On November 1st 2016, we implemented one of several new security features intended to protect our users. One of them will require certain users to reset their passwords and we would like to explain how it works, what the message means and the implications.
The check we added, which causes an account to be temporarily inaccessible until its password is reset, looks for your email address in data from other sites that were hacked. We use a freely available service located at https://haveibeenpwned.com and check your login email against its database of compromised accounts. If the service reports that your email appears in a breach somewhere, we disable the account until you reset your password.
We want to make a few things clear:
1) We do not have access to your passwords on other sites!
The service does not return that information and it doesn't even have it.
2) Other people may have access to your passwords on other sites.
While the service does not have them, the leaked databases are usually freely available to download. If your email is listed, we recommend changing your password on every site where you used the same password.
3) We recommend using random passwords
Not directly related, but avoiding passwords you use on other sites, and ideally using random passwords, is the best way to make sure a compromise of another site does not affect you. At the bottom of this article we link to some recommended services and programs you can use.
How to understand haveibeenpwned
For anyone who is not technical, we want to make it a little easier to understand. After entering your email you will either get an all-green page showing you have not been part of a hack elsewhere (woohoo!), or a list of compromised sites whose data included your email. In that case you will see what was leaked and, if the password was leaked too, possibly how it was stored.
If your password was leaked, the listing may show the type of encryption or hashing used. This is what "secures" your password. Below are 4 of the popular types:
Plain text - The worst of the worst. Your password was not encrypted or hashed and can be read without any technical knowledge. No matter how strong your password was, this negates it.
MD5 - A hashing method which converts your password (ex: "password") into gibberish (ex: "7815696ecbf1c96e6894b779456d330e"). Unfortunately it is not secure at all. Any database leak allows people to brute force the hashed passwords at 25 billion attempts per second with a current-generation video card, and every additional video card adds another 4.5 billion attempts per second. If your password is less than 12 characters long or uses words, consider it broken.
SHA1 - Another hashing method which does the same as above. It is broken in the same way, and everything said about MD5 applies to it.
SHA256 or SHA512 - These are better than the previous ones, but can still be brute forced at around 3 billion and 1 billion attempts per second respectively.
BCrypt - One of the newest hashing methods in use and the one most recommended. The security of these hashes is flexible: the site owner can increase or decrease it by changing a single value. Even with a very low (insecure) setting, brute forcing is limited to 13,000 attempts per second, and standard security settings make it ~32x to ~100x slower than that. Usually you will be safe, but we still recommend changing your password.
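As an added example (not part of the original post), a short Python script that turns the rates quoted above into worst-case search times and shows why a leaked unsalted hash is enough to test guesses offline. It assumes the SHA1 rate equals the MD5 rate and that the 13,000/s bcrypt figure applies at cost 4, the lowest value most implementations accept; the doubling of work per cost step is how bcrypt is defined.

```python
import hashlib

# Attempts per second quoted in the article for one current-generation video
# card. SHA1 is given no separate figure; the article treats it like MD5, so
# the MD5 rate is assumed for it here.
RATES_PER_SECOND = {
    "md5": 25_000_000_000,
    "sha1": 25_000_000_000,
    "sha256": 3_000_000_000,
    "sha512": 1_000_000_000,
    "bcrypt (lowest cost)": 13_000,
}

def seconds_to_exhaust(length, alphabet_size, rate):
    """Worst-case time to try every password of this length over this alphabet."""
    return alphabet_size ** length / rate

def bcrypt_rate_at_cost(cost, low_cost=4, low_rate=13_000):
    """bcrypt work doubles with each +1 to its cost value, so the guess rate halves.
    low_cost=4 is the smallest cost most implementations accept; low_rate is the
    article's figure for an insecure setting and is assumed to apply at that cost."""
    return low_rate / 2 ** (cost - low_cost)

def hash_guess(algorithm, guess):
    """Unsalted hash of a candidate, exactly as stored in the leaked databases."""
    return hashlib.new(algorithm, guess.encode("utf-8")).hexdigest()

def is_dictionary_password(algorithm, leaked_hex, wordlist):
    """True if the leaked hash is the hash of a word in the list: the reason the
    article says a password made of words should be considered broken."""
    return any(hash_guess(algorithm, word) == leaked_hex for word in wordlist)

def crack_time_table(length, alphabet_size):
    """Days needed per algorithm to exhaust every password of the given shape."""
    return {name: seconds_to_exhaust(length, alphabet_size, rate) / 86_400
            for name, rate in RATES_PER_SECOND.items()}

if __name__ == "__main__":
    for shape in ((8, 26), (12, 26), (12, 95)):
        print(f"{shape[0]} chars, alphabet of {shape[1]}:")
        for name, days in crack_time_table(*shape).items():
            print(f"  {name:22s} {days:>20,.2f} days")
    print("bcrypt at cost 10:", bcrypt_rate_at_cost(10), "attempts/s")
```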
How we protect your account
As you may already have experienced with the first part, we require resets for every person listed on haveibeenpwned. We also take your account very seriously. Every password is hashed with BCrypt using a very slow (secure) setting. We never store or log your password unhashed, and none of our staff have access to it. We also raise the cost setting of that method as more processing power becomes available, so it becomes even more impractical for hackers.
When a password reset is requested, you are sent a link that is only active for 20 minutes and no longer works after that. Staff do not have access to see what your link is. Every time you request a password reset, a new link is generated and the old ones are disabled.
Access logs for your account will be made available, showing when and where your account was logged in from (IP and country).
For those who wish to, we offer whitelisting of IP addresses and countries, so if your password is ever compromised elsewhere (and you are using it here, which you should not be) you can make sure only authorized locations can access your account.
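Added example, not the site's own code: a minimal account model in Python implementing the policy described in the breach check earlier and in the reset links here: disable on any listed breach, reset links that stop working after 20 minutes, and older links invalidated whenever a new one is requested. The breach records are constructed sample data, and storing only a hash of the token is an assumed way of keeping staff from reading links.

```python
import hashlib
import secrets

RESET_LINK_LIFETIME = 20 * 60   # seconds; the 20 minutes from the article

# Constructed sample shaped like a breached-account lookup result for one
# email: one record per breach that contained it. Not a real lookup result.
SAMPLE_BREACHES = [
    {"Name": "ExampleForum", "DataClasses": ["Email addresses", "Passwords"]},
]

class Account:
    def __init__(self, email):
        self.email = email
        self.disabled = False
        # Only a hash of the reset token is stored, so nobody with database
        # access (staff included) can read a usable link. Storing the hash is
        # an assumption about how to meet the article's promise, not its code.
        self._reset_token_hash = None
        self._reset_expires = 0

    def check_breaches(self, breaches):
        """Disable the account until a reset if any breach listed this email."""
        if breaches:
            self.disabled = True
        return self.disabled

    def request_reset(self, now):
        """Issue a fresh link token valid for 20 minutes; earlier tokens die."""
        token = secrets.token_urlsafe(32)
        self._reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._reset_expires = now + RESET_LINK_LIFETIME
        return token

    def redeem_reset(self, token, now):
        """Accept only the current token, only within its lifetime, only once."""
        if self._reset_token_hash is None or now > self._reset_expires:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(presented, self._reset_token_hash):
            return False
        self._reset_token_hash = None    # single use
        self.disabled = False            # reset completed, account re-enabled
        return True
```

`now` is a Unix timestamp in seconds so the flow can be exercised with fixed times; in production pass `time.time()`.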
That is everything we offer for you to use and interact with. We have significantly more security precautions and systems that monitor for any suspicious activity on the site or servers.
Recommended password managers
We do not vouch for or support the services below. Please decide for yourself whether you want to use one. We will not offer help for any of them.
https://www.lastpass.com/ - Cloud based, sync between all your devices and computers.
https://1password.com/ - Cloud based, sync between all your devices and computers.
http://keepass.info/ - Download based
https://pwsafe.org/ - Download based