Password Audit System and Account Security Update
Updated on Aug. 6, 2020
The following letter has been sent to KeepSolid users whose accounts were discovered to be vulnerable by our password audit system (more about the system further in this piece):
We are immensely grateful to you for using KeepSolid services. As we promised, we’re constantly striving to improve the quality of our services and protect our clients. Currently, we are working to ensure the integrity of our customers’ passwords and the security of their accounts.
Our security system has determined that you may be using a password that can be found in the leaked password databases from other services.
To protect your account from cybercriminals, please create a new, strong password:
How do we know that without seeing your password? Thanks to our sophisticated security system! You can read more about how it works on our blog.
If you have any questions, or if you want to make sure that this is a valid letter from KeepSolid, feel free to reach us at [email protected].
Thank you for being our valued customer!
We care about your security
As a security company, KeepSolid’s overriding concern is the safety and privacy of our users. Currently, we apply username+password pairs to protect our user accounts. However, this kind of security relies heavily on our users creating strong passwords for their profiles.
As you may know, a strong password is:
- Unique to each service
- 8+ characters long
- A combination of capital and small letters, numbers, and special characters
- Not a vocabulary word
This means that “123456”, “password”, or “qwerty” are weak passwords, whereas “[email protected]!29S” is a strong password.
KeepSolid account protection
To protect against brute-force attacks (online password guessing), we automatically lock an account after repeated incorrect password attempts. If this happens to you, you can easily restore access to your account via email.
KeepSolid does not store plaintext user passwords in our database. We use the PBKDF2 algorithm (a slow, one-way key derivation function) to turn your password into a derived hash. This approach lets us verify that a submitted password is correct, and audit whether it is strong, without company employees ever being able to view the password itself.
Over 6 years of our company’s operations, we have updated our password security policy more than once to keep up with the times. Still, we have never forced new requirements upon existing users until this day.
KeepSolid password audit system
To completely avoid the risk of our user accounts getting hacked, we’ve decided to be proactive and detect any potentially vulnerable accounts before they become a target. This gives our users time to change their passwords to stronger ones.
To this end, we’ve acquired a powerful multi-GPU system that allows us to audit user passwords without seeing the passwords themselves. This system employs a few security features to ensure complete privacy and integrity of users’ sensitive information:
- To prevent any hacking attempts, the system is not connected to the internet
- Only a few key specialists have access to it
- Data is temporarily stored on a hardware-encrypted drive, and is permanently deleted once processed
- Identified weak passwords are system-bound – we only know that an account is vulnerable, but not the password itself
Using the password audit system, we have checked our user accounts against the 500 most common passwords in the world and against passwords that are known to have been leaked, according to publicly available breach information. This has allowed us to identify a number of potentially vulnerable user accounts, and we’ve already contacted their owners to help make their accounts more secure.
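As an added illustration of the audit described above (this is not KeepSolid’s code; the PBKDF2 parameters, the sample accounts and the short known-weak list are constructed assumptions), here is the core of such a check in Python: accounts are stored only as salted PBKDF2 hashes, each candidate from the weak list is re-derived per account, and the result names the flagged accounts without revealing which password matched.

```python
import hashlib
import hmac
import secrets

# PBKDF2 parameters are assumed for this example; the page does not state KeepSolid's.
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 100_000
DERIVED_KEY_LEN = 32


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow one-way derivation of a password with a per-account salt."""
    return hashlib.pbkdf2_hmac(PBKDF2_HASH, password.encode("utf-8"),
                               salt, iterations, dklen=DERIVED_KEY_LEN)


def store_password(password: str) -> dict:
    """What the user database keeps: salt, iteration count and derived hash, never the password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": derive(password, salt, PBKDF2_ITERATIONS)}


def audit(accounts: dict, candidates: list) -> set:
    """Return the usernames whose stored hash matches any candidate password.

    Every account has its own salt, so each candidate must be derived once per
    account; that per-account cost is what an offline multi-GPU box absorbs.
    Only the username is reported, so the output never shows the matching password.
    """
    flagged = set()
    for username, record in accounts.items():
        for candidate in candidates:
            guess = derive(candidate, record["salt"], record["iterations"])
            if hmac.compare_digest(guess, record["hash"]):
                flagged.add(username)
                break  # one match is enough; stop deriving for this account
    return flagged


def run_sample_audit() -> set:
    """Constructed sample data: three accounts and a short known-weak list
    (in practice a top-N list plus entries from public breach corpora)."""
    accounts = {
        "alice": store_password("password"),          # on the weak list
        "bob":   store_password("Vx7#q2Lm!pR9zTe4"),  # on no list
        "carol": store_password("qwerty"),            # on the weak list
    }
    known_weak = ["123456", "password", "qwerty", "letmein", "dragon", "sunshine"]
    return audit(accounts, known_weak)


if __name__ == "__main__":
    print("potentially vulnerable accounts:", sorted(run_sample_audit()))
```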
We have other new cool features for user account security coming soon, so stay tuned for more!