We have recently made two related changes regarding passwords for AcceptIO.com.

First, we have disabled the password change feature of SquirrelMail and enabled the password change feature of Roundcube webmail. See HowTo: Change your password using Roundcube. The reason for this change, besides the coming end of support for SquirrelMail (SquirrelMail's days are numbered here; EOL 31 Dec 2019), is that SquirrelMail's password change feature could not easily support our second change.

Second, we have strengthened the protection we use for storing passwords within the AcceptIO infrastructure. Read on if you are interested in details about that.

You have no doubt seen many news articles about user data breaches at various well-known sites. Breaches sometimes include exposure of user authentication information. We have never had such a breach at AcceptIO.com. Nonetheless, we are proactively taking steps to provide greater protection for password information should it ever be exposed in a future attack.

No competent web site actually stores your password. If a site ever says it can email you your forgotten password (and not merely reset it and give you a temporary one), you should be worried about its information security practices. Instead of storing passwords themselves, AcceptIO.com and other sites store "password hashes". A password hash is the result of applying a one-way cryptographic hash function to the characters in your password. It is not computationally feasible to start with the password hash and reverse the mathematics to obtain the password. When you log in, the password you type undergoes the same transformation, and the resulting hash is compared with the hash stored with your account information; the password itself is never written to disk.

How, then, do the bad guys obtain passwords via breaches? They have many well-known tricks for guessing passwords. For example, if your password were some variation of the word "password", perhaps with a number tacked on the end or the letter "o" replaced with the digit "0", they could guess it quite easily. For every guess they make, they apply the same transformation and check whether the result matches the stolen hash. With a fast, general-purpose hash function and modern GPU hardware, they can test billions of guesses per second, so a dictionary word with a few mangling rules falls in moments.
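The following is an added illustration, not code from AcceptIO's systems: a toy password store that keeps an unsalted SHA-256 hash (the "fast hash" situation described above), the hash-and-compare login check, and the attacker's side of it, generating the mangled variants of a dictionary word (capitalisation, "o" to "0", a trailing digit) and testing each one against the leaked hash. The wordlist and the victim's password are constructed for the example.

```python
import hashlib

# Constructed example: a "fast" password store that keeps only an unsalted,
# single-pass SHA-256 hash. This is the weak scheme the text is describing,
# NOT how AcceptIO stores passwords after the bcrypt change.

def fast_hash(password: str) -> str:
    """One-way transformation: SHA-256 of the UTF-8 bytes, hex encoded."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def check_login(password: str, stored_hash: str) -> bool:
    """Login check: hash the supplied password and compare with the stored hash."""
    return fast_hash(password) == stored_hash

def candidate_guesses(word: str):
    """Yield the mangled variants of a dictionary word an attacker would try:
    as-is, capitalised, with o -> 0, and each of those with a digit appended."""
    bases = {
        word,
        word.capitalize(),
        word.replace("o", "0"),
        word.capitalize().replace("o", "0"),
    }
    for base in sorted(bases):
        yield base
        for digit in range(10):
            yield f"{base}{digit}"

def crack(stored_hash: str, wordlist):
    """Offline guessing against a leaked hash: hash every candidate and compare.
    Returns (password, guesses_made) on success, (None, guesses_made) otherwise."""
    guesses = 0
    for word in wordlist:
        for guess in candidate_guesses(word):
            guesses += 1
            if fast_hash(guess) == stored_hash:
                return guess, guesses
    return None, guesses

if __name__ == "__main__":
    # Constructed victim record and a tiny constructed wordlist.
    leaked = fast_hash("Passw0rd7")
    found, tried = crack(leaked, ["letmein", "password"])
    print(f"recovered {found!r} after {tried} guesses")
```

Every guess costs one SHA-256 call, microseconds on a CPU and far less on a GPU, which is why a leaked table of such hashes is effectively a leaked table of passwords for anyone whose password is a mangled dictionary word.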

To slow the bad guys down, we have switched to a password hashing scheme that is intentionally designed to take a lot more computer time to produce each hash, with a cost setting we can raise as hardware gets faster. When you log in at AcceptIO, that "long time" adds only a few hundredths of a second to your login, and you pay it once. The bad guy pays it on every single guess, so a scheme that tolerates billions of guesses per second is reduced to a few hundred or thousand.

The password hashing scheme we now use is called "bcrypt". Besides being deliberately slow and tunable, bcrypt mixes a random per-password salt into every hash, so two users with the same password get different hashes and an attacker cannot reuse one precomputed table against everyone. There are plenty of articles describing it at different levels of technical detail; if you are interested, you can start with this short one: https://en.wikipedia.org/wiki/Bcrypt. Your password hash has already been converted to the bcrypt scheme on AcceptIO. No action is required on your part, though if you have a weak password or haven't changed it in a few years, we encourage you to do so via the link given above.
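As an added example (not AcceptIO's code), here is the "slow, salted, tunable cost" idea in runnable form. Real bcrypt needs a third-party module, so the slow hash below is PBKDF2-HMAC-SHA256 from the Python standard library, standing in for bcrypt with the same shape: a random salt, a cost parameter where each step doubles the work, and a self-describing stored record. The record format `pbkdf2-sha256$cost$salt$hash` is an assumption of this example, not a standard. The last function is the practical check an administrator wants after a migration like the one described: confirm that stored records really are bcrypt strings and read off their cost factor.

```python
import hashlib
import hmac
import os
import re
import time

def slow_hash(password: str, salt: bytes, cost: int) -> bytes:
    """Deliberately slow, salted hash: PBKDF2-HMAC-SHA256 with 2**cost rounds.
    Stand-in for bcrypt; 'cost' plays the role of bcrypt's work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               2 ** cost, dklen=32)

def store_password(password: str, cost: int = 14) -> str:
    """Create the record kept in the user database (assumed format of this
    example): scheme$cost$salt_hex$hash_hex. A fresh random salt per password."""
    salt = os.urandom(16)
    digest = slow_hash(password, salt, cost)
    return f"pbkdf2-sha256${cost}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Login check: re-derive with the stored salt and cost, compare in
    constant time so the comparison itself leaks nothing."""
    scheme, cost, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    digest = slow_hash(password, bytes.fromhex(salt_hex), int(cost))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))

def seconds_per_guess(cost: int, samples: int = 3) -> float:
    """Wall-clock cost of one hash at this work factor: what the legitimate
    user pays once per login and the attacker pays once per guess."""
    salt = b"\x00" * 16  # fixed salt: timing only, never for storage
    start = time.perf_counter()
    for i in range(samples):
        slow_hash(f"guess{i}", salt, cost)
    return (time.perf_counter() - start) / samples

# bcrypt records look like "$2b$12$<22-char salt><31-char hash>", all from the
# bcrypt base64 alphabet; the two digits after the second "$" are the cost.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

def bcrypt_cost(record: str):
    """Return the cost factor of a bcrypt record, or None if the record is not
    a well-formed bcrypt string (e.g. a legacy unsalted hex digest)."""
    m = BCRYPT_RE.match(record)
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    rec = store_password("correct horse", cost=12)
    print("login ok:", verify_password("correct horse", rec))
    print("wrong pw:", verify_password("correct hoarse", rec))
    for c in (6, 10, 14):
        print(f"cost {c}: {seconds_per_guess(c) * 1000:.2f} ms per guess")
    # Constructed bcrypt-shaped record (salt and hash characters are arbitrary).
    sample = "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
    print("bcrypt cost:", bcrypt_cost(sample))
```

Run it and compare the per-guess times: going from cost 6 to cost 14 multiplies the work by 256, which is invisible on a single login and crippling across a guessing run. The audit function is worth running over an exported user table after a migration; any record for which it returns `None` is still on the old scheme, and any cost below what your hardware comfortably allows (bcrypt deployments in 2020 commonly use 10 to 12) should be raised at the user's next login.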

© 2009-2020 AcceptIO. All Rights Reserved.