I see that when I log into Kickstarter, there's a banner that recommends changing my password. That's pretty good, but why not take it a step further by invalidating all the passwords and forcing a password change when someone logs in?
Possibly because that's quite user-hostile? I may not be in a position to generate a new password and save it on a given arbitrary login to the site.
Fundamentally, this isn't a high-risk situation. If the password controlled something vital, then sure, force the reset on everyone. But what's the worst someone can do with my Kickstarter credentials? They certainly can't spend any of my money, that requires my Amazon password as well.
Also, they say that "For pledges to projects outside of the US, we store the last four digits and expiration dates for credit cards."
Isn't that the information that resulted in Amazon and Apple accounts being compromised last year? Perhaps those two have fixed their procedures to prevent that from happening again, but other companies may not have been pro-active. And even if proper procedures are in place, all it takes is one little screw-up.
Thanks for sharing. Curious: at the time of conversion, why not run everything through bcrypt, rather than keeping a dual system? (This way, the old passwords get validated with ->SHA1->digest->bcrypt, and the new passwords get validated with ->bcrypt, but either way everything in the system is bcrypted.)
My guess is that it was a CPU cost decision but I'm curious anyway.
My guess is to avoid asking every user to change their password. From a UX perspective, it's not a nice thing to ask. This has nothing to do with security, where I agree that having one system is certainly better.
Nobody would have to change their password, the suggested change would only affect Kickstarter's internals. You'd still have two different systems in place like in the solution that was actually implemented, but both of them would contain a 'brcypt'.
I wanted to know this too, just because I was curious whether my password was bcrypted. But if they're in the middle of remediating problems, I don't want to know so much that I'd ask them to go look something up.
That makes sense. Wikipedia says "The primary function of salts is to defend against dictionary attacks and pre-computed rainbow table attacks." So, I guess I was thinking that if salts were stored separately, then that would help on the dictionary angle.