Password ruleset? August 10, 2011 5:35 PM   Subscribe

What exactly are the password limitations/parameters here?

After the recent xkcd post about passwords, I decided to get all modern and changed my password to something like "Unicorn pony Narwhal".

The password change form took it fine.
I typed it twice, and it seemed happy with it.

I logged out.

That was the end of my MetaFiltering for the rest of the day. (Until I caught a Mod on chat & got things all jake again.) Nothing I did would let me back in.

Are spaces legal in passwords/passphrases?
posted by pjern to MetaFilter-Related at 5:35 PM (121 comments total) 1 user marked this as a favorite

Well, we sure don't know.
posted by BeerFilter at 6:02 PM on August 10, 2011


The cabal knows.
posted by killdevil at 6:12 PM on August 10, 2011


Yes. Wait... No?

Yes.

Definitely, definitely, no.
posted by kbanas at 6:13 PM on August 10, 2011


Yes.
posted by kbanas at 6:13 PM on August 10, 2011


I use vulcans for these matters.
posted by clavdivs at 6:17 PM on August 10, 2011


This is one of those "ask pb" things, I have no idea.
posted by jessamyn (staff) at 6:19 PM on August 10, 2011 [2 favorites]


People ... people sign out?
posted by Foci for Analysis at 6:20 PM on August 10, 2011 [38 favorites]


People sign out, but they never leave.
posted by arcticseal at 6:22 PM on August 10, 2011 [2 favorites]


Yes, spaces are just fine. There's probably an upper-limit on the number of characters. I don't know it offhand, but we store passwords as hashes. So we never store your actual password in the database—it's a secret between you and MetaFilter.

I'm not sure why you had problems today, but it wasn't related to spaces in passwords.
posted by pb (staff) at 6:23 PM on August 10, 2011


One standard thing you can do if you ever have login problems again is clear your MetaFilter cookies and try your login again. Sometimes that helps if you get a cookie out of synch somewhere along the way.
posted by pb (staff) at 6:25 PM on August 10, 2011


This is really weird, since pjern's new bank and credit card passwords all still work.
posted by cjorgensen at 6:30 PM on August 10, 2011 [44 favorites]


oh, I should clarify that when I say upper limit I'm talking about some theoretical upper limit in the hundreds or thousands of characters. Because we hash the real value we never know the true length of the password.
posted by pb (staff) at 6:34 PM on August 10, 2011


what is the smallest amount of charcters needed for a password. is it 3 or 4?
posted by clavdivs at 6:43 PM on August 10, 2011


I sit here abashed. I have a password?
posted by SPrintF at 6:44 PM on August 10, 2011


I prehash my passwords for your hacking enjoyment.
posted by blue_beetle at 6:44 PM on August 10, 2011


I premince my words for your commenting enjoyment.
posted by arcticseal at 6:52 PM on August 10, 2011


Hey check it out if you type in your Mefi password it shows up as asterisks!

googlepony79
posted by infinitewindow at 7:09 PM on August 10, 2011 [9 favorites]


DAMMIT
posted by infinitewindow at 7:09 PM on August 10, 2011 [4 favorites]


Wait, lemme try *********
posted by vidur at 7:14 PM on August 10, 2011 [1 favorite]


Works for me.
posted by vidur at 7:14 PM on August 10, 2011 [4 favorites]


pb: oh, I should clarify that when I say upper limit I'm talking about some theoretical upper limit in the hundreds or thousands of characters.

Wait, really? My password could be thousands of characters long?

*Changes password to the Treaty of Westphalia*
posted by troll at 7:26 PM on August 10, 2011 [9 favorites]


what is the smallest amount of charcters needed for a password.

We require at least five characters when you change your password. Looks like we just require one character when you create a new account. We should change that.
posted by pb (staff) at 7:33 PM on August 10, 2011 [2 favorites]


And I just did. Five characters minimum all around now.
posted by pb (staff) at 7:37 PM on August 10, 2011 [2 favorites]


Window of opportunity: thoroughly blown!
posted by Skorgu at 7:41 PM on August 10, 2011 [1 favorite]


There are so many Your Mom jokes I do not make in any given day.
posted by cortex (staff) at 7:44 PM on August 10, 2011 [16 favorites]


Like, even if your mom had an infinitewindow of opportunity, you'd never be thoroughly blown?
posted by Cold Lurkey at 7:47 PM on August 10, 2011


lack of opportunity lacking
posted by clavdivs at 7:48 PM on August 10, 2011


Your mom something something thousands of characters?
posted by Sys Rq at 8:05 PM on August 10, 2011 [1 favorite]


This is really weird, since pjern's new bank and credit card passwords all still work.

