Sunday, February 20, 2011
We've been busy rolling out some new updates, including some security enhancements: no passwords are stored on our site or emailed to users. We are using a neat hashing system with a per-user salt and deliberately introduced collisions, which makes recovering a password from its hash highly unlikely (you must now follow an email link to reset your password). With recent media reports of other major websites having their databases hacked and leaked publicly, and a good chance that many of our users re-use passwords for PayPal or email accounts, we decided to make reversing our hashes as difficult as possible. That is why we store only partial hashes, which makes a brute-force password-guessing attack less successful. Combined with incremental timeouts for incorrect passwords and 128-bit SSL encryption of logins, we think our secure account system is the standard all sites should strive to meet.
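As an added illustration (not the site's own code, which the post does not show), here is how a per-user salt combined with a truncated stored hash behaves, including the trade-off that the login check must then accept every colliding password. The algorithm (PBKDF2-HMAC-SHA256), salt length, iteration count and truncation lengths are assumptions.

```python
import hashlib
import hmac
import os

# Assumed construction, not the post's own (the post names no algorithm):
# PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt, of which only the
# first `keep_bytes` of the derived key are stored.  Keeping fewer bytes
# means more distinct passwords share one stored value ("collisions").
ITERATIONS = 1_000     # reduced so the demo runs quickly; use far more in production
SALT_BYTES = 16

def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def create_record(password: str, keep_bytes: int) -> dict:
    """Store the salt plus a truncated hash; the full digest is never written."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "keep": keep_bytes,
            "partial": derive(password, salt)[:keep_bytes]}

def verify(password: str, record: dict) -> bool:
    """Constant-time comparison of the truncated digests."""
    candidate = derive(password, record["salt"])[:record["keep"]]
    return hmac.compare_digest(candidate, record["partial"])

def accepted_passwords(candidates, record: dict) -> list:
    """Every candidate the verifier would accept for this record.  With a
    short partial hash this is more than just the real password: someone
    holding the leaked record cannot tell which match is genuine, but the
    online login accepts any of them, so the incorrect-password timeouts
    are what actually limit guessing against the live site."""
    return [p for p in candidates if verify(p, record)]

if __name__ == "__main__":
    guesses = ["guess-%d" % i for i in range(4096)] + ["correct horse"]  # constructed wordlist
    full = create_record("correct horse", 32)     # full 32-byte digest kept
    partial = create_record("correct horse", 1)   # only 1 byte kept: many collisions
    print("full digest accepts   :", accepted_passwords(guesses, full))
    print("1-byte partial accepts:", accepted_passwords(guesses, partial))
```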