Password Security Update April 17, 2015 9:19 AM

We're changing the way we store passwords at MetaFilter. You can help us test the new system by changing your password today.

A few months ago we had a discussion about MetaFilter security and several members pointed out that our method of storing passwords wasn't ideal. So we're moving to a new password encryption method. Starting today, all new accounts will use new password encryption. We can't move old passwords over to the new, more-secure system automatically. So if you'd like to switch your account over, you can do that by changing your password.

You need to know your current password to change your password. If you don't know it, you can request a change password link via email. Just make sure your email address is up to date in your site preferences so you get the link delivered to a current, working address. And here's our FAQ on changing your password.

As always, once you change your password you'll need to re-login on any device you use. We know that's a hassle, but we also want to make sure that your MetaFilter login remains a secret between you and MetaFilter.

Please post here if you have any trouble. If you happen to have trouble logging in after your password change you can also use the Contact Form to report problems.
posted by pb to Feature Requests at 9:19 AM (97 comments total) 13 users marked this as a favorite

I did it. It works!
posted by jessamyn (retired) at 9:35 AM on April 17, 2015 [1 favorite]


Same here. No issues on various devices.
posted by figurant at 9:41 AM on April 17, 2015


Working on both my PC and Android versions of Chrome.
posted by zombieflanders at 9:50 AM on April 17, 2015


we also want to make sure that your MetaFilter login remains a secret between you and MetaFilter.

I'll add to the pile of other secrets you already know about me.
posted by desjardins at 10:06 AM on April 17, 2015 [7 favorites]


A few months ago we had a discussion about MetaFilter security and several members pointed out that our method of storing passwords wasn't ideal. So we're moving to a new password encryption method.

This is classic MetaFilter and I love you guys for it.
posted by kate blank at 10:46 AM on April 17, 2015 [26 favorites]


Changed, logged out and in. Seems to work fine.
posted by Drinky Die at 10:57 AM on April 17, 2015


No issues here.
posted by Johnny Wallflower at 11:04 AM on April 17, 2015


Is this where we post our new passwords?
posted by DingoMutt at 11:11 AM on April 17, 2015 [4 favorites]


Oh right, I forgot: *********
posted by Johnny Wallflower at 11:12 AM on April 17, 2015 [6 favorites]


Yiss! So, they're going through bcrypt now?
posted by ignignokt at 11:20 AM on April 17, 2015


Yep, bcrypt.
posted by pb (staff) at 11:21 AM on April 17, 2015 [4 favorites]


Nice! OK, it worked for me. Changed password, logged out, logged back in.
posted by ignignokt at 11:22 AM on April 17, 2015


Personally, I thought that we should make passwords have to navigate through an actual crypt and retrieve a magical amulet, but pb felt like that might put too much friction in the login process.
posted by cortex (staff) at 11:23 AM on April 17, 2015 [32 favorites]


If failure resulted in the permadeath of your username, it'd make users treasure every moment and comment!
posted by ignignokt at 11:28 AM on April 17, 2015 [3 favorites]


"My voice is my passport. Verify me."
posted by blue_beetle at 11:35 AM on April 17, 2015 [15 favorites]


...pb felt like that might put too much friction in the login process.

You are standing in an open field west of a white house, with a boarded front door.
There is a small login form here.

>enter password
Entering the wrong password reveals a grue, who summarily eats you.

**** You have died ****

posted by Celsius1414 at 11:38 AM on April 17, 2015 [16 favorites]


Rock on, pb. I have a soft spot in my heart for developers who take security seriously. :)
posted by introp at 11:44 AM on April 17, 2015


cortex: "Personally, I thought that we should make passwords have to navigate through an actual crypt and retrieve a magical amulet, but pb felt like that might put too much friction in the login process."

Especially when my username dies and the other users loot my favorites.
posted by double block and bleed at 11:46 AM on April 17, 2015 [7 favorites]


I replaced my old and busted circa-2009 password with a bright and shiny one randomly generated by LastPass, and the whole process was about as painless a password change as I've ever done. Thanks pb!
posted by Strange Interlude at 11:52 AM on April 17, 2015 [1 favorite]


I... I... had to log out to test that the password change worked. That was... that was scary.

Seriously, thanks, pb, for doing this!
posted by metaquarry at 11:54 AM on April 17, 2015 [2 favorites]


password123... check. Check. Testing, testing. password123... Testing...

Yep. Works fine.
posted by It's Raining Florence Henderson at 11:57 AM on April 17, 2015 [1 favorite]


It seems like you could update at next login, no change required. It was mentioned in the previous thread.
posted by Pronoiac at 12:07 PM on April 17, 2015


Just for interest, why did you choose to go the upgrade-on-password-change route, rather than the silently-upgrade-on-login route?
posted by flabdablet at 12:10 PM on April 17, 2015


We looked at other ways to update things and asking users to voluntarily update causes the least disruption. I don't want to get into laying out in detail how our authentication works, but we felt like this was the best route without forcing logouts across various devices.
posted by pb (staff) at 12:11 PM on April 17, 2015 [2 favorites]


Done. No problem here.
posted by flabdablet at 12:19 PM on April 17, 2015


No problem here either.
posted by flabdablet's sock puppet at 12:20 PM on April 17, 2015 [5 favorites]


That guy has the same password as me, so you might want to verify that we get different bcrypt hashes to make sure the salting works as intended.
posted by flabdablet at 12:21 PM on April 17, 2015


What happens if I do nothing? Will I eventually be asked to change my password on logging in or?
posted by Lorin at 12:22 PM on April 17, 2015


nice try, but you'll not get the combination to my luggage that easily ..
posted by k5.user at 12:23 PM on April 17, 2015


What happens if I do nothing?

Right now, nothing happens if you do nothing. At some point down the road we might ask folks who haven't updated yet to do so, but there's no requirement to change now.

...you might want to verify that we get different bcrypt hashes...

The system works!
posted by pb (staff) at 12:25 PM on April 17, 2015 [4 favorites]
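Pronoiac's and flabdablet's question above (upgrade at next login vs. on password change) and flabdablet's salting check both come down to the same small piece of logic. The following is an added example and not MetaFilter's code (pb explicitly did not describe their authentication); it assumes a hypothetical unsalted SHA-1 legacy scheme and uses standard-library PBKDF2 as a stand-in for bcrypt so it runs without extra packages, verifying either format, rehashing a legacy entry when the plaintext is available at login, and showing that two users with the same password no longer share a stored value.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical legacy scheme, constructed for this example: an unsalted SHA-1 hex
# digest. Two users with the same password get the same stored value.
def legacy_hash(password):
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library, with a fresh
# 16-byte random salt per password. bcrypt behaves the same way for the points
# shown here (per-password salt, slow to compute, self-describing stored string).
ITERATIONS = 200_000

def new_hash(password, salt=None):
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )

def verify(password, stored):
    """Check a password against either stored format, using constant-time compares."""
    scheme = stored.split("$", 1)[0]
    if scheme == "sha1":
        return hmac.compare_digest(legacy_hash(password), stored)
    if scheme == "pbkdf2":
        _, iters, salt_b64, dk_b64 = stored.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iters)
        )
        return hmac.compare_digest(base64.b64encode(dk).decode("ascii"), dk_b64)
    return False  # unknown scheme: never accept

def needs_upgrade(stored):
    return not stored.startswith("pbkdf2$")

def login(users, username, password):
    """Authenticate; on success, silently re-store a legacy hash in the new scheme.

    The plaintext is only in hand at login or at a password change, which is why
    both migration routes discussed in the thread hook in at one of those points.
    """
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if needs_upgrade(stored):
        users[username] = new_hash(password)
    return True

def demo():
    # Constructed sample user table: two accounts sharing a password.
    users = {"flabdablet": legacy_hash("hunter2"), "sock_puppet": legacy_hash("hunter2")}
    same_legacy = users["flabdablet"] == users["sock_puppet"]   # True: no salt
    assert login(users, "flabdablet", "hunter2")
    assert login(users, "sock_puppet", "hunter2")
    same_new = users["flabdablet"] == users["sock_puppet"]      # False: per-user salt
    return same_legacy, same_new

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The transparent path depends on the plaintext being present at login, so it cannot migrate accounts that never log in; that is the gap pb's later nudge to stragglers would cover.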


At some point down the road we might ask folks who haven't updated yet to do so

Maybe you could run John the Ripper against your own database for a couple months, and prioritize people whose passwords it cracks?

Folks like me who use long, randomly generated, site-unique passwords are pretty much immune from password compromise as long as the site database uses any cryptographically strong one-way hash for password storage, whether CPU-intensive or not, and there's no real reason to pester those.
posted by flabdablet at 12:35 PM on April 17, 2015 [1 favorite]


So when I logged out I got the modern theme, which comes as a bit of a WTF when you're used to classic. My procedure was

- changed password
- logged out
- logged in with new password
- changed password back to previous password
- logged out again
- logged in with original password.

I assume I'm back to the password that my fingers know how to type, but it's now stored in the more secure bcrypt style?
posted by benito.strauss at 12:48 PM on April 17, 2015 [1 favorite]


Oddly, my front page contact activity went from hidden to shown after all that. This was on the same device, the only one I use. No biggie, just interesting to note.
posted by benito.strauss at 12:51 PM on April 17, 2015


...but it's now stored in the more secure bcrypt style?

Yep, that's right. When you log out of the site it clears all of your site-related cookies which include your display preferences. The default theme that non-members see is the modern theme so that's what you see when those cookies have been cleared. Same with the sidebar preferences. That cookie was cleared on logout, click the x again and it will be set until you log out or clear your cookies again.
posted by pb (staff) at 12:54 PM on April 17, 2015 [1 favorite]


I feel like I just voted.
posted by slogger at 12:59 PM on April 17, 2015 [4 favorites]


you can go hunter2 my hunter2-ing hunter2
posted by maqsarian at 1:00 PM on April 17, 2015 [5 favorites]


- changed password back to previous password

Thanks pb, and thanks benito.strauss for covering my followup question. I broke down and changed my password but it's nice to know the old one isn't blacklisted or anything. Painless.
posted by Lorin at 1:07 PM on April 17, 2015 [1 favorite]


I wanted to move to the new system but I didn't want to actually change my password. So I changed it twice, once to a temp and again to my preferred password.

And then logged out and in. And it worked fine.
posted by Chocolate Pickle at 1:18 PM on April 17, 2015


You work at a place with an aggressive password changing policy, you develop skillz. "You're going to remember my last six passwords and prevent me from re-using them? You do know that there's a number bigger than six, don't you?"
posted by benito.strauss at 1:20 PM on April 17, 2015 [12 favorites]


Nice. Done. Thank you for not creating idiotic structural restrictions for us to follow when we have to create our passwords.
posted by zarq at 1:23 PM on April 17, 2015 [2 favorites]


As a dedicated nethack player in my youth, who nonetheless never ascended, I'm really really glad this was your choice.
posted by nat at 1:28 PM on April 17, 2015


Old system: XOR
New System: STRREV then XOR
Conclusion: Uncrackable!
posted by blue_beetle at 1:31 PM on April 17, 2015


Well that was unexpected. I logged out, got the new weirdo theme.. but then when I logged back in, it went back to classic professional white background.

I may have metafilter open in >10 tabs on several different desktops.. could that be the odd? Do I have to find and close all those tabs?
posted by nat at 1:32 PM on April 17, 2015


Do I have to find and close all those tabs?

You'll need to re-login on any device/browser combo where you use MetaFilter. If you have already-open tabs, you'll be redirected to a login form when you try to add a comment. So you could close those open tabs across devices just to save that hassle.
posted by pb (staff) at 1:40 PM on April 17, 2015


benito.strauss and pb just relieved Granny's mind and muscle memory...

*puts it on post it to do list because it would be too traumatic right now to even contemplate*

*ten years*

*bada bing*

no that's not my password
posted by infini at 1:55 PM on April 17, 2015


LOG OUT???
posted by infini at 1:57 PM on April 17, 2015 [4 favorites]


I changed my password. I logged out. I logged in with new password. So far, all is well.

I go to log into mefi chat. Neither password works.

Houston, we have a problem.
posted by Michele in California at 2:08 PM on April 17, 2015


Yep, I'm seeing the same thing. I'll take a look.
posted by pb (staff) at 2:09 PM on April 17, 2015 [1 favorite]


Nice! OK, it worked for me. Changed password, logged out, logged back in.

Just FYI, I changed my password while logged into the desktop version of Chrome (Version 42.0.2311.90 m) on the PC and did NOT logout and log back in, nor was I prompted to do so.

I was prompted on various iDevices though.
posted by Brandon Blatcher at 2:09 PM on April 17, 2015 [1 favorite]


Yeah, there's no reason to log out if you're just using the password change form and you won't be prompted to.
posted by pb (staff) at 2:10 PM on April 17, 2015 [1 favorite]


What, we have to change passwords every 12 years now? Ugh.
posted by small_ruminant at 2:23 PM on April 17, 2015 [32 favorites]


Added a note to the post about the issue with Chat not accepting new-style passwords; pb's checking out the details, and it looks like something we can resolve with a little bit of elbow grease next week, but for now just be aware that it's an issue if you're a Chat-inclined type.
posted by cortex (staff) at 2:30 PM on April 17, 2015 [1 favorite]


Houston, we have a problem.

Yep, that is a big problem. The chat server software we use does not support the new type of password encryption we're using. It's something I might be able to add but that will take time and testing. This was an oversight, and I apologize for missing it in testing. I'll try to get Chat working with the new passwords as soon as I can.
posted by pb (staff) at 2:31 PM on April 17, 2015 [2 favorites]


Done. Thanks for not breaking LastPass!
posted by BrashTech at 3:07 PM on April 17, 2015


Are you sure it was a good idea to do this now so soon after the John Oliver/Edward Snowden interview? Because now half of all MeFites will change their passwords to “margaretthatcheris110%SEXY”... I know I will.
posted by oneswellfoop at 3:33 PM on April 17, 2015


I'm not falling for THAT old trick.
posted by cooker girl at 4:06 PM on April 17, 2015


All done, all good. OOOH baby there's so much entropy going on right now, I just feel like nothing at all.
posted by Divine_Wino at 4:29 PM on April 17, 2015


I just changed my password on my profile page without logging out or in. Does that work? Hello? Hello?
posted by Cranberry at 6:49 PM on April 17, 2015 [1 favorite]


Did it. Logged out, logged in, posted, laughed, cried, A+++ would DP(;alskdf87^ again!
posted by Joseph Gurl at 8:22 PM on April 17, 2015


You can log out any time you like, but you can never leave.
posted by theora55 at 8:31 PM on April 17, 2015 [5 favorites]


now half of all MeFites will change their passwords to “margaretthatcheris110%SEXY”... I know I will.

I will judge you on that choice. yay bcrypt
posted by holgate at 8:43 PM on April 17, 2015


pb: "You'll need to re-login on any device/browser combo where you use MetaFilter. If you have already-open tabs, you'll be redirected to a login form when you try to add a comment."

So will I be reprompted once for each of the 30 or so tabs I have open on each device or will I be reprompted for each tab? IE: will I have to login once per device or once per tab?
posted by Mitheral at 8:51 PM on April 17, 2015


Yet another example of pb's awesomeness. Thank you sir!
pw changed & all worked fine afterwards here, in no small part thanks to my security blanket, Lastpass. I don't even try to remember pwords anymore, so they're all crazyass long & complex & I never fret over changing or recalling any, save for the LP one.
posted by peacay at 10:23 PM on April 17, 2015


I'd be afraid to go in to Mefi chat. Now I am doubly safe. My master doesn't realize I borrow the phone to post, meow.
posted by Oyéah at 10:32 PM on April 17, 2015 [2 favorites]


Yay, old, not-at-all-secure password replaced with ridonkulous autogenerated nonsense. Boy, I sure hope LastPass is a secure basket...
posted by Wrinkled Stumpskin at 2:08 AM on April 18, 2015


I'd be afraid to go in to Mefi chat. Now I am doubly safe. My master doesn't realize I borrow the phone to post, meow.
posted by Oyéah at 10:32 PM on April 17


You should totally go into chat just as soon as you can. Many people there are cat fans. If you then posted cute selfies wherein you are doing something hilariously annoying to your "master" (aka your personal slave who pays the bills and supplies you food), they would love you and you would be an instant celebrity.
posted by Michele in California at 11:11 AM on April 18, 2015


Cats don't have masters, they have staff.
posted by flabdablet at 11:23 AM on April 18, 2015 [3 favorites]


benito.strauss: "You work at a place with an aggressive password changing policy, you develop skillz. "You're going to remember my last six passwords and prevent me from re-using them? You do know that there's a number bigger than six, don't you?""

This stuff amuses me - I work with a couple of systems that have a 'change your password every month and can't use one you've used in the last year' policy. Everyone I know just uses the same password every month with the numeral for the month added to the end. This means it's less secure than actually requiring people to use strong passwords or actually securing the passwords properly in the first place. But they get to inconvenience people on a regular basis, so I guess it has that going for it.
posted by dg at 2:30 PM on April 18, 2015


Hmm, last night I dreamed I was changing the passcode on my iPhone but my hand slipped at the last minute and I had no idea what numbers I'd pressed. I woke up thinking OH DEAR GOD WHAT IS MY NEW PASSCODE AAAAAGGGGHHH

But I just changed my MeFi password and it worked fine. Phew!
posted by hurdy gurdy girl at 11:59 PM on April 18, 2015


I changed my password, logged out, logged in with new password, all is well.

But when I try to change my e-mail in my preferences, my password is not recognized. I've tried it several times.
posted by bryon at 1:02 AM on April 19, 2015


I've just tested the same thing as bryon, and I see the same result. Tried the old password as well just in case, but it didn't work either.
posted by flabdablet at 10:50 AM on April 19, 2015


Thanks for the report. The change email form should be working now.

will I have to login once per device or once per tab?

Once per device should do it.
posted by pb (staff) at 11:31 AM on April 19, 2015


.
posted by carmicha at 4:35 PM on April 19, 2015


RAMSES II
posted by shakespeherian at 6:31 PM on April 19, 2015 [1 favorite]


Yep, the e-mail change is good now. Thank you.
posted by bryon at 9:50 PM on April 19, 2015


small_ruminant: "What, we have to change passwords every 12 years now? Ugh."

Man, Matt leaves and the place immediately turns fascist.
posted by Chrysostom at 6:55 AM on April 20, 2015 [2 favorites]


Also, no more making popcorn in the breakroom microwave.
posted by cortex (staff) at 7:05 AM on April 20, 2015 [4 favorites]


*butters and salts cortex*
posted by infini at 7:25 AM on April 20, 2015 [2 favorites]


Are you implying he's a little corny?
posted by taz (staff) at 7:28 AM on April 20, 2015 [1 favorite]


Insinuating.
posted by infini at 7:41 AM on April 20, 2015 [2 favorites]


I get annoyed when someone reheats fish in the microwave, stinking up the whole office.

So inconsiderate.
posted by double block and bleed at 5:39 PM on April 20, 2015


Are you going to post this to the sidebar, or wait until the chat thing is solved?

(I still have my original circa 2001 password and am not changing it la la la la I can't hear you.....)
posted by anastasiav at 6:59 PM on April 20, 2015


Yeah, the idea was to kind of float it for MetaTalk regulars to try out, and then pb could iron out any bugs before we sidebar it (or maybe even banner it) for the wider site membership. Not sure what the timeline is on pb feeling like the bugs are suitably ironed, but I imagine the chat thing is part of getting there.
posted by LobsterMitten (staff) at 7:02 PM on April 20, 2015


Help! The web is broken my old symbian nokia. I can do everything except try and log in - gives me a web error message. Can't log into gmail either - some change in the web doesn't take this old OS into account anymore?
posted by infini at 2:09 AM on April 21, 2015


don't want to buy a new phone just for metafilter.... though it might come to that
posted by infini at 2:10 AM on April 21, 2015


"web unable to perform function" ONLY when I try to log in
posted by infini at 2:18 AM on April 21, 2015


Sorry infini, this sounds like a phone issue rather than something we can fix from our end. A good first step is searching around to see if other people are having this problem with your phone model. There might be fixes or work-arounds out there.
posted by pb (staff) at 7:22 AM on April 21, 2015


Thanks for noticing the outlier, pb, May your maize crop be fruitful this year and may your goats have twins.

I did some homework. The shelf life of the OS is over and the device is on life support. Whatever the problems are, it's due to being obsolete - trying to log in to Gmail is giving me the same error so I think it's got something to do with "security" at the "log in" stage of the procedure. I SHOULD NEVER HAVE LOGGED OUT THAT DAY I KNEW IT WOOOOOOOOOOOOE

Since I'm not keen on Android OR iOS, I'll be moving back to a Nokia that lets me use Opera until I figure out what my device options are.

If anyone has heard of Sailfish and Jolla, would appreciate your thoughts....
posted by infini at 9:36 AM on April 21, 2015 [1 favorite]


Oh! infini, are you getting "certificate error?" Your phone might have outdated SSL certificates. (I don't know offhand how to fix this or if they're updatable.)
posted by Pronoiac at 1:10 PM on April 21, 2015 [1 favorite]


You work at a place with an aggressive password changing policy, you develop skillz. "You're going to remember my last six passwords and prevent me from re-using them? You do know that there's a number bigger than six, don't you?"

This is what "minimum password age" is for -- "you cannot change your password yet. Please try again in X days..."
posted by aydeejones at 10:22 PM on April 21, 2015


This stuff amuses me - I work with a couple of systems that have a 'change your password every month and can't use one you've used in the last year' policy. Everyone I know just uses the same password every month with the numeral for the month added to the end. This means it's less secure than actually requiring people to use strong passwords or actually securing the passwords properly in the first place. But they get to inconvenience people on a regular basis, so I guess it has that going for it.

You make it sound like strong passwords and frequent changes are mutually exclusive. LastPass etc are changing the game and it's looking more and more like the "strong password you never change" adage is turning into a sucker's game. There are a lot of reasons to change a password every "X" days and to me the time it takes to crack a password isn't a factor at all. It's not that it takes 30-90 days to crack a password using whatever means. It's that changing it routinely mitigates the damage caused by more elaborate or professional attacks that don't make themselves obvious, doing hidden damage for untold amounts of time because someone thought their strong password simply stood in isolation in defiance of all myriad ways to compromise and intercept it.
posted by aydeejones at 10:28 PM on April 21, 2015


But no, I haven't changed my enormous LastPass password since I started using it, why do you ask? It's all such complicated risk management shit that depends on a constantly evolving "threat landscape," but there are so many pseudo-adages crossing every dimension of password management that they all demand a little interrogation from time to time.
posted by aydeejones at 10:32 PM on April 21, 2015


Chat is now set to handle the more secure passwords. You should be able to log in now if you updated. Sorry about the hassle.
posted by pb (staff) at 10:38 AM on April 22, 2015 [1 favorite]


[Removed the note about Chat from the post. Thanks everyone who stopped by to test!]
posted by pb (staff) at 11:30 AM on April 22, 2015 [1 favorite]


The "help secure MeFi by changing your password" top-of-page banner was momentarily alarming: I already changed it last week, wondered why I was being asked to change it again OMG WAS MEFI HACKED?

(It'd be kinder if the banner was shown only to users still on legacy passwords, but I appreciate that's more specific and throwaway work than simply turning on the "banner to all users" bat-signal.)
posted by We had a deal, Kyle at 2:07 PM on April 22, 2015


Sorry about the scare. Just click the x on the far right in Modern or the hide link in Classic to remove it.

I agree it'd be nice to only show it for people who haven't made the switch, but it'd require another query on every page view. Just know the banner isn't personal and you can hide it if it doesn't apply to you.
posted by pb (staff) at 2:11 PM on April 22, 2015


Changed my password across my collection of devices - PC, iPad and *gasp* BB10.

All seamless.

Mainly posting to say: thanks for doing the work involved to improve security! I really appreciate it.
posted by mandolin conspiracy at 5:06 PM on April 29, 2015