ACCORDING TO YOUR MOM
posted by unSane at 8:09 PM on August 10, 2011 [2 favorites]


My new password is "cortex mom joke refrain".
posted by dersins at 8:24 PM on August 10, 2011


Hey check it out if you type in your Mefi password it shows up as asterisks!

You can go googlepony79 my googlepony79ing googlepony79.
posted by GeckoDundee at 8:29 PM on August 10, 2011


I just made the metafilter password checker.

Go ahead and CLICK HERE and type your password in the box and hit send.

It will check your password and tell you if you are wrong or if you are correct.

I do it all for the community.
posted by hal_c_on at 9:12 PM on August 10, 2011 [2 favorites]


I do it all for the community.

So does your mom.

Doesn't work, BTW.

(Neither does your mom.)
posted by maryr at 9:43 PM on August 10, 2011 [8 favorites]


MetaTalk: it's a secret between you and Metafilter
posted by Horselover Phattie at 10:44 PM on August 10, 2011 [1 favorite]


Your favorite password sucks.
posted by Ad hominem at 10:53 PM on August 10, 2011


always pass hash before passing words
posted by mannequito at 11:25 PM on August 10, 2011


You all know the old diner rule set right? Never order hash.
posted by Cranberry at 11:41 PM on August 10, 2011 [1 favorite]


Spaces do work; mine is now "apples peaches pumpkin pie".

you were young and so was i
posted by davejay at 12:06 AM on August 11, 2011


Huh. I wonder how many lurkers have attempted to log in as davejay.
posted by troll at 2:49 AM on August 11, 2011


"apples peaches pumpkin pie".

who's not ready, holler "aye!"

5 10 15 20 25 30 35 40...
posted by DU at 2:55 AM on August 11, 2011 [1 favorite]


MetaFilter: home is whenever I'm with you
posted by arcticseal at 6:34 AM on August 11, 2011


Now I wonder if I'm the only person with a 1-character password, still.
posted by shakespeherian at 6:56 AM on August 11, 2011 [1 favorite]


5 characters? Was it 8 at some point? I ask because my current password is an 8 character variation on a boilerplate 7 char password of mine from the time I signed up. I can't imagine I would have added that extra character unprompted.
posted by dirtdirt at 7:14 AM on August 11, 2011


Talking about salted hashes always makes me hungry.
posted by desjardins at 7:28 AM on August 11, 2011


mmmmm, hash ...
I wouldn't mind knowing the upper limit for chars in a password here. I know it varies - I've seen some sites put an upper limit in the twenties. Seems like this is in some kind of uncanny valley between the length of a typical insecure password and the length of a convenient but strong password as xkcd suggests.
posted by zomg at 7:33 AM on August 11, 2011


dirtdirt, not to my knowledge. The five character minimum was set for the change password form when I put that together, and the sign-up form was only set to five characters minimum last night.

I wouldn't mind knowing the upper limit for chars in a password here.

It's the upper-limit for whatever our cryptographic hash algorithm is. Theoretically you can take any number of characters and turn it into a cryptographic hash. Maybe a computer scientist could tell us if there's an upper limit on any of the widely used cryptographic hash algorithms. You'll probably bump up against some limitation of the amount of data you can send via HTTP before you bump up against the limitations of the hashing algorithm.

In other words, we don't have an upper-limit in the twenties. You should be able to use a password that is thousands of characters long with no problems.
posted by pb (staff) at 7:40 AM on August 11, 2011


I was told there would be hash
posted by The Whelk at 7:47 AM on August 11, 2011


You'll probably bump up against some limitation of the amount of data you can send via HTTP before you bump up against the limitations of the hashing algorithm.

