04.02.2018
The service has introduced a new way to store and manage user passwords. Now all passwords are stored as hashes without the possibility of their recovery and theft. Previously, the system used only one common password for the personal account and for the API, which is why in case of changing the password from the personal account, it was necessary to change the passwords in all programs that work automatically through the API of the service, which created certain inconveniences.
In order to avoid changing passwords in programs, the password reminder function worked in the mode of providing the original password at the request of users, which required reversible password storage in the database. Although the passwords in the database were encrypted, their decryption was still possible in case of a potential leak of the database and the encryption algorithm, which reduced the overall security of the service.
Therefore, the task of changing the work with passwords and storing them more securely has been relevant for a long time and now it has finally been completed. Now the user database stores not the passwords themselves, but their hashes (checksums), which do not allow obtaining the original password, but only serve to verify passwords during authentication.
Due to these changes, now in case of loss of the password from the personal account, there is no way to inform the user, but only the opportunity to set a new password via a special link sent to e-mail or phone from the account settings. Passwords for API and SMPP can now be stored separately in the
Additional passwords section, where you can also create additional passwords from your personal account.
The main account password specified during registration is shared and allows access to both the personal account and the API, as it was before, and additional passwords allow only the access specified in their type.
For compatibility with old client programs, passwords were automatically created in the new section of additional passwords in the form of an MD5 hash of the main password, which was previously recommended for use in the API, as well as a password for the SMPP protocol, if the client has it in the settings.
The MD5 hash is currently outdated and is no longer reliable, it can be used to find the original password by brute force in the time available to modern computers, so we recommend that you no longer use it, but create a different password in the new section to access the API. You can enter any set of characters, intercepting this password will not give potential attackers access to your personal account.
We now do not recommend using the password from your personal account in automatic programs using the API, although this option remains. If the main password is changed after registration, the system will automatically save the hash of the old password for use in the API, in case it was already registered in a program, and the user did not create a separate password for the API earlier. If the old password is not used anywhere, delete it from the list.
All these changes in the password processing service do not require mandatory actions on the part of customers, all programs and access to personal accounts continue to work, but the listed changes and recommendations will increase protection against unauthorized access. We recommend that you check the new section with passwords in your personal account and, if necessary, delete unused passwords or create new ones.all news