Today there's a new endpoint available in 99Stack API:
/v1/account/password which lets you change your password. The method accepts POST data in this format:
"new": "your new password which preferably should be a set of random words like this hard to guess sentence"
Authentication system has been rebuilt with backwards compatibility. We've dropped support for old accounts authenticated with SHA512 only, if you still use a SHA512 password, use
/v1/account/reset to regain access to your account. BCRYPT passwords will still work for a few more months but it's strongly advised to update your password, especially if you use a short password.
What's used today
Today we combine multiple algorithms like this: SHA256+BCRYPT('unique_salt' + 'password'), this allows very long passwords but a limit of 4096 characters has been added for convenience. This isn't necessary a secure setup by definition, but if you use a very long password or passphrase, a hacker would have a really hard time brute force guessing your password.
Why a passphrase
Generally speaking, there are two common methods of securely storing passwords in a database. One is hashing and the other is encryption. More info below.
- Pros: Encryption would provide a decent security, if say the database server where hacked and all passwords leaked. The hacker would then have to obtain the decryption key.
- Cons: to allow logins we would have to store the encryption key on our API servers, these servers can be hacked.
- Pros: Fast validation, even for long passwords, no keys that must be stored and can be leaked, a minor change in input leads to major changes in output, easy to change algorithm to something that requires more computation power to find via brute force guessing.
- Cons: Can easily be brute forced if your password is short and the hacker has access to a decent amount of computation resources and our entire database. We'll protect our database but you shouldn't rely solely on us to protect your account.
Why should I care
As we use a combination of both CPU and memory hungry hash algorithms, your account security depends solely on the length of your password or passphrase. Note that if you choose a very easy to guess sentence someone who knows you might be able to guess it. Choose wisely...
For many years we've been wrongfully taught that a secure password would look something like this:
h@xO0r}=, but that's only 8 characters where each character can be 50-100 different types. This can be hard for a human to guess but very easy for a computer.
Using a password like:
h@xO0r}= and SHA256 as your only hash algorithm means at worst 3.9*10¹³ possible combinations, which means it'll take a hacker a few seconds to brute force your password using an old Bitcoin ASIC miner worth $1000. With BCRYPT the brute force becomes a little bit harder as it relies on memory. However, that would only extend the time from a few seconds to a few hours.
Let's say you where using a 12 word sentence instead of a password. In our example we're using a word list with 3000 words which is then used to generate a random 12 word sentence. That means 3000¹² possible combinations a hacker would have to brute force: (5,31441×10⁴¹) Taking the weak SHA256 algorithm as well a hacker would be able to test 10¹² combinations of words each second using an old Bitcoin ASIC miner, that means 5,31441×10²⁹ seconds, or 6,1509375×10²⁴ days, or 1,685188356×10²² years before finding your password.
Update your password and consider using a passphrase as soon as possible to protect your account.