
Concerning password character limits

Original Post
Cruxic · · Corvallis, OR · Joined May 2011 · Points: 15

Hello,

I recently tried to change my mountain-project password but was given this error:

"Your password must be between 6-20 characters using only letters and numbers."

This alpha-numeric limitation goes against the modern best-practices that passwords should contain special characters. Such passwords are stronger.

It also raises a deeper concern: this limitation could indicate that passwords are being stored as plain-text in the database, as opposed to the industry-standard salted hash.

Lifting this restriction might be as simple as changing a regex somewhere. If the problem is deeper I'm willing to volunteer and help fix it (I'm a professional software developer by day).

Thanks for creating an awesome place to share our love of the mountains!

grog m · · Saltlakecity · Joined Aug 2012 · Points: 70

Please don't.

Josh Janes · · Unknown Hometown · Joined Jun 2001 · Points: 9,954

Totally agree. The inability to use a special character is pretty archaic not to mention insecure.

jkw · · Unknown Hometown · Joined Apr 2015 · Points: 10

Actual best practices for password requirements are to allow any characters but not require anything in particular except to enforce a minimum length of at least 10.
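As an added illustration (not code from the thread or from Mountain Project), this shows the regex implied by the quoted "6-20 characters using only letters and numbers" error beside the length-only rule recommended above, plus a salted standard-library hash that stores any password as a fixed-size digest, which is the reason a hashed store has no need to restrict the character set. The 10/128 length bounds, the iteration count and the sample passwords are assumed or constructed values.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Legacy rule quoted in the thread: 6-20 characters, letters and digits only.
LEGACY_RULE = re.compile(r"^[A-Za-z0-9]{6,20}$")

def legacy_validate(password: str) -> bool:
    """True if the password satisfies the alphanumeric 6-20 rule from the error message."""
    return LEGACY_RULE.fullmatch(password) is not None

def modern_validate(password: str, min_length: int = 10, max_length: int = 128) -> bool:
    """Length-only rule: any character allowed, minimum 10 as suggested in the thread.

    The 128-character ceiling is an assumed value; it exists only to bound the cost of
    the hashing step below, not to constrain the character set.
    """
    return min_length <= len(password) <= max_length

# Assumed iteration count, kept small so the example runs quickly; tune for production.
PBKDF2_ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 from the standard library; returns (salt, digest).

    The digest is always 32 bytes regardless of the password's length or character
    set, so a hashed store has no storage reason to restrict either.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # Constructed sample inputs: one fits the legacy rule, one is a passphrase it rejects.
    for pw in ("abc123", "correct horse battery staple", "Tr0ub4dor&3"):
        print(f"{pw!r}: legacy={legacy_validate(pw)} modern={modern_validate(pw)}")
    salt, digest = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
```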

Marc801 C · · Sandy, Utah · Joined Feb 2014 · Points: 65
Josh Janes wrote: Totally agree. The inability to use a special character is pretty archaic not to mention insecure.
Arguably a password created using the first letter of each word of a 20 word pass-phrase can be much more secure than an 8 alpha-numeric character password that contains a single special character.

In any case the use of special characters should be allowed but not required.
Rick Blair · · Denver · Joined Oct 2007 · Points: 266

You guys are incorrect. Length is the number one determining factor for password strength. Special character requirements often prevent people from memorizing long passwords or pass phrases. Letters, numbers and long passwords are what is needed. Not against special chars, just against requiring them.

jkw · · Unknown Hometown · Joined Apr 2015 · Points: 10
Rick Blair wrote: You guys are incorrect. Length is the number one determining factor for password strength. Special character requirements often prevent people from memorizing long passwords or pass phrases. Letters, numbers and long passwords are what is needed. Not against special chars, just against requiring them.
That's what two of us already said.
Rick Blair · · Denver · Joined Oct 2007 · Points: 266
jkw wrote: That's what two of us already said.
It's Mountain Project, we need at least 12 people to say the same thing worded differently.

Seriously though, I started typing my response and got distracted by work, when I came back and hit "submit" I was down the list.
jkw · · Unknown Hometown · Joined Apr 2015 · Points: 10
Rick Blair wrote: It's Mountain Project, we need at least 12 people to say the same thing worded differently. Seriously though, I started typing my response and got distracted by work, when I came back and hit "submit" I was down the list.
It's all good. Sorry if I sounded like a wanker. When it comes to this stuff it's probably good to have lots of people say the same thing, as it seems like very few people get it.
Marc801 C · · Sandy, Utah · Joined Feb 2014 · Points: 65
jkw wrote: It's all good. Sorry if I sounded like a wanker. When it comes to this stuff it's probably good to have lots of people say the same thing, as it seems like very few people get it.
And it looks like we posted at about the same time.
Looking at some of the active threads on MP at the moment, this one has a good chance of devolving into a debate about pre-hung draws on a sport route and the nuances between redpoint and pinkpoint as well. Now how we get there from here is open to conjecture.
jkw · · Unknown Hometown · Joined Apr 2015 · Points: 10
Marc801 wrote: And it looks like we posted at about the same time. Looking at some of the active threads on MP at the moment, this one has a good chance of devolving into a debate about pre-hung draws on a sport route and the nuances between redpoint and pinkpoint as well. Now how we get there from here is open to conjecture.
Does the send count if I go to tick my route on MP while at the anchors and it takes me two tries to log in because my password was too complicated to type while pumped?
Jack Servedio · · Raleigh, NC · Joined Feb 2016 · Points: 35

The sign up and login are also done in the clear - not over TLS. So, if you are using a laptop on an open network (or a larger network like Panera), your password is being sent in plain text as well. The passwords appear to be plain MD5 and are stored and sent via cookies.

The password requirements are the least of your worries. Don't use the same password on ANY forum as you do for something important. There isn't a whole lot of information that can be stolen from MP.

Not to mention that "PMs" are actually e-mails sent via the server - setting the "reply-to" address as your actual e-mail address. If you don't use your real name, it exposes your e-mail address to the user you sent a PM to.

tl;dr - Don't use the same password for MP as you do for important stuff - it can be very, very easily intercepted.

patto · · Unknown Hometown · Joined Jul 2012 · Points: 25
jkw wrote: Actual best practices for password requirements are to allow any characters but not require anything in particular except to enforce a minimum length of at least 10.
THIS. Most password requirements that sites implement make remembering the password difficult and thus it is more likely to be written down and insecure.

Pass-phrases are far better.

I think THIS summarises it quite nicely.
Passwords, xkcd

For those who aren't mathematically inclined, consider that EVERY 3mx3m square on earth has now been given a unique three word designator. All 5,700,000 MILLION places on earth.

The ranger's office in camp for example is "several.amended.crispy".
Phil Lauffen · · Innsbruck, AT · Joined Jun 2008 · Points: 3,098

And it's... Mountain Project. Your important passwords will have special characters. What are you worried about? Someone posting dumb shit on forums in your name? That job is already taken care of.

Ryan Nevius · · Perchtoldsdorf, AT · Joined Dec 2010 · Points: 1,837
patto wrote: THIS. Most password requirements that sites implement make remembering the password difficult and thus it is more likely to be written down and insecure. I think THIS summarises it quite nicely.
Again, nobody suggested that special characters should be required.
Marc801 C · · Sandy, Utah · Joined Feb 2014 · Points: 65

Unfortunately that xkcd advice doesn't quite work as well as it once did. Read this if you want more:
schneier.com/blog/archives/…

And that is 2 years old at this point. I suspect even that advice is a little dated.

christopher adams · · Unknown Hometown · Joined Apr 2006 · Points: 0
Cruxic wrote: Hello, I recently tried to change my mountain-project password but was given this error: "Your password must be between 6-20 characters using only letters and numbers." This alpha-numeric limitation goes against the modern best-practices that passwords should contain special characters. Such passwords are stronger. It also raises a deeper concern: this limitation could indicate that passwords are being stored as plain-text in the database, as opposed to the industry-standard salted hash. Lifting this restriction might be as simple as changing a regex somewhere. If the problem is deeper I'm willing to volunteer and help fix it (I'm a professional software developer by day). Thanks for creating an awesome place to share our love of the mountains!
For this type of thing, a risk based approach is appropriate.

If someone steals your mountain project password, what's the worst thing that can happen?

Somebody messes with your ticklist or ruffles a few feathers on the board?

L O L
Jack Servedio · · Raleigh, NC · Joined Feb 2016 · Points: 35

Why does the effort it takes to brute force your password matter at all when it is being sent in cleartext?

Chris Owen · · Big Bear Lake · Joined Jan 2002 · Points: 11,617
patto · · Unknown Hometown · Joined Jul 2012 · Points: 25
Marc801 wrote: Unfortunately that xkcd advice doesn't quite work as well as it once did. Read this if you want more: schneier.com/blog/archives/… And that is 2 years old at this point. I suspect even that advice is a little dated.
Have a read of the comments. Start using many multiple random words and you quickly bring up the 'entropy'.

But more to the point this is a forum not a bank. Regardless, any online password routine shouldn't allow high speed password guessing. For more important things it should lock you out.

As far as I'm concerned my forum accounts are insecure to a hacker. Do I care?
Marc801 C · · Sandy, Utah · Joined Feb 2014 · Points: 65
patto wrote: As far as I'm concerned my forum accounts are insecure to a hacker. Do I care?
If someone started posting child porn or death threats toward public or political figures under your name/account, I think you might care a bit.