Full text of the Treaty of Westphalia, now in password form!
posted by Saydur at 8:05 AM on August 11, 2011


pb: "You should be able to use a password that is thousands of characters long with no problems."
http://status.metafilter.com_

Metafilter is currently down while we reconstruct our database. 
Some joker tried to use the Treaty of Westphalia as a password. 
We're not gonna cast blame or name names, but if anyone has shakespeherian's email address, please contact the mods.
We'd like to have a little "chat" with him.
posted by zarq at 8:07 AM on August 11, 2011 [8 favorites]


Vaguely (ir)relevant.
posted by zarq at 8:07 AM on August 11, 2011


I'm guessing what you typed in and what you think your password was might have been different.
posted by Ironmouth at 8:17 AM on August 11, 2011


well... solaris though v9, I think, hashed passwords, but only cared about the first 8 or 9 characters. So sure, you could have a 20 character password, but if you only typed in the first 8 or so, it'd still let you log in ..
posted by k5.user at 8:23 AM on August 11, 2011


My email address is the same as my password. Also, it's in my profile.
posted by shakespeherian at 8:24 AM on August 11, 2011


...only cared about the first 8 or 9 characters....

ugh, yeah, we don't do that. We care about all characters equally.
posted by pb (staff) at 8:26 AM on August 11, 2011 [1 favorite]


I never cared about Ziggy Sobotka.
posted by box at 8:32 AM on August 11, 2011 [2 favorites]


I did, if only for my inexplicable crush on that actor.
posted by The Whelk at 8:36 AM on August 11, 2011


after that xkcd comic, i just use post-rock album names as passwords

Currently:

HeHasLeftUsAlonebutShaftsofLightSometimesGracetheCornerofOurRooms
posted by empath at 8:54 AM on August 11, 2011 [2 favorites]


"Unicorn pony Narwhal"

The problem was "pony" -- the system was expecting another horned animal. Try "rhinoceros" instead.
posted by pardonyou? at 9:09 AM on August 11, 2011 [3 favorites]


I believe most modern password hash algorithms are iterative.
posted by KirkJobSluder at 9:25 AM on August 11, 2011


Yep - It all seems to work.
posted by seanyboy at 9:34 AM on August 11, 2011


pb: It's the upper-limit for whatever our cryptographic hash algorithm is. Theoretically you can take any number of characters and turn it into a cryptographic hash. Maybe a computer scientist could tell us if there's an upper limit on any of the widely used cryptographic hash algorithms. You'll probably bump up against some limitation of the amount of data you can send via HTTP before you bump up against the limitations of the hashing algorithm.

As KirkJobSluder, all modern password hashing systems are iterative in the sense that the input is merely providing entropy to the hashing machine. As long as you keep feeding it input, you keep adding entropy. When you're done feeding input, you look at the state of the machine and take the output from there.

So yeah, HTTP POST server accept limit or your web app's crypto buffer size is the real limit.

Time to shut down my latest start-up: apparently there's no money in password storage on mobius strips.
posted by introp at 9:39 AM on August 11, 2011


My email address is the same as my password. Also, it's in my profile.

Awesome. Now I solved that "wait for a week before your anon question is posted" problem.

Scatophilia questions for EVERYONE!
posted by hal_c_on at 10:29 AM on August 11, 2011 [1 favorite]


HeHasLeftUsAlonebutShaftsofLightSometimesGracetheCornerofOurRooms

You know what's a fun game? "Name Silver Mt. Zion's latest iteration":

Ye Olde Silver Mt. Zion Ice Cream Shoppe
posted by griphus at 10:39 AM on August 11, 2011 [1 favorite]


Gen. Lee's Silver Mt. Zion Discount Pharmaceuticals & Barbershoppe Quartet
posted by shakespeherian at 10:46 AM on August 11, 2011 [1 favorite]


hal_c_on: "Scatophilia questions for EVERYONE!"

