On Sun, 1 Apr 2023 12:00:00 UTC we will start to remove API tokens created before October 2021. This is due to a potential security vulnerability caused by the way these tokens were generated. Note that tokens created after October 2021 are secure and will not be affected.
How will this affect me?
If you are currently using an API token created before October 2021, it will no longer work after Sun, 1 Apr 2023 12:00:00 UTC.
Can I still log in?
Yes. Accounts with no token at all will automatically have a new secure token generated after login. It can be found on the API token page: https://dash.99stack.com/auth/manage-api-tokens.
What will happen if I try to use an old token after the deadline?
The API will respond with an authentication denied 403 error.
Can I get more time to migrate?
Maybe, please reach out to support to discuss the options.
What is the problem with the old tokens?
The original tokens were created as a hash of your email address, full name and 10 random characters. This could allow someone who knows your personal information to brute-force any old API tokens still on your account and thereby take control of it.
The odds of success are 1 in 100 000 000 if the attacker knows your personal information and uses one device against our most generous endpoint, which allows 50 authenticated calls per second, for one full year, 24x7.
How are the new keys more secure?
We've upgraded to bcrypt+sha256 over a 256-character string of fully randomized input data, with no personal information at all. Additionally, the UUIDs are more randomized as well.
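The following is an added example, not 99stack's own code, showing the two things the answers above describe: issuing a token that contains no personal data (256 characters drawn from the OS random source, stored as a slow hash over a SHA-256 pre-hash) and refusing tokens created before October 2021 once the 1 Apr 2023 removal time has passed, with a 403 result. The record layout, function names, sample dates and the use of hashlib.pbkdf2_hmac as a stand-in for bcrypt (so the example runs with only the standard library) are assumptions, not details from the page; a production service would call bcrypt.hashpw / bcrypt.checkpw from the bcrypt package instead.

```python
"""Added example, not 99stack's code: random API tokens with no personal data,
stored as slow_hash(sha256(token)), plus enforcement of the legacy cutoff."""
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timezone

# Dates stated in the advisory.
LEGACY_ISSUE_CUTOFF = datetime(2021, 10, 1, tzinfo=timezone.utc)   # "created before October 2021"
REMOVAL_TIME = datetime(2023, 4, 1, 12, 0, 0, tzinfo=timezone.utc)  # "Sun, 1 Apr 2023 12:00:00 UTC"

TOKEN_LENGTH = 256      # characters, as stated for the new scheme
KDF_ROUNDS = 50_000     # cost parameter for the bcrypt stand-in (assumption)
ALPHABET = string.ascii_letters + string.digits


def _slow_hash(token: str, salt: bytes) -> bytes:
    # The "sha256" half: reduce the long token to a fixed 32-byte digest.
    # bcrypt only consumes the first 72 bytes of its input, so a 256-character
    # token must be pre-hashed or most of it would be ignored.
    prehash = hashlib.sha256(token.encode("utf-8")).digest()
    # The "bcrypt" half, stood in for by PBKDF2-HMAC-SHA256 (assumption).
    return hashlib.pbkdf2_hmac("sha256", prehash, salt, KDF_ROUNDS)


def issue_token(created=None):
    """Create a token and its stored record; returns (plaintext, record).

    The plaintext is shown to the user once and never stored. Nothing about
    the account (email, name) goes into it: every character comes from the
    OS CSPRNG via the secrets module, so knowing the owner gives no head start.
    """
    token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LENGTH))
    salt = secrets.token_bytes(16)
    record = {
        "created": created or datetime.now(timezone.utc),
        "salt": salt,
        "hash": _slow_hash(token, salt),
    }
    return token, record


def is_legacy(record) -> bool:
    """A token created before October 2021 falls under the removal."""
    return record["created"] < LEGACY_ISSUE_CUTOFF


def verify_token(record, presented: str, now=None) -> str:
    """Return "ok", "legacy_removed" or "denied".

    Legacy tokens are refused once the removal time has passed, before the
    hash is even checked; everything else is a constant-time hash comparison.
    """
    now = now or datetime.now(timezone.utc)
    if is_legacy(record) and now >= REMOVAL_TIME:
        return "legacy_removed"
    candidate = _slow_hash(presented, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):
        return "ok"
    return "denied"


def http_status(result: str) -> int:
    """Map a verification result to the status the advisory describes (403)."""
    return 200 if result == "ok" else 403


if __name__ == "__main__":
    plaintext, rec = issue_token()
    print(plaintext[:16] + "...", verify_token(rec, plaintext))
    # Constructed legacy record: created January 2021, checked at the removal time.
    old_plain, old_rec = issue_token(created=datetime(2021, 1, 1, tzinfo=timezone.utc))
    result = verify_token(old_rec, old_plain, now=REMOVAL_TIME)
    print(result, http_status(result))
```

The cutoff is applied before any hash work, so a removed token costs the service nothing beyond a date comparison, and the same 403 is returned whether the old token's value is correct or not.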