
Security update (Read 1161 times)

eric :)


    Hi all,

    A few months ago, I changed the way RA stores passwords, or password hashes to be exact. It is in response to the ever changing security landscape, where hackers would use the passwords obtained from one website against another.

     

    RA has always stored passwords as hashes. However, the hashing algorithm was not sufficiently strong, such that under certain circumstances the passwords could be reconstructed. There was also a 16-character password limit. The recent update switched to a stronger hashing algorithm so that no two hashes would be the same. The hash generation is made arbitrarily expensive so that a brute-force attack would take hundreds of years per password on current computing hardware. The 16-character length limit has also been eliminated, so if you use a password manager, it will accept the entire password instead of truncating it to the first 16 characters.

     

    Right now, RA is using both password hashes. If you have logged in using your password recently, then it has generated the new hash for you. If you haven't logged in using your password, please go to Options -> Account Info and re-enter your password. I'm planning to remove the old password algorithm in the near future, at which point you will have to reset your password when you try to log in. This is especially important for those of you who have lost access to your email account or, worse, use fake email addresses. I don't want to verify you really own the account to reset your email address.

     

    This one's for you, JimmyB. I exposed the ability to delete your account by yourself. I haven't added it until now because it is the lowest priority.

     

    eric :)
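As an added illustration (not RA's code; the post does not say which algorithms RA uses), here is a minimal version of the dual-hash migration described above. The legacy format is assumed to be an unsalted hash of the password truncated to 16 characters, PBKDF2-HMAC-SHA256 with a random salt and a tunable iteration count stands in for the new scheme, and a successful login against a legacy record rehashes it in the new format.

```python
import hashlib
import hmac
import os

# Assumption (not from the post): the legacy scheme is an unsalted MD5 of the
# password truncated to 16 characters, which reproduces the two weaknesses the
# post describes (equal passwords give equal hashes; chars past 16 are ignored).
LEGACY_LIMIT = 16


def legacy_hash(password: str) -> str:
    return "md5$" + hashlib.md5(password[:LEGACY_LIMIT].encode()).hexdigest()


# New scheme: per-user random salt plus a deliberately expensive derivation.
# The iteration count is the tunable cost factor the post refers to.
# Record layout: pbkdf2$<iterations>$<salt hex>$<hash hex>
def new_hash(password: str, iterations: int = 200_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Accept either record format while both hashes are in use."""
    if stored.startswith("md5$"):
        return hmac.compare_digest(stored, legacy_hash(password))
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(stored: str, password: str) -> tuple:
    """Verify the password; on success, upgrade a legacy record to the new
    format (the 'logged in recently' path). Returns (ok, record_to_store)."""
    if not verify(stored, password):
        return False, stored
    if stored.startswith("md5$"):
        return True, new_hash(password)
    return True, stored
```

Once every active account has logged in through `login`, the `md5$` branch can be dropped, which is the point at which the remaining users would need a password reset.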

    onemile


      I am no longer able to log out of my account. Across multiple computers.  I click Log Out and it takes me to the Home screen but I am still logged in.

       

      Thanks :)

      bdub


      Shoe Alarmist

        I am no longer able to log out of my account. Across multiple computers.  I click Log Out and it takes me to the Home screen but I am still logged in.

         

        Thanks :)

         

        Does the page flicker after logout? You may have saved the RA credential in your browser or password manager plugin, which will detect the login form, complete it for you, and submit before you have time to type anything.

        onemile


           

          Does the page flicker after logout? You may have saved the RA credential in your browser or password manager plugin, which will detect the login form, complete it for you, and submit before you have time to type anything.

           

          It does not. I tried deleting my cookies/passwords and then I am signed out but when I sign back in (without the remember me box checked) and then click on Log Out, it takes me back to the home page, leaving me signed in.  I don't have any password manager plugin installed and this just started happening in the last day or two.

             

            It does not. I tried deleting my cookies/passwords and then I am signed out but when I sign back in (without the remember me box checked) and then click on Log Out, it takes me back to the home page, leaving me signed in.  I don't have any password manager plugin installed and this just started happening in the last day or two.

             

            Same.

            eric :)


              Which browser are you using?

              onemile


                Which browser are you using?

                 

                Chrome

                 

                eta - just tried it in Microsoft Edge and IE and it's doing the same

                PDoe


                  Same thing here. Using Chrome but can't log out.

                  bdub


                  Shoe Alarmist

                    Logout was working for me in Chrome. I used developer tools to clear my session & cookies for RA. I was hoping to re-create it via some setting (saved password, multi-tab, etc.) that I could understand & communicate. Unfortunately, I've just managed to re-create it but not understand it and not un-create it.

                     

                    Google Chrome 58.0.3029.110 (Official Build) (64-bit)
                    Revision 691bdb490962d4e6ae7f25c6ab1fdd0faaf19cd0-refs/branch-heads/3029@{#830}
                    OS Mac OS X
                    JavaScript V8 5.8.283.38
                    LedLincoln


                    not bad for mile 25

                      Reset my password, and logging out works for me in Chrome on my Chromebook.

                        So once we log out and back in, we should be fine?  Would this be across all devices, or good as long as we get at least one?

                          Same as everyone else: not able to logout at this point... no matter how many attempts I make, it seems :)

                            FWIW, I was able to log out just fine.

                             

                            If I change my password to the same as it was before, is that sufficient to get the new hash?

                            Lou, (aka Mr. predawnrunner), MD, USA | Lou's Brews | lking@pobox.com

                            eric :)


                              Hi all,

                              I was able to reproduce the problem on RA but haven't been able to reproduce it on my development machine yet. As far as I know, the logout code hasn't changed in months. Since the problem only surfaced after the latest set of changes, I looked through the change list but did not see anything related to logout. I did see a potential problem in the login code, but it's been there for months so I doubt that's the problem. I'll continue to investigate.

                               

                              eric :)

                              eric :)


                                FWIW, I was able to log out just fine.

                                 

                                If I change my password to the same as it was before, is that sufficient to get the new hash?

                                 

                                As long as you enter a password, that'll generate the new hash.