The answer is Ella Fitzgerald. It's always Ella.
posted by zarq at 10:48 AM on August 11, 2011


Omigod guys I just tried to login on a different machine and I got the captcha. Which of you stupid fuckers was actually trying to login with my email?
posted by shakespeherian at 11:10 AM on August 11, 2011 [8 favorites]


I just wanted to make sure you weren't talking about me behind my back.
posted by The Whelk at 11:22 AM on August 11, 2011


Oh I am. I ammmmmmm.
posted by shakespeherian at 11:24 AM on August 11, 2011


I wonder how many people gave up because they couldn't spell shakesphe, shaeksp, shakesperia, shakaspear .... uh... "gmail".
posted by zarq at 11:28 AM on August 11, 2011 [1 favorite]


Now I sort of want to know what people would do with my account. Read all the back MeMails with Rory Marinich? Post inane gibberish even more inane and gibberishy than my usual?
posted by shakespeherian at 11:33 AM on August 11, 2011 [2 favorites]


On an unrelated note I have spent appox. Six days watching teens at camp get killed movies and I have a question: was the immense cloud of homoeroticism floating through this genre like a fog bank intention or just a happy accident?
posted by The Whelk at 11:33 AM on August 11, 2011 [1 favorite]


Friday the 13th, Part XXVII: Jason Comes Out, The Musical

Starring Harvey Fierstein as the Fabulous Jason Vorhees

Spoiler Alert: The plucky young male cheerleader (played by Justin Bieber) foils Jason's plan for Broadway Domination when he cracks the password on Jason's iPad.
posted by zarq at 11:42 AM on August 11, 2011 [1 favorite]


On an unrelated note I have spent appox. Six days watching teens at camp get killed movies and I have a question: was the immense cloud of homoeroticism floating through this genre like a fog bank intention or just a happy accident?

They don't call it "camp" for nothing.
posted by Sys Rq at 11:56 AM on August 11, 2011


Spoiler Alert: The plucky young male cheerleader (played by Justin Bieber) foils Jason's plan for Broadway Domination when he cracks the password on Jason's iPad.

It was 'methuselah,' just like mine.
posted by shakespeherian at 11:57 AM on August 11, 2011


after that xkcd comic, i just use post-rock album names as passwords

Sufjan Stevens song titles would work well too. I like the idea of 'Oh God, Where Are You Now? (In Pickeral Lake? Pigeon? Marquette? Mackinaw?)'
posted by maryr at 12:24 PM on August 11, 2011


It's all the damn short shorts.
posted by The Whelk at 12:26 PM on August 11, 2011


On the other hand, I think I read a comment from Gibson that there's not much point in having a passphrase with more entropy than what you'd get from the hash function. That would be still be a ridiculously long passphrase in most cases.
posted by KirkJobSluder at 12:32 PM on August 11, 2011


Post inane gibberish even more inane and gibberishy than my usual?

I can't find it now, but there was a MetaTalk thread a few years ago about a long-standing member who accidentally stayed logged in at a library. Someone else posted a bunch of comments to threads that just consisted of profanity. Anyone remember this?
posted by roll truck roll at 12:40 PM on August 11, 2011


That sounds vaguely familiar but I have no idea who it was.
posted by shakespeherian at 12:42 PM on August 11, 2011


There was also someone who logged in at a meetup and another member posted as them. Who was that ?
posted by Ad hominem at 12:53 PM on August 11, 2011


Otherwise known as ...the perfect crime.
posted by The Whelk at 12:58 PM on August 11, 2011


There was also someone who logged in at a meetup and another member posted as them. Who was that ?


loquacious.
posted by babbyʼ); Drop table users; -- at 1:25 PM on August 11, 2011


I don't know anything about hashes, but I do know that one of our programs at work has encrypted (don't know the method) passwords, but one of the admins wrote a program to decrypt them. Which I think is absolutely hilarious for a number of different reasons. Anyway, is that possible with hashes?
posted by nooneyouknow at 1:36 PM on August 11, 2011


No. Hashes are a one-way function.
posted by yerfatma at 1:42 PM on August 11, 2011


decrypting passwords in a database is trivial if you know the key used to encrypt (and are an admin with the proper access). If they are hashed and salted though, all this will give you is the hash.

ok now I'm hungry too.
posted by utsutsu at 2:10 PM on August 11, 2011


I don't know anything about hashes, but I do know that one of our programs at work has encrypted (don't know the method) passwords, but one of the admins wrote a program to decrypt them. Which I think is absolutely hilarious for a number of different reasons. Anyway, is that possible with hashes?

