The following updates to Synergy Cloud will be made at 8:30pm Pacific this evening (29-Oct-2015).
Enhanced API Key Encryption:
This update vastly improves password and API security. According to security best practices, passwords are not stored on our servers (and never were). Instead, only the cryptographic fingerprint ("hash") of a password is stored. When a user logs in, the hash of the attempted password is calculated and then compared to what is stored on our server. To discover the password, an attacker can try hashing many different passwords to find those that match the hashes stored on our servers.
To thwart this type of brute-force search, we do not use a simple one-step hash. Instead, our new system stores a hash of the password computed over a large number of cycles of a very computationally expensive hash, made more secure with a large 256-bit random salt. To get a sense of how long a 256-bit salt is, an example would be bb5d3f9c0e396c3f8884f24ec43a16a31e6139e4e10d44512c261fc305df427f.
These security measures mean that an attacker must have a prohibitive amount of computing resources to "crack" any passwords that may be exposed if our database server, hosted by a third party, is compromised.
We use similar technology to protect API keys. We do not store the actual API key on our servers. Instead, we store an encrypted version, using AES encryption, which is one of the strongest encryption algorithms available. We also do not store the decryption keys for the encrypted API keys anywhere. When a user logs in, the decryption key is generated dynamically from the user's password, using a key derivation method similar to the method we use to create the password hashes for login. Are the password hashes and API decryption keys the same? No. Only the method used to generate them is similar, in that both are created using numerous rounds of strong cryptographic hashing with a random salt. The random salts are different.
Finally, the salts are stored and the hashing is performed on a server separate from our database server, meaning that even if an attacker recovers the password hashes and encrypted API keys, they will still have to compromise that second server to learn the hashing algorithm and salts. But even in the highly unlikely event that they compromise both servers, obtaining the hashes, encrypted keys, salts, and hashing algorithms, they will still be stifled by the need to brute-force passwords under the burden of our very computationally expensive hashing system.
Please Note: Due to the change in the way API keys are being stored, when you log in to your account after the update you will need to re-add the keys from the exchanges you wish to use. To ensure maximum security, please generate and use new keys.
Google Two Factor Authentication:
Google Two Factor Authentication will be added to the site in order to increase your account security. Please visit your account settings to activate it as soon as possible.
We encourage ALL users to activate 2FA in order to better protect your account.
Automated Calculation and Updating of SNRG Burning Price:
The SNRG burn rate will now be updated daily based on market indicators. This will allow us to automatically maintain a consistent rate for using the site's services without having to do daily, manual calculations. This will mark the end of the introductory burn rate of 3 SNRG/day.
Enabling of Automated System Email:
Automated email functionality has been added so that users can use the Password Reset functionality should it be needed. Users will now also be required to confirm their email address prior to using the site's functionality. This will allow us to ensure users will have access to reset their password and to additional site functionality that will be added in the future.
As always, please feel free to let myself or Grandpa Jones know if you have any questions. We'll be available in the Slack channel tonight during the release to keep an eye on things and make sure the release goes as smoothly as possible for our users.
-nextgen