Word Definition

A web site on which I was registering said "Your password must be alpha-numeric and a minimum of 6 characters."  I had an argument about this language with the customer service agent, but I may be wrong.  I would interpret this as meaning that all the characters in the password must be from the alpha-numeric set, as opposed to, say, symbol characters.  Therefore "asdfasdf", "12345678", and "asdf1234" would all meet the stated test.  The customer service agent said that I was totally wrong, and went so far as to inform me their web designer has a PhD in English.  Her contention was that alpha-numeric clearly means "must contain both a minimum of one alphabetical character and at least one numeric character."   In my example above, only "asdf1234" would therefore qualify.   Anyone have an opinion on this, or a definitive source?

If, from this and previous posts, folks out there are drawing the conclusion that I am losing patience with customer call centers, they would be correct.


  1. AC:

    Most definitions I found say something like "pertaining to a character set that contains letters and numerals and usually other special characters." I would read "must be alpha-numeric" as describing the set you are limited to when choosing characters, and not as requiring both letters and numbers.

  2. CRC:

    My comment is that the statement "Your password must be alpha-numeric and a minimum of 6 characters." has the ambiguity that one might expect from a PhD in English. ;-)

  3. ErikTheRed:

    Your argument is correct. Their problem is that they're miscommunicating their intent. That's all moot, because you'd be crazy to do business with an organization who hires a PhD in English to design their web site.

    Generating "good" passwords is a wonderfully complex subject because password generators for brute-force attempts have gotten pretty damned smart. We're just about to the point where there's no good way to have passwords that are easy to memorize and capable of withstanding a reasonable brute-force attack. IMHO, at this point the focus needs to shift to preventing brute-force attacks. This is a fun subject too, because the most obvious answer ("disable the account after n attempts") allows someone to easily perform a denial-of-service attack on whatever service you're trying to provide - they can effectively shut you down by deliberately locking people's accounts with bad attempts.

    I'll stop rambling now, but the point is that they'd (and you'd) be better off if they made their login process smarter rather than worrying about how many characters of this or that you have in your password.

  4. jwh:

    The wording on the web site is obviously imprecise. 'Alpha-numeric' has always meant to me that characters are drawn from any combination of alpha and/or numeric characters. What they should have said is something like this:

    "Your password must be a minimum of 6 characters long and contain a mix of alpha and numeric characters"

  5. Bill:

    Speaking of ambiguity, it isn't clear to me whether the Service Rep referred to the designer's PhD as justification or an excuse.

    FYI, I hung up on two calls today to two different companies when the Reps asked for the information I had been required to enter in order to get to the Reps. I'm not getting much done, but a lot of hostility is being vented!

  6. Zach:

    POSIX regular expressions allow [:alnum:] which is equivalent to [A-Za-z0-9], so 6 of these would be the regular expression [A-Za-z0-9]{6,}. And that expression would indeed match "asdfasdf", "12345678", and "asdf1234", provided their max length is greater than or equal to 8.

    With regard to data entry, I'll take POSIX's definition over that from a PhD in English any day.

  7. agammamon:

    1. I agree with the others - alpha-numeric means from the set of alphabetical and numerical characters, but doesn't require both.

    2. It's an indication of the ridiculous amount of importance we place on degrees that a guy who spent all that time and effort to get an English degree is actually making money designing websites.

    3. Seriously - an English PhD? What sort of remotely quasi-original work could a student do in this field?

  8. Jared:

    (1) For what it's worth, I think you've got the right definition. Anytime I see "alphanumeric" used it is referring to a token composed of symbols from the set of letters and numbers.
    (2) Having a PhD in English is entirely irrelevant to your ability to define a word, especially one belonging to a technical jargon. English PhDs aren't awarded due to mastery of definitions any more than Economics PhDs are given for figuring the right tip for the pizza guy.
    (3) A simple way to defend against brute-force attacks is to require a time delay between entering the incorrect password and re-trying. Even a two second delay will make force attacks pretty unattractive without disrupting the user experience much, especially if you enforce the delay in the time between submitting the password and reporting the result back to the client. Better yet, link the delay to a geometric series, so you have to wait maybe twice as long between successive attempts, throw in a CAPTCHA after the first few misses, and your black hat is going to go looking for some lower hanging fruit.
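
Added example (not part of Jared's comment or of any site discussed here): a per-account throttle whose delay doubles after each failed login, with a CAPTCHA flag after the third miss. The class name, the 900-second cap and the in-memory store are assumptions; the cap means an account is slowed but never disabled outright, which is the lockout problem ErikTheRed raises above, and early retries are rejected rather than held open.

```python
import time

class LoginThrottle:
    """Per-account retry delay that doubles after each failed login."""

    def __init__(self, base=2.0, cap=900.0, captcha_after=3, clock=time.monotonic):
        self.base = base                    # first delay: Jared's two seconds
        self.cap = cap                      # assumed ceiling, so an account is never locked for good
        self.captcha_after = captcha_after  # "after the first few misses"
        self.clock = clock                  # injectable so the logic can be tested without sleeping
        self._state = {}                    # account -> (consecutive failures, earliest next attempt)

    def delay_for(self, failures):
        """Geometric series base, 2*base, 4*base, ... limited to cap seconds."""
        if failures <= 0:
            return 0.0
        return min(self.cap, self.base * 2 ** (failures - 1))

    def retry_after(self, account):
        """Seconds still to wait; 0.0 means an attempt is allowed now."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def captcha_required(self, account):
        return self._state.get(account, (0, 0.0))[0] >= self.captcha_after

    def attempt(self, account, check):
        """check is a zero-argument callable that verifies the submitted password."""
        if self.retry_after(account) > 0:
            # Too early: the password is not evaluated and the wait is not extended.
            return "throttled"
        if check():
            self._state.pop(account, None)  # success clears the failure count
            return "ok"
        failures = self._state.get(account, (0, 0.0))[0] + 1
        self._state[account] = (failures, self.clock() + self.delay_for(failures))
        return "denied"

if __name__ == "__main__":
    now = [0.0]                             # constructed fake clock for the demonstration
    throttle = LoginThrottle(clock=lambda: now[0])
    for _ in range(4):
        print(throttle.attempt("alice", lambda: False), throttle.retry_after("alice"))
        now[0] += throttle.retry_after("alice")
```
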

  9. David:

    Our security requirements state:
    All passwords must be at least eight characters long and must contain characters from
    at least three of the four categories listed below:

    1). Must include [at least 1] Number (between 0 and 9)
    2). Must include [at least 1] Special Character (!@#$%^&*())
    3). Must include [at least 1] Upper Case Character (ABCDE...)
    4). Must include [at least 1] Lower Case Character (abcde...)

    Their specified requirements were vague and the rep clearly wrong. To me alphanumeric would mean any combination of letters and numbers and needn't include both.
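
Added example (not from David's organization or the site in the post): the two readings of "alpha-numeric" argued over in the post, using Zach's expression for the first, next to David's three-of-four rule, run over the post's three passwords. The function names are assumptions, and the last two sample passwords are constructed for the comparison.

```python
import re

ALNUM_ONLY = re.compile(r"[A-Za-z0-9]{6,}")  # Zach's expression, applied to the whole string
SPECIALS = set("!@#$%^&*()")                 # the special characters David's policy lists

def alnum_only(pw):
    """Reading 1: every character is an ASCII letter or digit, at least 6 of them."""
    return ALNUM_ONLY.fullmatch(pw) is not None

def letters_and_digits(pw):
    """Reading 2 (the service rep's): reading 1 plus at least one letter and one digit."""
    return (alnum_only(pw)
            and any(c.isdigit() for c in pw)
            and any(c.isalpha() for c in pw))

def categories(pw):
    """Which of David's four categories the password draws from."""
    found = set()
    for c in pw:
        if c in "0123456789":
            found.add("number")
        elif c in SPECIALS:
            found.add("special")
        elif "A" <= c <= "Z":
            found.add("upper")
        elif "a" <= c <= "z":
            found.add("lower")
    return found

def three_of_four(pw):
    """David's rule: at least eight characters from at least three categories."""
    return len(pw) >= 8 and len(categories(pw)) >= 3

def report(passwords):
    """Map each password to (reading 1, reading 2, three-of-four)."""
    return {pw: (alnum_only(pw), letters_and_digits(pw), three_of_four(pw))
            for pw in passwords}

# First three are the post's examples; the last two are constructed.
SAMPLES = ["asdfasdf", "12345678", "asdf1234", "Asdf1234", "Asdf!234"]

if __name__ == "__main__":
    for pw, row in report(SAMPLES).items():
        print(f"{pw:10} {row}")
```
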

  10. Behemoth:

    Is anyone surprised that a PhD in English qualifies you only to be a website designer? Consider me *shocked*.

  11. Josh:

    I hate it when people claim the instructions were "imprecise". They were not. They communicated, in a crystal-clear way, a message that the writer did not intend. The word "alphanumeric" has a very specific meaning and should not be blamed when a PhD misuses it.

  12. T J Sawyer:

    Well, of course you (and the people who commented above) are correct. Alphanumeric has a very precisely defined meaning in the computer world. Your PhD friend is simply in the process of adding a new definition to the dictionary.

    Consider what has happened to the word "organic." Seeing "Organic Chicken" in the grocery store has always made me laugh. Of course, all chicken is organic! Carbon based. Derived from living beings.

    But just try telling that to someone who believes in only eating organic food. And I'll be damned if they haven't managed to get it into the dictionary now!

  13. Allen:

    I'm wrapping up writing a general validation library at work right now; that's right, I do programming for a living. I don't have any fancy degrees but a cornerstone of the generic validation stuff is using terms like that. If I hadn't used them properly at least one or three of my peers would've called me out on it.

    It's too bad you weren't a bit more quick on your toes. When you were told the web designer had a PhD in English you had so many possible replies:

    a) Well then, please transfer me to their extension so I can tutor them on what alphanumeric really means.
    b) A PhD in English? Well that explains it. People need a Computer Science degree to do programming.
    c) Are you telling me that only one person worked on that entire web site? Are you that careless with everything else you do?

  14. Roy Lofquist:

    Dear Sirs,

    The online environment is psychotic. There isn't one "IT professional" in a thousand who has any idea why they do what they do. How often do you really need a password? Why do you need a password to access public information? Why do you need a password to continue on to an article on the LA Times website? Why should password metrics be enforced when the site has no need of security?

    You do need passwords when there are potential consequences for fraud. I use a password for my online banking. My bank enforces a minimum and maximum length but really doesn't care what's in there. That's up to me. The same pertains to my online payments. Brighthouse, Bell South, FPL, etc. all let me use my universal password (*******). It is very convenient and suitably secure for major corporations processing large volumes of financial transactions. Then some game website wants me to use "at least one numeric and at least one uppercase character". Sorry Charly, I won't be back. I don't like your attitude.

    Lest you believe that this is an uninformed rant I might mention that I started on vacuum tube computers, was intimately familiar with a number of national security systems including the launch protocols for ballistic missiles and was in the field for 45 years. In the beginning there was KISS - Keep It Simple Stupid. Turing's children are lost in the wilderness.


  15. jim:

    I think all of the above postings were politely avoiding the real issue with this posting. I'm sure this wise audience did recognize that the salient point of the posting is not the meaning of alpha-numeric. The issue is really Coyote's ongoing frustration with Call Centers. I doubt there is any solution, while there will be much sympathy and empathy from all of us friends (all of we friends??) of his. I do think I know the basis, however (of the Call Center ineffectiveness/neurosis). Like essentially all problems, according to the earlier post, is part of the new Unified Field Theory: the poor center employees, constantly being exposed to the pressures of living in such a hostile world, where all is rapidly heading to hell in a handbasket---on every imaginable front---are just coming apart. Another item for the UFT List: Call Center Operator Deterioration.

    By the way: my Dad taught me that one should always write to the audience's ears, not eyes. What the PhD should understand is not "what is a dictionary definition", but what will most people understand the phrase to mean? In other words, as JWH said: "Your password must be a minimum of 6 characters long and contain a mix of alpha and numeric characters", assuming this is what our PhD meant.

  16. Xmas:

    They should say, "Your password must be l33t"

  17. Jeff Ellis:

    Merriam's online dictionary says "consisting of both letters and numbers." Nevertheless, their web designer is being extremely pedantic. And just saying your password must be "alphanumeric" rather than saying your password "must include both numbers and letters" assumes that the general public will know this is what alphanumeric means -- which is clearly not the case (given your post and the comments). Thus the web designer has very poor human factors engineering skills. And what kind of a loser has a PhD in English but does web design? LOL.


  18. Jim Collins:

    Roy, you of all people should recognize that passwording sites containing public information, such as newspapers, is just a scam. The objective is to get you to give up personal information (name, address, e-mail address) so that they or whoever they sell this information to can subject you to advertising.

    PhD in English? Sounds like someone else found out that their Liberal Arts Degree was only good for lining their parakeet's cage and had to go and get a real job.

  19. morganovich:

    one quite likely possibility that seems to be being ignored here is that an exasperated and none too bright customer service rep got aggressive and lied about the web designer having a PhD in english.

    would hardly be the first time someone made incredible and exaggerated claims about the credibility of a source to avoid having a factual discussion of issues they didn't understand.

  20. Brian:

    You're right, technically. But alphanumeric is what is used to mean 'you gotta mix numbers and letters together'.

    But were I a CSR I would not get snotty about it.

    "went so far as to inform me their web designer has a PhD in English."

    Whoop-te-do! But a lot of people 'in IT' drift here with degrees seemingly unrelated to the task at hand. It's a career that rewards people who can study up on subjects quickly by reading a book and fiddling with stuff.

    "How often do you really need a password? Why do you need a password to access public information? Why do you need a password to continue on to an article on the LA Times website? Why should password metrics be enforced when the site has no need of security?"

    Because the auditors tell us we need to provide password and user accounts and enforce 'tough' passwords. That we are subject to fines and our CIO/CEO will go to jail if we don't follow the rules.

    It's not about security, it's about legality.

    KISS has been trumped by CYA. Welcome to the 21st century!

  21. Jim:

    I once had a guy with a PhD in English working for me as a sewerage treatment plant operator, so I know what I'm talking about!

    I often am amused when ordering on line from a site offering "free shipping within the continental US" to find, after ordering, that they won't ship to Alaska!

    Just in case anybody reading this writes such copy, the phrase: "free shipping within the contiguous 48 states" is clear and unambiguous.

  22. Max Lybbert:

    Programmers use "alphanumeric" the way you do. However, I once worked somewhere that believed in the PhD's definition. Honestly, if it causes confusion, they ought to re-word the phrase. Outside of programmers, not many people know the word.

    "Your password must be at least 6 characters long, and include both letters and numbers."

  23. Jay:

    At first read (and without reading the surprising number of preceding comments first), alphanumeric means exactly what you think it means. It does not include symbols. It does not specify a minimum or maximum of which subset within alphanumeric might be required under the specific password policy. It is nothing more than a shorter way of saying "can contain numbers, not just letters." That said, I guess I can see how someone could take it to mean "must contain numbers, not just letters" in that context. It's just a crappy way of trying to say so.

  24. TC:

    I'd suggest you disclose this "site" so we can all go there and submit "valid" passwords as per their instructions. Just because their "piled higher and deeper" English prof don't know tech English is not your problem. Maybe it would be the first time in history that a PhD can actually be taught something!

    Aw, just tell them you spent your 100K elsewhere, like, on a site that actually spoke English!