That's not a hash, then. It's more of a rubric. We have an app at work that does this. It's hilariously insecure.
posted by odinsdream at 2:10 PM on August 11, 2011


clear your MetaFilter cookies

brb
posted by infini at 2:16 PM on August 11, 2011


Hash and cookies, am I working for that organic catering company again?
posted by The Whelk at 2:19 PM on August 11, 2011 [2 favorites]


See, I was thinking of something totally different there.
posted by zarq at 2:24 PM on August 11, 2011


On the way up to the cabin I noticed, next to the engery drinks, was a " super slow down bronwie" labeled " a chemical come down!" with a green-colored brownie guy with shades saying " duuuude" and I doubke checked the ingrident list and nope, it was a fucking brownie, but it was completely covered in this groovy wink wink nodge nodge that I can only admire the person who decided to sell fake spacefood to teenagers.
posted by The Whelk at 3:02 PM on August 11, 2011 [1 favorite]


Oh, I've seen those - they have, like melatonin and valerian in them. Which are... not exactly what the marketing is implying.
posted by restless_nomad (staff) at 3:11 PM on August 11, 2011


"On an unrelated note I have spent appox. Six days watching teens at camp get killed movies and I have a question: was the immense cloud of homoeroticism floating through this genre like a fog bank intention or just a happy accident?"

I know with the NoES it was intentionally there.

Oh, and man, you wanna talk immense cloud of homoeroticism in an ostensibly straight horror movie? I rented Leeches! with my girlfriend and about five minutes in realized that it was just an inversion of the general titty-fest that she has to sit through with regular slasher flics. So many dudes showering together while having totally perfunctory dialogue about the one "girlfriend" who might as well have been named Ima Beard, scads of lingering shots on shaved dudes in speedos, and a long Silk-Stockings tracking shot of a cheap CGI leech slowly, sensually, crawling up this guy's leg while he slept on high thread-count sheets.

The whole movie she was saying, "Now you see what it's like!"
posted by klangklangston at 3:12 PM on August 11, 2011 [5 favorites]


MetaFilter: We care about all characters equally.
posted by Splunge at 3:26 PM on August 11, 2011 [1 favorite]


Well if we don't care about them then it's meaningless when they get hacked to death in the woods.

Oh god, leeches. That's so David DeCoteau. You know when that here! Network started to do explicitly gay soft core horror trash I was all " well it can't be worse than DeCoteau" but I was tragically wrong.
posted by The Whelk at 3:30 PM on August 11, 2011


"Please state the nature of the fashion emergency'
posted by clavdivs at 4:25 PM on August 11, 2011


WHITE BELTS.
posted by The Whelk at 4:27 PM on August 11, 2011 [1 favorite]


I skimmed most of this thread to ask an important question:

Why shouldn't I just have a unique, easy to remember, but also easy-to-unhash-or-bruteforce password for Metafilter? What exactly am I protecting?

I mean, yes, I use random strings of characters of the longest length possible for all my bank pw and important Internet Identity sites like linkedin, google, and facebook. But why Mefi or (more ridiculously, IMO) sites like the gawker network where I basically don't care if someone else is posting as BieberFever24.
posted by muddgirl at 4:31 PM on August 11, 2011


You can catch Bieber Fever if you drink water near Bieber nests and don't boil it first.
posted by The Whelk at 4:33 PM on August 11, 2011 [1 favorite]


and then next thing you know you have a fever of a hundred and bieb
posted by elizardbits at 4:43 PM on August 11, 2011


muddgirl, I had two passwords. My "secure" password that I used for anything financial, and my "throw away" password. I used the second for blogs, and anything that required a password but no money was involved (like gmail or youtube).

The gawker thing compromised my iTunes account, which meant that not only did they clear out the $3, but they left a great review for the super crappy app I bought. It took me an hour to get back control of my acount.

I could further elaborate, but that would involve me putting out details I shouldn't. Regardless, if the compromised password is only used on one site, no big deal, but I'd be mad if I lost my metafilter account.
posted by cjorgensen at 4:53 PM on August 11, 2011


Hunter2
posted by Duke999R at 5:40 PM on August 11, 2011


Oh shit...
posted by Duke999R at 5:40 PM on August 11, 2011


Here I was hoping the thread would evolve into a game of Password.
posted by The Whelk at 5:44 PM on August 11, 2011


Time to link (again) to The Password Generator ("works using Javascript, entirely within the page, no data is ever passed back to my server. Notwithstanding this, it is a very good idea to save your own copy of this page. Keeping your own copy ensures that the password generator will still be available to you even if this website goes off-line. You can also View-Source and see exactly how the javascript works, copy it to a USB stick, email it to yourself, even upload it to your own website (it's open source.) There are no dependent files, just save as a single HTML file.") thanks to Mefi's Own.
posted by vidur at 5:46 PM on August 11, 2011 [1 favorite]


but I'd be mad if I lost my metafilter account.

