Apr. 25th, 2020

[staff profile] mark

Hi all,

I've got a few updates from the recent post on security changes. First, thanks everybody for the thoughts! Loved it. :)

So the main changes:

  • After consultation with some actual experts in the security space, I've added a pepper phase to the authentication storage. The TL;DR here is that we will be symmetrically encrypting the hashes before we store them in the database.

    The reason to do this is that it means a database breach (if one were to occur) would not provide the attacker with any useful data. In order to even get the hashes to start attacking them, the attacker would have to mount a second successful attack in order to exfiltrate the encryption key (which is not stored in the database at all).

    While in practice the bcrypt hashes alone are probably all anybody really needs, it's very low cost for us to add this additional measure to the system. For the technically curious, we are using AES-256 encryption on our web servers, and we have the ability to rotate keys over time should we choose to do so.

  • Secondly, we have implemented pinterface and momijizukamorki's idea to use API keys as 'app passwords' to enable clients to continue to authenticate against Dreamwidth. This means Semagic and other clients can continue to work, but you will need to reconfigure them. See below!

Those are the main changes. Otherwise, tomorrow's code push will deploy the underpinnings of our new authentication storage and bring us into the modern age. At least when it comes to authentication storage. :)

Supporting Semagic (AFTER password changes are deployed)

Ok, so to use Semagic (and other clients), you will need to:

  1. Navigate to the Mobile Post Settings page.
  2. Click the Generate New API Key button in the Manage API Keys section.
  3. Copy the API key that was generated.
  4. Change your Semagic password to the API key you copied.
  5. That's it, have fun!

If you have any trouble with this, please let us know.

dw_dev: Dreamwidth Open Source Development