Mark Smith (mark, staff) wrote in dw_dev, 2020-04-25 01:50 pm

Updates on the security changes (how to keep your client working!)

Hi all,

I've got a few updates from the recent post on security changes. First, thanks everybody for the thoughts! Loved it. :)

So the main changes:

  • After consultation with some actual experts in the security space, I've added a pepper phase to the authentication storage. The TL;DR here is that we will be symmetrically encrypting the password hashes before we store them in the database.

    The reason to do this is that a database breach (if one were to occur) would not, on its own, hand the attacker anything to crack. Before they could even begin attacking the hashes, they would have to mount a second successful attack to exfiltrate the encryption key, which is not stored in the database at all.

    While in practice the bcrypt hashes are probably all anybody really needs, it's very low cost for us to add this additional measure to the system. For the technically curious, we are using AES-256 encryption on our web servers, and because the encryption is applied to the finished hash rather than to the password itself, we have the ability to rotate keys over time by re-encrypting the stored hashes, without needing anyone to log in again, should we choose to do so.

  • Secondly, we have implemented pinterface and momijizukamorki's idea to use API keys as 'app passwords' to enable clients to continue to authenticate against Dreamwidth. This means Semagic and other clients can continue to work, but you will need to reconfigure them. See below!

Those are the main changes. Otherwise, tomorrow's code push will deploy the underpinnings of our new authentication storage and bring us into the modern age. At least when it comes to authentication storage. :)

Supporting Semagic (AFTER password changes are deployed)

Ok, so to use Semagic (and other clients), you will need to:

  1. Navigate to the Mobile Post Settings page.
  2. Click the Generate New API Key button in the Manage API Keys section.
  3. Copy the API key that was generated.
  4. Change your Semagic password to the API key you copied.
  5. That's it, have fun!

If you have any trouble with this, please let us know.

runpunkrun, 2020-04-25 09:07 pm (UTC)
Thank you so much for doing this for us! I'm excited to try it out tomorrow.
falena, 2020-04-25 10:14 pm (UTC)
I don't use Semagic but I'm thrilled to see you found a way to make it work for the people who do. This is the reason why I am so happy to be one of your paying customers and why I treasure this website so much. Thank you.
erika, 2020-04-26 01:53 am (UTC)
Thank you so much! I can barely write in anything but Semagic anymore, hilariously, so I'm really, really grateful for this.
gatheringrivers, 2020-04-26 03:20 pm (UTC)
Yay for better security!
silvan_lady, 2020-04-26 08:44 pm (UTC)
Thank you for finding a workaround as I use Semagic all the time for several accounts. I really appreciate that you've thought of that and already posted a fix!

However, after pasting the API key into Semagic and signing in via Semagic, I get a warning telling me that my password isn't secure and that I should change it.

Am I correct to assume I just have to ignore that and click past it each time?

Also on the topic of Semagic, I have one journal where Semagic will pull out previous entries with no problem and another where I always get the response "Server Reply is broken and cannot be processed". If I click on Show Server Reply, a window of code opens. If anyone knows how to fix that, I'd be even more delighted!
matrixmann, 2020-04-27 11:39 am (UTC)
Hm... Went through the big article on security changes and I think this might explain why Ljarchive as of today only returns the response "Sync error - invalid password" when using it for Dreamwidth (which previously worked fine).

If anyone should have an idea how to make this useable again, please make it public. (I don't know how many are out there which still use that program.)
Edited 2020-04-27 11:40 (UTC)
11221975, 2020-04-27 12:52 pm (UTC)
Thank you for this. However, for LJ Account Juggler, it still doesn't work. You have to log each account in, and there's nothing to add the API key to. How do I get that to work now? Would I have to change the PW for every single one of my DW accounts to the API Key to make it work?
Edited 2020-04-27 12:54 (UTC)
lovingboth, 2020-04-27 01:48 pm (UTC)
The change did break Drivel's login.

Getting an API key and using it as the password unbroke it :)

Thank you!
Semagic

0mkara, 2020-04-27 06:48 pm (UTC)
I get the part about generating a new API Key and using it as a Semagic pw, but I have not been able to make Semagic work at DW for a very long time. Are there instructions for checking the other correct Semagic boxes as well as putting in the correct URL and security port number?
anysia, 2020-05-19 12:30 am (UTC)
Thanks for the info. I really didn't want to use OpenLiveWriter for my weblog. It works, but I prefer Semagic interface.
katekintail, 2020-08-06 08:17 pm (UTC)
Thank you! I thought I was going crazy not being able to get Semagic to work, but now I know why it kept telling me my password was invalid. Thank you so much for this fix!
anysia, 2020-08-07 02:54 am (UTC)
Chiming in a bit late here again, but I booted into my Windows 7 boot drive and launched Semagic. I changed the password to the generated API key I had made for Semagic on my Windows 10 boot drive. It was wrong. How long is a temporary IP ban with Semagic? *sigh*
vesper_evensong, 2022-04-19 10:23 pm (UTC)
How long do I need to wait when Semagic says I tried to login too many times?
adelate, 2023-08-06 08:33 pm (UTC)
I'm here over a year later, but... is Semagic still meant to work? I used it years and years ago and still have it installed, but even after doing this API Key step I keep getting a server error (400) when I try to log in. Is there a place where I could check if my settings are correct?