Maintaining the security of our customers’ data has naturally been one of our top priorities over the years, and we are constantly striving to improve. Here we’d like to share what we’ve done for your security and some of our plans for the future.
Any good sysadmin knows it’s a bad idea to store plain-text passwords. If a database containing plain-text passwords is compromised, user accounts are in immediate danger. To reduce this danger, only password hashes are stored in a database. Unfortunately, while this prevents the direct reading of passwords in case of a compromise, the nature of hashing mechanisms allows attackers to brute force the hash offline.
Multiple layers of protection for passwords
Over the years, we’ve quietly upgraded our password hashing approach to stay current with industry standards. Our password storage scheme relies on a number of different cryptographic functions and protocols in layers, including bcrypt with a per-user salt, and an HMAC implementation.
The value of bcrypt is that it is designed to be slow and hard to speed up via custom hardware and GPUs. An HMAC strengthens a plain hash function by adding a cryptographic key, and is substantially less affected by collisions than its underlying hash algorithm alone.
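To make the layering concrete, here is an added example (not Openprovider’s code; the post does not say exactly how its layers are combined) of a keyed pre-hash followed by a slow, salted key-derivation function. Because bcrypt is not in the Python standard library, scrypt from `hashlib` stands in for it; the `PEPPER` value, the scrypt parameters and the `scrypt$salt$digest` storage format are assumptions made for this example. The pepper is the HMAC key: it lives outside the user database, so a dump of the table alone does not let an attacker run an offline guessing attack against the stored digests.

```python
import hashlib
import hmac
import os
from typing import Optional

# Server-side HMAC key ("pepper"), kept in a secret store or environment variable,
# never in the users table. Constructed placeholder for this example only.
PEPPER = b"example-pepper-replace-with-32-random-bytes"

# Cost parameters for the slow layer (scrypt stands in for bcrypt here):
# n=2**14, r=8 needs roughly 16 MiB of memory per guess, which is what makes
# GPU/ASIC brute forcing expensive. Tune upward as hardware allows.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def _keyed_prehash(password: str, pepper: bytes) -> bytes:
    """Layer 1: HMAC-SHA256 keyed with the pepper. Without the key an attacker
    cannot even compute candidate inputs for the slow layer."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  pepper: bytes = PEPPER) -> str:
    """Layer 2: slow, memory-hard KDF over the keyed pre-hash with a per-user salt.
    Returns 'scrypt$<salt hex>$<digest hex>' for storage in the user record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(_keyed_prehash(password, pepper), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute both layers from the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never treat as a match
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(_keyed_prehash(password, pepper), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    # Same password, different salt: the stored value differs every time.
    print("same again:", hash_password("correct horse battery staple") != record)
```

Two points worth checking in any implementation of this pattern: the comparison must use `hmac.compare_digest` (a plain `==` on digests leaks timing), and the pepper must be rotatable, which is why it is a parameter here rather than baked into the stored string.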
However, having a robust cryptographic protocol for password storage is only part of the solution for protecting your information. A large responsibility for protecting your data lies with you. Best practices for you to use on Openprovider are having a strong password and using two-factor authentication. To make sure our customers have strong passwords, we will introduce reminders to change your passwords every 90 days, and we’d love to hear your thoughts on this matter. At any other time you can change your password in your RCP account by going to Accounts>Security>Password, where you can choose a strong password.
Secondly, we highly recommend that two-factor authentication be used for all your accounts. Most people only have one layer – their password – to protect their account. With two-factor authentication, if a bad guy hacks through your password layer, he’ll still need your phone to get into your account. In order to activate two-factor authentication for an account, one needs to
- Login to the RCP and open Accounts>Security>Two Factor Authentication.
- Install the Google Authenticator app on your smartphone (documentation)
- Choose “Add account” and scan the QR-code (if you cannot scan the code, choose “Manual entry” and enter the “Secret key” as shown below the QR code.)
- Enter the verification code that you’ll see on your smartphone into the box “Verification code” and press “Enable”.
After that signing in to your account will work a little differently: