Back about 4 years ago I spent the entire weekend updating 200 plus sites with a unique password ( MyFitnessPal being one of them ). I have not one single duplicated password.
Your amazing product keeps my data safe every single day.
Sure enough, there was a 40 character, numbers + symbols password. Headed to my 1password vault and checked the password. I received an email from MyFitnessPal today and of course the news-breaking headlines. I know you get hundreds of emails but I can’t help but send this email. Thank you for the inspiration, Benjamin! ❤ A great deal of this post was inspired by an incredible letter I received from Benjamin Fox about how unique passwords helped him quickly recover from the MyFitnessPal breach. MyFitnessPal made some excellent design choices and quickly organized an effective response to a bad situation.įor those looking to learn more about the MyFitnessPal breach, Troy Hunt started his Weekly Update 80 with a full discussion on the subject that I found very intriguing, especially the strategy on how to migrate from a SHA-1 hash to using bcrypt. The easiest way to protect data is to not have it in the first place! We follow a similar mentality in 1Password and it’s refreshing to see other companies taking security and privacy seriously. Payment card data was not affected because it is collected and processed separately. The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. The other smart thing MyFitnessPal does that should be commended is collecting and storing the minimum amount of data. We use this in 1Password and are quite smitten with it. It’s possible to go even further than bcrypt and avoid sending passwords to the server by using Secure Remote Password. Our Chief Defender Against The Dark arts wrote at length about bcrypt and how it can be used to protect user passwords. Instead they stored a hash of the password, most of which were created using bcrypt. MyFitnessPal was much smarter than that as they never stored the actual password.
The fact that Have I Been Pwned? now has over a half a billion plain text passwords in their database shows how prevalent this horrible bad practice is. Many sites choose to store the plain text password, which is bad. Or more to the point, how they didn’t store passwords. Strong unique passwords FTW! 🙂 Secure Handling of PasswordsĮqually commendable was how MyFitnessPal stored passwords in their systems. And since I only used this password on I didn’t need to update any other websites. I wasn’t overly attached to qdd84b7UayEwM9J6dZV anyway so I didn’t mind changing it.
0 kommentar(er)
