
Password Security


From its inception, CellarTracker used a very low-tech authentication 
mechanism, and users were encouraged to use a password that they wouldn't be 
afraid for an administrator to see.
  
However, effective October 27, 2011, the site embraces industry best 
practice with regard to password handling, cookies, secure web protocols, 
password reset mechanisms, etc. If you are not especially technical, you can 
probably stop reading right now. If, however, you are curious or have specific 
technical concerns or issues, the goal of this FAQ is to disclose our practices 
in this area as transparently as possible.
  
Please also read about PrivacyOptions for controlling who can see your cellar 
data.
  
<TableOfContents>
  
= Technical Details =
Below I describe in more detail the web protocols (HTTP/HTTPS), SSL/TLS 
certificates, cookies, password hashing, and the general practices for 
retaining and transmitting passwords.
  
== HTTPS Details ==
Traditionally, websites have used a secure ([http://en.wikipedia.org/wiki/HTTPS 
HTTP Secure or HTTPS]) page only for the initial log-in and then resumed the rest of 
the browsing session over an insecure HTTP connection. However, with the advent 
of shared, public, wireless access points, this is increasingly problematic, as 
demonstrated by the public release of [http://codebutler.com/firesheep 
Firesheep]. In short, this partially secure approach makes it easy for anyone 
on the same network to steal your credentials and masquerade as you. **As such, CellarTracker has 
chosen to use HTTPS for ALL browsing for logged in users.** While this does 
add some latency and server cost, it is the only proper way to 
truly protect your information.
  
Formerly CellarTracker used to show advertisements to guests and registered 
users who had not made a VoluntaryPayment. Unfortunately, at this time Google 
does not offer a version of AdSense that will serve ads over HTTPS without 
compromising security and generating incredibly annoying "mixed 
content" prompts in IE8 and older. In the name of security and user 
convenience, I have decided to forgo millions of ad impressions per year and 
have dropped these advertisements for all registered users. While this is a 
very expensive business decision for CellarTracker, it is simply the RIGHT 
THING to do for the community.
  
Not all SSL/TLS certificates are created equal. CellarTracker has obtained a 
Class 4 or [http://en.wikipedia.org/wiki/Extended_Validation_Certificate 
Extended Validation (EV)] certificate. You can see this as the green indicator 
in the browser's address bar:
  
https://www.cellartracker.com/images/evcert.png
https://www.cellartracker.com/classic/images/evcert.png
  
== Cookie Details ==
In keeping with industry best practice, authentication cookies (username and 
hashed password) generated by CellarTracker are marked Secure, so they are 
only transported over HTTPS. The site also marks all cookies as 
[http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html 
HttpOnly] to help mitigate Cross Site Scripting attacks in mainstream 
browsers.
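The two cookie attributes above are easy to get wrong on one cookie and miss in testing. The following is an added example (not CellarTracker's code): it builds an authentication cookie with both attributes set the way the FAQ describes, and audits a list of response headers for any Set-Cookie that lacks either one. The cookie names, values and headers are constructed samples.

```python
"""Secure/HttpOnly cookie construction and audit.

Added example, not CellarTracker's code. Cookie names, values and the sample
response headers below are constructed for illustration.
"""
from http.cookies import SimpleCookie


def build_auth_cookie(name: str, value: str) -> str:
    """Return a Set-Cookie header value that is Secure (sent only over HTTPS)
    and HttpOnly (not readable by page scripts, which blunts XSS cookie theft)."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie value and report which of Secure/HttpOnly are absent.
    Attribute names are matched case-insensitively, as browsers do."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
    return {"name": name, "missing": missing}


def audit_response(headers: list) -> list:
    """Scan a (name, value) header list and describe every cookie lacking a flag."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        result = audit_set_cookie(hvalue)
        if result["missing"]:
            findings.append(f"cookie {result['name']!r} lacks {', '.join(result['missing'])}")
    return findings


# Constructed sample response: the auth cookie is set properly, a legacy
# preference cookie is not.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", build_auth_cookie("auth", "handle:EXAMPLE_PASSWORD_HASH")),
    ("Set-Cookie", "prefs=classic; Path=/"),
]

if __name__ == "__main__":
    for line in audit_response(SAMPLE_HEADERS) or ["all cookies carry Secure and HttpOnly"]:
        print(line)
```

The audit is deliberately tolerant of attribute case and spacing, since a browser will honour `secure` as readily as `Secure`; what it flags is the absence of the attribute, which is the only condition that matters.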
  
== Password Security ==
CellarTracker no longer retains the actual text of any password. Rather, your 
password is salted and hashed, and only that form is stored. Because of 
this, passwords are now case sensitive. All formerly retained passwords have 
been deleted, and site administrators no longer have access to your actual 
password. If you do forget your password, the site allows you to send a 
temporary password reset request to your email address of record. Since 
CellarTracker is not a banking or transactional site, we do not use security 
questions (e.g. what is your dog's name or your mother's maiden name) to 
further guard password resets. If your email is hijacked, you likely have far 
bigger concerns than unauthorized access to your CellarTracker account. 
However, CellarTracker cannot be used as a vector to recover your password so 
that a hacker can then access your bank accounts on another website.
  
If for some reason you no longer have access to an old email address that you 
used on CellarTracker, please send email to eric@cellartracker.com with your 
old email address, your full name, the handle in use on your account, and any 
other information required to verify your identity. Assuming everything checks 
out, we will update your email address and send you a password reset request.
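To make the two mechanisms above concrete, here is an added example (not CellarTracker's code) of salted password hashing with a per-user random salt, constant-time verification, and a single-use, expiring reset token of the kind an emailed reset request would carry. The FAQ does not name its hash function, so PBKDF2-HMAC-SHA256, the iteration count and the one-hour token lifetime are this example's assumptions; the user record is a constructed sample.

```python
"""Salted password hashing and single-use reset tokens.

Added example, not CellarTracker's code. PBKDF2-HMAC-SHA256, the work factor
and the token lifetime are assumptions; the user record is constructed.
"""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 600_000          # assumption: PBKDF2 work factor
RESET_TTL_SECONDS = 60 * 60   # assumption: lifetime of an emailed reset token


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a verifier from a fresh random salt; only this string is stored,
    so two users with the same password get different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time.
    Hashing is byte-exact, which is why passwords become case sensitive."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def _token_digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(pending: dict, handle: str, now=None) -> str:
    """Create the token that would be emailed. Only its hash is kept server side,
    so a leaked table of pending resets does not let anyone complete one."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    pending[handle] = (_token_digest(token), now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(pending: dict, users: dict, handle: str, token: str,
                       new_password: str, now=None, iterations: int = ITERATIONS) -> bool:
    """Accept the token once, before expiry, then replace the stored verifier."""
    now = time.time() if now is None else now
    entry = pending.get(handle)
    if entry is None:
        return False
    token_hash, expires_at = entry
    if now > expires_at:
        pending.pop(handle, None)      # expired: discard, a new request is needed
        return False
    if not hmac.compare_digest(token_hash, _token_digest(token)):
        return False
    pending.pop(handle, None)          # single use
    users[handle] = hash_password(new_password, iterations)
    return True


if __name__ == "__main__":
    users = {"winefan": hash_password("Merlot-2011")}   # constructed sample account
    print(verify_password("Merlot-2011", users["winefan"]))   # True
    print(verify_password("merlot-2011", users["winefan"]))   # False: case sensitive
    pending = {}
    token = issue_reset_token(pending, "winefan")
    print(redeem_reset_token(pending, users, "winefan", token, "NewPassw0rd"))  # True
    print(redeem_reset_token(pending, users, "winefan", token, "Again"))        # False: used
```

The stored string carries its own algorithm name, iteration count and salt, so the work factor can be raised later and old records re-hashed on next login without a migration of the whole table.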
  
== Migration ==
Since these changes were implemented on the website, your cookies are 
automatically migrated the first time you visit the site from a given 
machine/browser. In some rare cases people have had issues with this 
transition, so the simplest workaround is to always just delete all cookies for 
**cellartracker.com** in that browser and then log back into the site.
  
= Issues & FAQ's =
== Known Issues ==
  * **WINDOWS XP**: Some older Windows XP machines claim that the StartCom 
certificate is untrusted, but this is actually an indication that your XP 
machine is VERY out of date. The solution is to install the root certificate 
update from this Microsoft Knowledgebase article: 
http://support.microsoft.com/kb/931125
  * **iPHONE/iPAD**: I have not seen reports of this, but since upgrading to 
iOS5, I have twice seen some odd behavior in Mobile Safari on my iPhone where 
Safari changes its setting from allowing cookies to Never. This prevents users 
from logging in and logging out, and breaks things like impersonation. I think 
this issue may have more to do with iOS5 than the recent CellarTracker changes 
and is just purely coincidental timing.
  * **Blackberry**: Some Blackberry models seem to have incomplete root 
certificates and prompt about Insecure SSL. You need to add the certificate on 
your Blackberry.
  * **IE9**: Shortly after we launched this upgrade to CellarTracker, some 
users, especially those on IE9, were seeing odd looping behavior when they 
tried to visit CellarTracker. All indications pointed to an obscure bug in the 
handling of secure cookies, but we were never able to reproduce the looping 
behavior. However, after some proactive code changes, there have been no 
further reports. Please see: 
https://www.cellartracker.com/forum/tm.asp?m=170759
  
== Frequently Asked Questions ==
  * **DOWNLOAD TO EXCEL**: Since its inception, CellarTracker has had a special 
ExcelDownload that utilizes "Excel Web Queries" to let you download 
your cellar. This requires adding your CellarTracker handle and password to the 
first tab in the spreadsheet, and then these are sent to CellarTracker with 
each web request. In this case there is no hashing of passwords, but to protect 
your password we now have an upgraded version of the web query that uses only 
HTTPS requests to protect your information. You can download that from 
https://www.cellartracker.com/webquery.xls<br>Unfortunately it has come 
to our attention that some older versions of Excel for the Macintosh seem to 
have trouble with this spreadsheet, so we still have the older, insecure 
version hosted at 
http://www.cellartracker.com/Webquery_Insecure.xls<br>Please use this 
version with caution, since it sends your password in plain text over HTTP.
  * **API SECURITY**: Right now the CellarTracker API is predominantly used by 
the 3rd party [http://cor.kz Cor.kz] and 
[http://www.firstgrowthtech.com/cellarvu.aspx CellarVU] applications. 
CellarTracker does not currently implement [http://oauth.net/2/ OAuth 2.0] or 
some other mechanism to grant these applications access to your CellarTracker 
account. We are certainly considering that for the future, but for now we 
have made some minor upgrades to our API so that these applications will not 
need to retain your password. There is now a Credentials API that can be passed 
a handle and password and in return receive a valid password hash. Both 
CellarVU and Cor.kz plan to use this in their next major releases. Also, the 
current/latest version of Cor.kz has already switched over to HTTPS for all 
calls to CellarTracker. If you have concerns about this, we recommend either 
not using these applications or using a special password just for 
CellarTracker, Cor.kz and CellarVU that is DIFFERENT from the passwords you 
use for banking and other transactional accounts.
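The Credentials API item above describes a one-time exchange: the third-party application sends the handle and password once, receives the password hash, and from then on keeps and sends only that hash. The following is an added example (not CellarTracker's, Cor.kz's or CellarVU's code) with both sides of that exchange, so it is visible that the application's storage never contains the password. The endpoint prefix, PBKDF2 parameters and account record are this example's assumptions and constructed samples.

```python
"""Credentials API exchange: an application retains a derived credential
instead of the user's password.

Added example, not CellarTracker's or any third-party application's code. The
API base URL is hypothetical, the KDF parameters are assumptions and the
account record is a constructed sample.
"""
import hashlib
import hmac
import os
from urllib.parse import urlsplit

API_BASE = "https://www.cellartracker.com/api"   # hypothetical endpoint prefix
ITERATIONS = 200_000                             # assumption: PBKDF2 work factor

# ---- server side -----------------------------------------------------------
SERVER_USERS = {}   # handle -> {"salt": bytes, "hash": bytes}; constructed store


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(handle: str, password: str) -> None:
    salt = os.urandom(16)
    SERVER_USERS[handle] = {"salt": salt, "hash": _kdf(password, salt)}


def credentials_api(handle: str, password: str):
    """Exchange handle+password for the account's credential (the stored hash),
    or None. This is the only call in which the application handles the password."""
    rec = SERVER_USERS.get(handle)
    if rec is None:
        return None
    if not hmac.compare_digest(_kdf(password, rec["salt"]), rec["hash"]):
        return None
    return rec["hash"].hex()


def cellar_api(handle: str, credential: str):
    """A data call authenticated by the credential rather than the password."""
    rec = SERVER_USERS.get(handle)
    if rec is None:
        return None
    try:
        candidate = bytes.fromhex(credential)
    except ValueError:
        return None
    if not hmac.compare_digest(candidate, rec["hash"]):
        return None
    return {"handle": handle, "bottles": 12}   # constructed payload


# ---- third-party application -----------------------------------------------
class ThirdPartyApp:
    def __init__(self):
        self.linked = {}   # handle -> credential; the password is never stored

    @staticmethod
    def _require_https(url: str) -> None:
        # The credential is accepted as proof of identity, so it deserves the
        # same transport protection as the password it replaces.
        if urlsplit(url).scheme != "https":
            raise ValueError(f"refusing to send credentials over {url}")

    def link_account(self, handle: str, password: str) -> bool:
        self._require_https(f"{API_BASE}/credentials")
        credential = credentials_api(handle, password)
        if credential is None:
            return False
        self.linked[handle] = credential   # only the derived credential is kept
        return True

    def fetch_cellar(self, handle: str):
        self._require_https(f"{API_BASE}/cellar")
        return cellar_api(handle, self.linked[handle])

    def stored_secrets(self) -> list:
        """What an attacker would find in the application's saved state."""
        return list(self.linked.values())


if __name__ == "__main__":
    register("winefan", "Merlot-2011")          # constructed sample account
    app = ThirdPartyApp()
    print(app.link_account("winefan", "Merlot-2011"))   # True
    print("Merlot-2011" in app.stored_secrets())        # False: no plaintext retained
    print(app.fetch_cellar("winefan"))
```

Because the returned hash is itself accepted by the API, it is a bearer secret: the application must store it with the same care as a password and send it only over HTTPS, which is why the FAQ's HTTPS-everywhere and Secure-cookie choices matter as much for the API as for the browser.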
  
= A Note on Credit Card Security =
This is actually a non-sequitur, but with the recent announcement of 
[http://forums.winelibrary.com/viewtopic.php?f=7&t=38503 stolen credit 
cards at Wine Library], I thought I should comment on credit card security at 
CellarTracker. I have actually made a very conscious decision from day 1 to 
NEVER store or even handle cardholder data. All voluntary payments to 
CellarTracker come via a webpage hosted at payflowlink.paypal.com as part of 
the 
[https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/howto_gateway_payflow_link PayFlow Link] 
payment service. This is a 3rd party payment service originally developed by 
Verisign and later acquired by PayPal as part of their Merchant Division. All 
cardholder data that you enter is handled only by PayPal. I never have access 
to complete credit card details, and I don't want it. PCI compliance is a real 
pain in the neck, and touching credit cards is akin to playing with munitions.
  
= Conclusion =
In short, I hope you are pleased with the changes here. Please do email 
eric@cellartracker.com if you have questions, concerns or technical issues.
  
-------
CategoryFAQ

Edited December 9, 2012