PM on April 22, 2015 [5 favorites]


the man of twists and turns:
in b4 "*******"

Huh?
posted by Gymnopedist at 1:51 PM on April 22, 2015 [31 favorites]


I don't hate secure passwords. I guess I'm not that kind of a hacker. But maybe we can not be all negative about hackers (hacker culture is a big tent) when we really mean computer criminals?

Not a big deal, of course. Just something that I noticed. And yes, I've updated my password, thanks for the security upgrade!
posted by Too-Ticky at 2:19 PM on April 22, 2015 [1 favorite]


I will heartily clarify that the post title refers only to the bad hackers, the nasty crackers, the bot-army barbarians and the exploit exploiters and the malicious script-kiddies scheming in the gloaming.
posted by cortex (staff) at 2:24 PM on April 22, 2015 [17 favorites]


Thank you so much. I'm much relieved to hear this. If you ever make it to the Low Lands, do drop by to come and see our hackerspace. We have more Club Mate than you can shake a soldering iron at (and that's just one of the brands we serve).
posted by Too-Ticky at 2:29 PM on April 22, 2015


If I changed it after the last thread, but before this one, am I good to go?
posted by Rustic Etruscan at 2:34 PM on April 22, 2015


If I changed it after the last thread, but before this one, am I good to go?

Yep, if you did a password change after we posted the test thread last week, you're already all set and also a pretty cool person.
posted by cortex (staff) at 2:36 PM on April 22, 2015


in b4 "*******"

lol, yes. See, when YOU type hunter2, it shows to us as *******
posted by entropicamericana at 2:38 PM on April 22, 2015 [3 favorites]


trying... to... overcome... laziness... failing...
posted by Justinian at 2:45 PM on April 22, 2015 [6 favorites]


was that a test thread to see how it would work on the back end or to test if we would care enough to try? or both
posted by poffin boffin at 2:45 PM on April 22, 2015


When you add "or both" to the end of a question-or-question construction like that you rob me of chance to respond with "yes". There's a dad inside me, yearning to make dad jokes, but you're killing him. You're killing Inside Dad.
posted by cortex (staff) at 2:48 PM on April 22, 2015 [41 favorites]


VO:
The story you are about to read is true. Only the names have been changed to protect the innocent.

Joe 'Cortex' Friday:
This is the city. Portland, Oregon. I work here... I'm a mod.

(Dragnet theme)

It was Wednesday, April 22nd. It was raining in Portland. We were working bunko, flushing out the bad hackers, the nasty crackers, the bot-army barbarians, the exploit exploiters, the malicious script-kiddies scheming in the gloaming. Don't think any of 'em have come up with a new angle. There's nothing new about being a hacker; the state prison's full of 'em.

Let me tell you about one of them. The first time I met him he was 16. His name is Jim. He went to school in Tigard. We picked him up for shoplifting computer parts. We talked to his parents; seemed like a nice family, so we let him go.

A couple of months later we picked him up again. He was downloading warez. They put him on probation. It looked like he was going to straighten out. He didn't.

A couple of weeks later the owner of Fry's picked him out of a lineup. He'd held up the store with a .22 rifle his father had given him for his birthday. I didn't see much of him after that; that was eight years ago. But I know he put in two years with the Oregon Youth Authority.

He got out and went home. His Computer Club buddies from high school were all in college, reduced to hanging out in 4chan, or thinking about getting married; and they didn't want to have much to do with him. Most people don't like to be around hackers. The only people who'd associate with them are other hackers. And when hackers get together they've only got one thing in mind: to steal something from somebody online.

They tried their hand at hacking a banking website. They didn't make it--but they did manage to fry the server.

Jim's up at San Quentin now; he's 25. He's spent one-third of his life in jail, relegated to no more than an old Gameboy. His lawyers are trying to get the sentence commuted to life with the Amish - he'll never see the Internet again.
posted by Greg_Ace at 2:49 PM on April 22, 2015 [20 favorites]


swordfish
posted by The Great Big Mulp at 2:57 PM on April 22, 2015 [1 favorite]


I can't log into chat via Apple Messages on my Mac.
posted by double block and bleed at 3:03 PM on April 22, 2015


It's checking out ok for me on Apple Messages. I'm on Messages 8/OS X 10.9.5.

Have you logged in successfully before? Setting up a 3rd party chat client can be a little tricky—especially since you have spaces in your username. Here's the FAQ with chat setup instructions.
posted by pb (staff) at 3:13 PM on April 22, 2015


the bot-army barbarians

I read that as "the bot-army librarians" and wondered what the hell cortex and jessamyn were up to.
posted by Johnny Wallflower at 3:28 PM on April 22, 2015 [3 favorites]


Might be nice to have a clickable link in this post too, not just the previous one.
posted by misterbrandt at 3:30 PM on April 22, 2015


Thanks very much! I changed my password, so I'm apologizing in advance for all of the incorrect logins I'll be making for the next few days. Weeks. Months. You know. Sorry!
posted by kimberussell at 3:31 PM on April 22, 2015


pb: "It's checking out ok for me on Apple Messages. I'm on Messages 8/OS X 10.9.5.

Have you logged in successfully before? Setting up a 3rd party chat client can be a little tricky—especially since you have spaces in your username. Here's the FAQ with chat setup instructions."

It worked a couple weeks ago when I last used it. I'll play around with it some more. Or switch back to Adium.
posted by double block and bleed at 3:39 PM on April 22, 2015


...and now it works. I'm going to chalk that up to my thready uverse connection. Sorry for the trouble!
posted by double block and bleed at 3:41 PM on April 22, 2015


Thanks for the update—no problem, glad it's working.
posted by pb (staff) at 3:45 PM on April 22, 2015


> After you've changed your password, you'll need to log back in to Metafilter on any other devices you use. That's a normal part of the password update process here.

Except this seems not to be the case: the user cookies I had on my phone (ancient Android), iPad (iOS 8.01), and in elinks (0.11.7) from before I changed my password are all still working after changing my password -- and logging out & back in to confirm it -- on my mac.
posted by Westringia F. at 4:01 PM on April 22, 2015


The site might be able to identify who you are with your old cookies, but you should be prompted to log in when you try to add a comment on those devices.
posted by pb (staff) at 4:07 PM on April 22, 2015


Oh, OK then. As soon as I'm in front of a PC and robust enough to hit myself with a $5 rubber hose to re-learn my old pw I'll change it to "trustno1" or somesuch. Happy?

Thanks to pb for the effort put in and cortex for the clearly-required (in my case) chivvying.
posted by comealongpole at 4:15 PM on April 22, 2015


Confirmed! But it will eat your comment when it pushes you over to the login page, which is some very unfortunate behavior.

(It also returns you to the FP, rather than whatever thread you were in, but this is a comparatively minor annoyance.)
posted by Westringia F. at 4:16 PM on April 22, 2015 [1 favorite]


"So, hey, update your password! "

YOU CAN'T TELL ME WHAT TO DO
posted by Evilspork at 4:23 PM on April 22, 2015 [1 favorite]


...which is some very unfortunate behavior.

True, we'll take a look at that. Changing your password in another browser should be the only scenario where that happens. Logging out and back in across devices after a password change will prevent it, but yeah that is annoying.
posted by pb (staff) at 4:25 PM on April 22, 2015


I edited the post to include a clickable link to the change password form - thanks for pointing that out, misterbrandt.
posted by LobsterMitten (staff) at 4:53 PM on April 22, 2015


cortex: "You're killing Inside Dad."

If you had better weather you could be Outside Dad, too.
posted by boo_radley at 5:10 PM on April 22, 2015


CAPSLOC is how Inside Dad feels about password security change.
posted by mightshould at 5:27 PM on April 22, 2015


Updated my password even though I feared I'd lose the tiny snowman indicating that I'm now on the new server. But I still have the snowman!
posted by cgc373 at 6:01 PM on April 22, 2015


Forgive me if this is an ignorant question (aren't they all?), but what exactly is the need for new additional security? Metafilter is not keeping any secrets of mine. Everything they have from me is published right here on the front page. I willingly and gladly updated my password, but I am just having a hard time understanding what the threat is.
posted by AugustWest at 6:24 PM on April 22, 2015


Forgive me if this is an ignorant question (aren't they all?), but what exactly is the need for new additional security?

There's no pressing need, beyond just trying to do as good a job with basic account security as we reasonably can. We don't have any specific expectation that the site will be targeted for any kind of attack, let alone successfully compromised by one, but that's no reason to assume it won't ever happen and won't ever need considering. (And there was that one time several years ago that some dumb exploit bot actually did knock the site over.)

There's some interesting discussion in this recent metatalk thread about worst-case scenarios, about current and past best practices and why stepping up password security would be worth doing, and based on that we talked it over and pb worked out a reasonable approach, so we decided to go for it.

Making the change from the SHA-256 approach we'd been using for the last several years to the bcrypt approach we're using now was a bit of work but a manageable one (everybody thank pb, he deserves all of it), and as a result in the unlikely case of a server compromise people's encrypted passwords will now be not merely a pain to crack but basically untenable. Best case, it's a non-issue. Worst case, it's pretty close to a non-issue still, which is great.

Everything they have from me is published right here on the front page. I willingly and gladly updated my password, but I am just having a hard time understanding what the threat is.

In this case, the threat we're addressing isn't that you'll have secrets revealed (you're right, there's very little in the server that's not essentially public, so it's not a KEEP MY BANKING DATA SAFE situation) but that, if you're not totally diligent about always using a different password in every site you log in to, a less-robust encryption would leave your encrypted password vulnerable to a dedicated cracking attempt and thus leave you vulnerable to subsequent account compromises on other sites by an attacker willing to make some email/username + password guesses.

Which is still unlikely to happen to any particular person as a targeted thing, but an automated attack that got access to the whole db, and then did an automated crunch of all the username/password/email combinations it got with passwords that were actually crackable with a bit of elbow-grease, could mean a lot of people vulnerable to that sort of systematic and impersonal dealing-in-volume attack.

It's unlikely and so relatively low risk, but reducing that risk to close to nil also didn't require too much in the way of resources on our end. And reducing tens of thousands of people's risk by a little bit with a non-Herculean amount of effort is a pretty good tradeoff.
posted by cortex (staff) at 6:55 PM on April 22, 2015 [7 favorites]


The Great Big Mulp: swordfish

Is this where I mention that at my last office job, the IT company that we hired had set our Windows passwords to swordfish?
posted by computech_apolloniajames at 7:30 PM on April 22, 2015 [1 favorite]


Mess with the best, die like the rest.
posted by Drinky Die at 8:11 PM on April 22, 2015 [2 favorites]


So if I changed my password last week for the test, do I need to change it again?
posted by Bruce H. at 8:16 PM on April 22, 2015


If you changed it last week you're all set.
posted by pb (staff) at 8:23 PM on April 22, 2015


Evilspork: ""So, hey, update your password!"

YOU CAN'T TELL ME WHAT TO DO"

YOU'RE NOT MY REAL MOD!

storms off to his room in tears


Seriously though, password changed. That means my ex-wife can't log in as me! (Her name was my password. We were happily married when I first signed up.)
posted by Samizdata at 9:10 PM on April 22, 2015


My Mefi password is the last memento I have of a vanished, better time in my life, and to change it even for an instant would be like burning a piece of my soul.

Okay, I'm making it up, but y'know, it sounds good and it could have been true.
posted by George_Spiggott at 9:12 PM on April 22, 2015 [4 favorites]


I switched to using 1Password a few months ago but somehow missed switching my Metafilter one when doing everywhere else. So now, not only a new password but a much, much better one!
posted by sparkletone at 12:30 AM on April 23, 2015


You can't make me!!

(Can I change it to itself?)
posted by royalsong at 5:34 AM on April 23, 2015


Thank you cortex for the very clear explanation. Thank you pb for the time and effort!
posted by AugustWest at 6:32 AM on April 23, 2015


I reset my password via the forgotten password form (because it disappeared into the murky depths of Chrome's password manager), and couldn't log in until after I'd cleared my cookies.

Weirdly, the toolbar at the top of the site made it look like I was logged in (although I couldn't actually do anything)

I was able to reproduce this on two separate machines.
posted by schmod at 6:54 AM on April 23, 2015


cortex says I'm a pretty cool person! I finally have something to brag about.
posted by ogooglebar at 7:52 AM on April 23, 2015


Thanks for the report, schmod. That's expected behavior. The site will recognize you if you have an older set of cookies, but won't verify that you have up-to-date credentials to change data until you actually try to change data. At that point it will redirect you to a login if your credentials aren't current.

It was designed that way back in the day with the assumption that you'd be using one main browser to access MetaFilter. It also tries to minimize the number of times you'll see a login screen—redirecting you only when absolutely necessary. It might be time to revisit this system in the modern era when many people access MetaFilter across many devices.
posted by pb (staff) at 8:08 AM on April 23, 2015
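pb's replies above describe a two-tier design: an older cookie still identifies you, but the site only checks whether your credentials are current at the moment you try to change data, and redirects you to a login if they are not. The following is an added illustration of that pattern, not MetaFilter's own code; the user store, the `pw_generation` counter, the session table and the `post_comment` handler are all constructed for this example. Because Westringia F. noted that the redirect ate the pending comment, the handler here hands the draft back instead of dropping it, and the cookie helper sets the attributes that keep a session cookie off plain HTTP, which is the concern pwnguin raises later in the thread.

```python
import secrets

# Constructed in-memory user store (hypothetical schema, not the site's).
# pw_generation increments on every password change; a session remembers the
# generation it was issued under, so "identify" and "verify" can be separated.
USERS = {"alice": {"pw_generation": 1}}
SESSIONS = {}  # session id -> {"user": username, "generation": int}


def issue_session(username):
    """Create a session for a user who has just proven their password."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username,
                     "generation": USERS[username]["pw_generation"]}
    return sid


def change_password(username):
    """Bump the generation; existing sessions are now stale for writes."""
    USERS[username]["pw_generation"] += 1


def identify(sid):
    """Who does this cookie claim to be?  Enough for read-only personalisation."""
    session = SESSIONS.get(sid)
    return session["user"] if session else None


def verify_current(sid):
    """Is this session still backed by the current password?  Required before writes."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    return session["generation"] == USERS[session["user"]]["pw_generation"]


def post_comment(sid, text):
    """Return ("ok", rendered) or ("login_required", draft) so the draft survives."""
    if not verify_current(sid):
        return ("login_required", text)
    return ("ok", f"{identify(sid)}: {text}")


def cookie_header(sid):
    """Set-Cookie value that keeps the session cookie off plain HTTP and away from scripts."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    phone = issue_session("alice")          # old device, logged in before the change
    change_password("alice")                # password changed in another browser
    print(identify(phone), verify_current(phone))   # alice False
    print(post_comment(phone, "hello"))             # ('login_required', 'hello')
```

The `identify`/`verify_current` split is what lets the site keep showing the logged-in header for an old cookie while still refusing writes until the user logs in again; a stricter site would drop stale sessions entirely on `change_password`.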


The header link on the simple style is basically dark blue on dark grey and is unreadable. Might want to adjust the CSS a bit there.
posted by jessamyn (retired) at 9:05 AM on April 23, 2015


Thanks, it should look better now.
posted by pb (staff) at 9:13 AM on April 23, 2015 [1 favorite]


many people access MetaFilter across many devices.

Any chance of getting device-specific persistent prefs? It's a bit annoying to visit the prefs on an iPad to update some setting and upon exit find that you now have the font settings for your desktop.
posted by Johnny Wallflower at 2:27 PM on April 23, 2015


Any chance of getting device-specific persistent prefs?

Sorry, we don't have any plans for that. That is an annoyance, but it's also something that you can quickly identify and fix when it happens. In a perfect world we'd remove all annoyances from the site, but we have to choose where to spend our effort. We'll keep this in mind.
posted by pb (staff) at 2:36 PM on April 23, 2015


A MeFi where that's the biggest annoyance would be a magical fairyland! I hope I live long enough to see it.
posted by Johnny Wallflower at 2:40 PM on April 23, 2015


How hard would it be to upgrade people's passwords encryption when they login? Then you'd just have to logout and log back in to secure your account.
posted by jeffkramer at 4:25 PM on April 23, 2015


It wasn't possible the way our system was designed. The good news is that we fixed that this time around and it will be possible to have a more seamless upgrade in the future if necessary.
posted by pb (staff) at 4:34 PM on April 23, 2015
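Two exchanges above fit together: cortex's explanation of moving stored passwords from SHA-256 to bcrypt so that a leaked database is "basically untenable" to crack, and pb's answer here that the new system can upgrade a user's hash more seamlessly next time. The following added example (not MetaFilter's code) shows one common way to get both: tag each stored record with its scheme, verify against whichever scheme the record uses, and transparently rehash with the current scheme the next time the user logs in with the correct password. The record format, the salted SHA-256 stand-in for the legacy scheme, and the use of stdlib PBKDF2 in place of bcrypt (which is not in Python's standard library) are all assumptions of this example.

```python
import hashlib
import hmac
import os

# Assumed record format: "<scheme>$<params>$<salt-hex>$<digest-hex>"
LEGACY = "sha256"           # stand-in for the older fast-hash scheme
CURRENT = "pbkdf2_sha256"   # stand-in for bcrypt: a deliberately slow KDF
ITERATIONS = 200_000        # work factor; raise it and old records rehash on login


def hash_legacy(password, salt=None):
    """One fast SHA-256 over salt+password: cheap to compute, cheap to brute-force."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{LEGACY}$1${salt.hex()}${digest}"


def hash_current(password, salt=None, iterations=ITERATIONS):
    """Slow, salted KDF: each guess costs the attacker ITERATIONS hash rounds."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    return f"{CURRENT}${iterations}${salt.hex()}${digest}"


def verify(password, record):
    """Check a password against a record of either scheme in constant time."""
    scheme, params, salt_hex, _ = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == LEGACY:
        candidate = hash_legacy(password, salt)
    elif scheme == CURRENT:
        candidate = hash_current(password, salt, int(params))
    else:
        return False
    return hmac.compare_digest(candidate, record)


def needs_rehash(record):
    """True if the record is on the old scheme or below the current work factor."""
    scheme, params, _, _ = record.split("$")
    return scheme != CURRENT or int(params) < ITERATIONS


def login(db, username, password):
    """Return True on success; upgrade a legacy record once the password is proven."""
    record = db.get(username)
    if record is None or not verify(password, record):
        return False
    if needs_rehash(record):
        db[username] = hash_current(password)   # the plaintext is only in hand right now
    return True


if __name__ == "__main__":
    db = {"bob": hash_legacy("correct horse")}   # constructed legacy row
    print(login(db, "bob", "correct horse"))      # True
    print(db["bob"].split("$")[0])                # pbkdf2_sha256
```

The upgrade can only happen during a successful login because that is the one moment the server sees the plaintext; a stored SHA-256 digest cannot be converted to bcrypt offline, which is why existing accounts on the page had to change their password by hand this time.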


pb, thanks for all your hard work on this! Everything went smoothly for me.
posted by rangefinder 1.4 at 10:30 PM on April 23, 2015


My old password was "password". Very old account. Very trusting stupid svenni.
posted by svenni at 5:51 AM on April 24, 2015


I read that as "the bot-army librarians" and wondered what the hell cortex and jessamyn were up to.

Paging Alcatraz Smedry ... Alcatraz Smedry to the white courtesy phone, please.
posted by eritain at 9:54 AM on April 25, 2015 [1 favorite]


I should rephrase my report: I got stuck in a weird logged-in-but-not-really state, and entering my password (correctly) didn't actually seem to have any effect.
posted by schmod at 7:37 AM on April 26, 2015


Is everything working for you now schmod or are you still having trouble?
posted by pb (staff) at 8:34 AM on April 26, 2015


But when are you going to stop redirecting to non-https on the front page? It kinda defeats the purpose when anyone with a wifi sniffer can copy your session cookie...
posted by pwnguin at 9:24 AM on April 27, 2015


You can turn on secure browsing in your profile. That will make every request to MetaFilter https.
posted by pb (staff) at 10:01 AM on April 27, 2015


My old password was "password". Very old account. Very trusting stupid svenni.
posted by svenni at 13:51 on April 24


HELP MY MOUSE IS MOVING BY IT SELF
posted by svenni at 13:58 on April 24
posted by jaduncan at 11:28 AM on April 27, 2015


pb: are you going to switch to HTTPS by default?
posted by jaduncan at 11:37 AM on April 27, 2015


No plans to switch to https as the default, no.
posted by pb (staff) at 12:56 PM on April 27, 2015


I changed my password today prompted by the site header suggesting I do so. I logged out and back in with my new password and the site header still prompts me to help secure Metafilter by changing my password. Is this working as designed? Knowing nothing about such things, could it not be possible not to show this header if a user has changed their password?
posted by vac2003 at 4:04 PM on April 28, 2015


Sorry about the confusion, vac2003. The top message isn't personal—it's a general message to the entire community. We've had many messages like these in the past and they're never a personal message to an individual user. You can hide the banner by clicking the x at the far right and you won't see it anymore.
posted by pb (staff) at 4:19 PM on April 28, 2015


pb Thanks for this. All good.
posted by vac2003 at 4:26 PM on April 28, 2015


Is there any way to permanently dismiss the message? The X only gets rid of it until you log out and back in, and my tablet browser doesn't retain login cookies between browser sessions so the banner shows up again every time I use the thing.
posted by Holy Zarquon's Singing Fish at 10:15 AM on April 29, 2015 [1 favorite]


No, sorry, dismissing the message is cookie-based. We'll remove the top banner soon.
posted by pb (staff) at 10:25 AM on April 29, 2015


And...the top banner is gone.
posted by pb (staff) at 10:32 AM on April 29, 2015


Logging in on a browser that I haven't used for a while, and noticed that with the fancy new theme, the Username box no longer automagically gets keyboard focus after page load. This is a minor annoyance for those of us who use KeePass. Is easy fix?
posted by flabdablet at 3:14 AM on April 30, 2015


Are you sure KeePass only works with forms that automatically send focus somewhere? We needed to remove that feature because automatically sending focus causes problems in other situations.
posted by pb (staff) at 6:36 AM on April 30, 2015


Works OK, just means I have to click in the box before telling it to do its thing. Lot of sites (including the old-themed MeFi, iirc) let me skip that step.

It's no biggie. Just thought if it was something that had been overlooked, it could get put back. If it's the way it is because reasons, I don't need it changed.
posted by flabdablet at 8:21 AM on April 30, 2015


You could always hit the Tab button when the page loads. That should put focus on the first field.
posted by pb (staff) at 8:26 AM on April 30, 2015

