If you are a registered user on SCAtoday.net, and have a personal account, we need you to do the following very simple steps as soon as possible:
1. Go to the SCAtoday.net home page, http://scatoday.net/. Look at the place in the upper-right column where the login/logout form appears.
2. If there is a form there asking for your login name and password, please log in. Congratulations, you're done! (Told you it would only take a minute.)
3. If instead of the login form, you see a message telling you that you already are logged in, then please log out, then log back in again. Congratulations, you're done!
4. If you had told SCAtoday.net to "enable automatic login" using cookies, then after you do Step 3 you will need to re-enable that feature. Go to http://scatoday.net/profile.php and click on the "enable automatic login" button near the bottom of the screen.
If you do not have a personal account on SCAtoday.net, then these instructions do not apply to you.
Registered users only need to do the above steps one time. You don't have to repeat them each time you log in.
If you need any technical assistance, please email firstname.lastname@example.org and we'll help you out. Thank you very much for your assistance, and we apologize for this minor inconvenience.
If you're not interested in why we are requesting this, then you can stop here. :-)
For those interested, here are the technical details...
We are almost ready to install a very significant update to the software that runs the SCAtoday.net web site, and when we do this, the database table that stores information about people's personal accounts will change to a new format.
In the original version of the software, we took extra pains with security to encrypt everyone's password in the database so that no one, not even our system administrator, could retrieve it (it's called "one-way encryption", or "secure hashing"). There is a mathematical algorithm called a "hash" that allows one to transform a text string password into a string of binary numbers that look like complete gibberish to a human being. The algorithm is specially designed so that it is very simple to go from "secret" to "5ebe2294ecd0e0f08eab7690d2a6ee69" (and yes, that actually is the real thing!), but extremely difficult to go the other direction. A supercomputer would take months to decipher a password mathematically from the binary string.
When you signed up for your account and chose your password, our software encrypted it and then stored only the binary version in the database. Each time you log in, you re-enter your password, and we encrypt the one you enter using the same mathematical algorithm. If the two binary numbers match, then we know that the password you entered matches the one that you chose when you created the account, even though we couldn't extract that original password from the database.
Now, here's the problem: The encryption is quite secure, so secure that as we move the data to our new database table, even we have no way of recovering your actual password so that we can store it in the new database. Our only alternatives are either to obtain the password from you, since you are the only one who actually has the real password and not just the binary number, or we would have to randomly assign you a new password and mail it to you.
What we have done is to add a temporary internal feature to our software, so that when you log in this one time, we will actually record your password without the encryption, so that we can move it to the new database. Anyone who logs in now will have their password recorded in our database so that we can move it; unfortunately, the others who don't do this before we switch to the new software will have to get a new random password and then they'll have to change it themselves on the new system.
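An added example, not SCAtoday.net's own code: the login-time capture described above can write the new-format record directly as a hash, so the plain password is never stored, even temporarily. It assumes the old format is an unsalted MD5 hex digest (which reproduces the "secret" value quoted above) and that the new table can hold a salted PBKDF2 string; the account name, record layout and work factor are constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # assumed work factor for the new format


def legacy_hash(password):
    """Old scheme (assumed): unsalted MD5 hex digest of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def new_hash(password, salt=None):
    """New scheme (assumed): salted PBKDF2-HMAC-SHA256, self-describing string."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2${}${}${}".format(PBKDF2_ROUNDS, salt.hex(), dk.hex())


def verify_new(password, stored):
    """Recompute the PBKDF2 digest with the stored salt and compare."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(users, name, password):
    """Check a login; on success against a legacy record, upgrade it in place."""
    record = users.get(name)
    if record is None:
        return False
    if record.startswith("pbkdf2$"):
        return verify_new(password, record)
    if hmac.compare_digest(legacy_hash(password), record):
        # The password is in memory only for this request; store the new hash.
        users[name] = new_hash(password)
        return True
    return False


if __name__ == "__main__":
    # Constructed account table: one user still on the legacy format.
    users = {"aelfric": legacy_hash("secret")}
    print(login(users, "aelfric", "secret"), users["aelfric"][:20])
```

Accounts that never log in before the switch keep their legacy record and can be handled by the random-password path the announcement already describes.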
Even though your password is stored in our database, rest assured that the database itself is quite secure. We use MySQL, a recognized, industry-standard database that is trusted by thousands of corporations for credit card data, scientific research data, and millions of other things that are much more sensitive than anything you'll find on SCAtoday.net. Only two people (our system administrators) have the passwords for MySQL. Remember also that this is only temporary, for a few days during the migration.
One important safety tip: Neither SCAtoday.net nor any other reputable site will ever ask you to email your password to a system administrator. Please do not email your password to our webmaster. If anyone sends you an email claiming to be an SCAtoday.net staff member, and they ask for your password, do not believe it, because it would be a forgery. We hope no one will stoop so low in the SCA community, but if you find someone trying this trick, please forward the email to us so that we can take appropriate action.
Again, we apologize for the inconvenience, and we are confident that the new features of our updated software will be worth the extra effort of one manual login.
If you have comments or technical questions about the system, please send an email to email@example.com or post a comment to this story.