But for metafilter, couldn't I just email the mods and get it back? If I cared? I guess "preventing work for the mods" is a valid reason. I mean, it's sort of a moot point since I rarely log out, but if I'm on the road I like to be able to access Metafilter with a memorable password (and I don't consider four random words to be memorable).
posted by muddgirl at 7:01 PM on August 11, 2011


thanks to Mefi's Own.

I'm simultaneously disappointed that it isn't actually thanks to a user with the username Mefi's Own relieved that that name is apparently still available.
posted by kenko at 7:01 PM on August 11, 2011


One of my all-time favourite things is telling new consultants that I have set up their new email addresses and that their throwaway password is the default setting of Password123, because when on the phone, the best way to describe this is "big pee, little assword, numerals one two three". Everyone always makes me repeat ASSWORD slowly and at increasing volumes at least three times out of sheer befuddlement.
posted by elizardbits at 7:55 PM on August 11, 2011 [3 favorites]


Metafilter: ASSWORD.

I was thinking oh one day someone will come up with the best male- objectifying queer slasher horror thing but then I remembered True Blood and the remake of Fright Night exists
posted by The Whelk at 8:00 PM on August 11, 2011


Chris Sarandon was pretty damn sexy in the original, walking down those stairs eating that apple.
posted by misha at 8:20 PM on August 11, 2011


Yeah but David Tennant is basically playing a porn parody version of himself.
posted by The Whelk at 8:25 PM on August 11, 2011


must it always devolve back to pulchritude?
posted by infini at 9:04 PM on August 11, 2011


In the preview clip he peels off his David Blaine-esqie spoooooky makeup to reveal a reveal a nice normal English boy who is thrusting himself and being being totally sexually confusing to the kid they got interviewing him with an actual backpack and shit.

I saw that clip and went, well okay, if they're going to be this blunt with the sexual assault, I'm on board.
posted by The Whelk at 9:19 PM on August 11, 2011


"I'm a seamstress not a judo student. This is a mild analgeisic, take this lapis sash. See me in 24 hours for a new hat, the "stevedore" look does not become you and please have Mr. Neelix do something with the wainscoting... What are you doing to my gilt and platnum mobile emit...."
posted by clavdivs at 10:42 PM on August 11, 2011 [1 favorite]


pb - I'm pretty sure there's no limit to the amount of data you can stick in a hash function, as people use hash functions as checksums for arbitrary-length files.
posted by iotic at 8:33 AM on August 12, 2011


Thanks for the hash info everyone. Sounds like for all practical purposes there's no upper-limit on the length of your password here. And there's a five character minimum.
posted by pb (staff) at 8:49 AM on August 12, 2011


Sorry folks, you're all wrong. Metafilter's maximum password length is 25 characters.
posted by ryanrs at 12:09 AM on August 14, 2011


ARE YOU CALLING ME A LIAR?
posted by troll at 12:12 AM on August 14, 2011


God damn it, troll. I was going to explain myself with a witty paraphrase of Fermat's Last Theorem. But now you've ruined it.
posted by ryanrs at 12:21 AM on August 14, 2011


<td><input type="Password" name="user_pass" size="25" tabindex="2" /></td>

hth.
posted by ryanrs at 12:37 AM on August 14, 2011


I too am glad we had this heart-to-heart.

(Anger - [25 x {Passwords + HTML}]) ÷ Math = ♥

Let's be more-than-friends?
posted by troll at 1:00 AM on August 14, 2011


ryanrs, input size is just the display size of the field. It doesn't have any effect on the length of what the user types. You can set a maxlength attribute that does limit the number of characters a user can type, but we don't do that.
posted by pb (staff) at 8:20 AM on August 14, 2011


« Older If you really want the help of parents, maybe...   |   WeEndure? Newer »

You are not logged in, either login or create an account to post comments