Today there's a new endpoint available in the 99Stack API: /v1/account/password,
which lets you change your password. It accepts a POST body in this format:
{
  "email": "your_email@example.com",
  "password": {
    "old": "your_old_password",
    "new": "your new password which preferably should be a set of random words like this hard to guess sentence"
  }
}
The authentication system has been rebuilt with backwards compatibility. We've dropped support for old accounts authenticated with SHA512 only; if you still have a SHA512-only password, use /v1/account/reset
to regain access to your account. BCRYPT passwords will keep working for a few more months, but you are strongly advised to update your password, especially if it is short.
What's used today
Today we combine two algorithms, written as SHA256+BCRYPT('unique_salt' + 'password'): the salted password is first hashed with SHA256 and that digest is then passed to BCRYPT. The SHA256 pre-hash is what allows very long passwords (BCRYPT on its own only looks at the first 72 bytes of its input); a limit of 4096 characters has been added for convenience. This construction isn't secure by definition, but if you use a very long password or passphrase, an attacker would have a really hard time guessing it by brute force.
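The construction above, as an added example that is not 99Stack's own code. Two details matter when a SHA256 pre-hash is fed into BCRYPT: the raw 32-byte digest often contains a 0x00 byte, and BCRYPT implementations treat their input as a NUL-terminated string, so the digest must be encoded (base64 here) before the slow stage. The slow stage below is hashlib.scrypt from the Python standard library, standing in for BCRYPT so the example runs without extra packages; a real deployment would call the bcrypt package at this point with the same base64 pre-hash. The site salt, record format and parameters are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os

MAX_PASSWORD_CHARS = 4096          # the cap stated on the page
SCHEME = "sha256+scrypt"           # assumed record label; bcrypt in production


def prehash(password: str, site_salt: bytes) -> bytes:
    """SHA256 over site_salt || password, base64-encoded.

    The encoding yields a fixed 44-byte, NUL-free string, so a
    NUL-terminated, 72-byte-limited slow hash such as bcrypt sees the
    whole digest. Feeding the raw digest would silently truncate at
    the first 0x00 byte."""
    if len(password) > MAX_PASSWORD_CHARS:
        raise ValueError("password exceeds %d characters" % MAX_PASSWORD_CHARS)
    digest = hashlib.sha256(site_salt + password.encode("utf-8")).digest()
    return base64.b64encode(digest)


def slow_hash(prehashed: bytes, per_user_salt: bytes) -> bytes:
    # Memory-hard stand-in for BCRYPT (assumed parameters: 16 MiB, p=1).
    return hashlib.scrypt(prehashed, salt=per_user_salt, n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, site_salt: bytes) -> str:
    """Produce a storable record: scheme$per_user_salt_hex$hash_hex."""
    per_user_salt = os.urandom(16)
    h = slow_hash(prehash(password, site_salt), per_user_salt)
    return "$".join([SCHEME, per_user_salt.hex(), h.hex()])


def verify_password(record: str, password: str, site_salt: bytes) -> bool:
    """Constant-time comparison; malformed records and over-long
    candidates fail closed instead of raising into the login handler."""
    try:
        scheme, salt_hex, hash_hex = record.split("$")
        if scheme != SCHEME:
            return False
        expected = bytes.fromhex(hash_hex)
        candidate = slow_hash(prehash(password, site_salt), bytes.fromhex(salt_hex))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def digests_with_nul(count: int) -> int:
    """Count how many of `count` deterministic SHA256 digests contain a
    0x00 byte. With 32 bytes per digest roughly 12% do, which is why the
    digest must be encoded before a NUL-terminated slow hash."""
    return sum(
        b"\x00" in hashlib.sha256(("user%d" % i).encode()).digest()
        for i in range(count)
    )


if __name__ == "__main__":
    site_salt = b"unique_salt"                          # constructed
    rec = hash_password("correct horse battery staple", site_salt)
    print(rec)
    print(verify_password(rec, "correct horse battery staple", site_salt))
    print("digests containing NUL out of 2000:", digests_with_nul(2000))
```

A per-user random salt is stored in the record as well, since a single site-wide 'unique_salt' only defeats cross-site rainbow tables, not a per-site precomputation.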
Why a passphrase
Generally speaking, there are two common methods of storing passwords in a database: hashing and encryption. More on each below.
Encryption
- Pros: Encryption would provide decent security if, say, the database server were hacked and all passwords leaked. The hacker would then also have to obtain the decryption key.
- Cons: To allow logins we would have to keep the encryption key on our API servers, and those servers can be hacked too.
Hashing
- Pros: Fast validation, even for long passwords; no keys that must be stored and could leak; a minor change in input leads to a major change in output; and it is easy to switch to an algorithm that costs more computation per guess.
- Cons: Can easily be brute forced if your password is short and the hacker has a decent amount of computing resources and a copy of our entire database. We'll protect our database, but you shouldn't rely solely on us to protect your account.
Why should I care
As we use a combination of CPU- and memory-hungry hash algorithms, the security of your account depends almost entirely on how hard your password or passphrase is to guess: its length and, just as importantly, its randomness. If you choose an easy-to-guess sentence, someone who knows you might guess it, and a cracking tool loaded with common phrases may well do so. Choose wisely...
For many years we've been wrongly taught that a secure password looks something like this: h@xO0r}=
That's only 8 characters, each drawn from 50-100 possible symbols. It is hard for a human to guess but very easy for a computer.
The math
Using a password like h@xO0r}= with SHA256 as the only hash algorithm means at worst 50⁸ ≈ 3.9×10¹³ possible combinations, about 45 bits of entropy. Hardware that computes SHA256 at around 10¹³ hashes per second, the rate of an old $1000 Bitcoin ASIC miner, would exhaust that in a few seconds. (A Bitcoin ASIC is hard-wired for the block-header format and can't be pointed at arbitrary inputs, but a rack of GPUs reaches a comparable rate, so treat the number as the order of magnitude.) With BCRYPT the brute force becomes harder: each guess costs a tunable amount of CPU time and needs 4 KB of state, which parallelizes badly on GPUs and ASICs. That stretches the attack by orders of magnitude, but an 8-character password still remains within reach of a patient attacker.
The passphrase
Let's say you were using a 12-word sentence instead of a password. In our example we're using a word list of 3000 words from which a random 12-word sentence is generated. That means 3000¹² possible combinations a hacker would have to brute force: 5.31441×10⁴¹, or about 139 bits of entropy. Even with the weak SHA256 algorithm alone, and assuming the hacker has the word list and can test 10¹² word combinations per second with an old Bitcoin ASIC miner, exhausting the space takes 5.31441×10²⁹ seconds, or 6.1509375×10²⁴ days, or 1.685188356×10²² years. On average the password is found halfway through, which changes nothing in practice.
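The calculation above, carried through for any alphabet size, length and guessing rate, together with a generator that picks words uniformly with a CSPRNG, as an added example that is not part of the original post. The short word list is constructed for illustration; a real list would hold thousands of words, as the page's 3000-word example assumes. It generalizes the page's two cases (8 characters from 50 symbols, 12 words from 3000) to a reusable strength estimate.

```python
import math
import secrets

# Constructed sample word list (18 entries); only for demonstrating the
# generator. Real lists (e.g. diceware-style) have thousands of words.
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dragon", "engine", "forest",
    "garden", "harbor", "island", "jacket", "kettle", "lantern",
    "meadow", "needle", "orange", "pepper", "quartz", "ribbon",
]

SECONDS_PER_DAY = 86400
DAYS_PER_YEAR = 365


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an attacker must cover in the worst case."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits, assuming each position is chosen uniformly."""
    return length * math.log2(alphabet_size)


def worst_case_time(alphabet_size: int, length: int, guesses_per_second: float):
    """Return (seconds, days, years) to exhaust the keyspace at a given rate.
    The average case is half of this."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    days = seconds / SECONDS_PER_DAY
    return seconds, days, days / DAYS_PER_YEAR


def generate_passphrase(words, n_words: int = 12) -> str:
    """Pick n_words uniformly at random using the secrets module (CSPRNG).
    A duplicate word in the list would bias the choice, so reject it."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    # The page's two cases: 8 chars from 50 symbols vs 12 words from 3000.
    for label, alphabet, length in (("h@xO0r}=", 50, 8), ("12 words", 3000, 12)):
        _, _, years = worst_case_time(alphabet, length, 10 ** 12)
        print("%-9s %6.1f bits, %.3e years at 10^12 guesses/s"
              % (label, entropy_bits(alphabet, length), years))
    print(generate_passphrase(SAMPLE_WORDS))
```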
Conclusion
Update your password and consider using a passphrase as soon as possible to protect your account.