Nobody wants the security of their online data to be compromised. Unfortunately, high-profile data breaches of large and trusted companies are not uncommon. As recently as last year, popular sites like Facebook and Quora both experienced major security breaches. These breaches can jeopardize the safety of your email addresses, passwords, and any other information you may have stored within a particular profile. The passwords exposed in such breaches circulate online in lists, and some customers created their SuperSaaS account years ago and are still using the same password on SuperSaaS as they do on another website. There are two ways in which we try to defend against hackers who use these lists to try to gain access.
We block high-volume password guessing, but that alone doesn’t fully protect you
First of all, we have a system set up to detect anyone testing a large number of passwords at once. The IP addresses involved get blocked automatically and our monitoring software alerts us. However, this type of monitoring is not fully effective on its own, because hackers can employ a large number of IP addresses and test only a few passwords from each one.
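One way to implement the kind of detection described above, as an added example that is not SuperSaaS’s own code: a sliding-window counter of failed logins run over constructed log lines. It goes a step beyond the paragraph by counting failures per target account as well as per source IP, which is one way a defender can notice the pattern the paragraph warns about (many addresses, only a few guesses from each). The log format, thresholds, window length and addresses are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication-failure log lines (not real traffic).
# Assumed format: "<ISO timestamp> FAIL ip=<address> user=<account>"
# First block: one address guessing against several accounts.
# Second block: several addresses each making one guess against one account.
SAMPLE_LOG = """\
2024-01-10T09:00:01 FAIL ip=203.0.113.5 user=alice@example.com
2024-01-10T09:00:02 FAIL ip=203.0.113.5 user=alice@example.com
2024-01-10T09:00:03 FAIL ip=203.0.113.5 user=bob@example.com
2024-01-10T09:00:04 FAIL ip=203.0.113.5 user=carol@example.org
2024-01-10T09:00:05 FAIL ip=203.0.113.5 user=dave@example.org
2024-01-10T09:01:00 FAIL ip=198.51.100.1 user=erin@example.com
2024-01-10T09:01:10 FAIL ip=198.51.100.2 user=erin@example.com
2024-01-10T09:01:20 FAIL ip=198.51.100.3 user=erin@example.com
2024-01-10T09:01:30 FAIL ip=198.51.100.4 user=erin@example.com
2024-01-10T09:01:40 FAIL ip=198.51.100.5 user=erin@example.com
2024-01-10T09:30:00 FAIL ip=192.0.2.9 user=frank@example.com
"""

# Assumed thresholds: failures inside the window before an alert fires.
WINDOW = timedelta(minutes=5)
IP_THRESHOLD = 5        # failures from one source address
ACCOUNT_THRESHOLD = 5   # failures against one account, from any address


def parse_line(line: str):
    """Split one log line into (timestamp, source ip, target account)."""
    ts_text, _, rest = line.split(" ", 2)
    fields = dict(part.split("=", 1) for part in rest.split())
    return datetime.fromisoformat(ts_text), fields["ip"], fields["user"]


class FailedLoginMonitor:
    """Sliding-window failure counter keyed per source IP and per target account."""

    def __init__(self, window=WINDOW, ip_threshold=IP_THRESHOLD,
                 account_threshold=ACCOUNT_THRESHOLD):
        self.window = window
        self.ip_threshold = ip_threshold
        self.account_threshold = account_threshold
        self._by_ip = defaultdict(deque)
        self._by_account = defaultdict(deque)
        self.blocked_ips = set()
        self.flagged_accounts = set()

    def _count(self, timestamps: deque, ts: datetime) -> int:
        # Append the new event, drop events older than the window, return size.
        timestamps.append(ts)
        while timestamps and ts - timestamps[0] > self.window:
            timestamps.popleft()
        return len(timestamps)

    def record(self, ts: datetime, ip: str, account: str) -> list:
        """Record one failure; return any new alerts it triggers."""
        alerts = []
        # Per-IP rule: the automatic block the post describes.
        if (self._count(self._by_ip[ip], ts) >= self.ip_threshold
                and ip not in self.blocked_ips):
            self.blocked_ips.add(ip)
            alerts.append(("block_ip", ip))
        # Per-account rule: catches distributed guessing that stays under
        # the per-IP threshold at every single address.
        if (self._count(self._by_account[account], ts) >= self.account_threshold
                and account not in self.flagged_accounts):
            self.flagged_accounts.add(account)
            alerts.append(("alert_account", account))
        return alerts


def scan_log(text: str):
    """Feed every non-empty line to a fresh monitor; return it and its alerts."""
    monitor = FailedLoginMonitor()
    alerts = []
    for line in text.splitlines():
        if line.strip():
            alerts.extend(monitor.record(*parse_line(line)))
    return monitor, alerts


if __name__ == "__main__":
    monitor, alerts = scan_log(SAMPLE_LOG)
    for kind, target in alerts:
        print(f"{kind}: {target}")
```

On the sample data the per-IP rule fires for the single noisy address, while the spread-out guesses against one account are invisible to it and are only caught by the per-account counter; the appropriate response to an account alert is something that does not help the attacker (notify, step up verification, or reset), not a lockout that lets a third party deny the owner access.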
We verify your password against a list of known compromised passwords
As a second line of defense we take the lists of compromised accounts that security research firms make available online, and check whether any of our customers appear on them. On the site Have I Been Pwned? you can check whether your own account appears on such a list. If we do find a matching password, we check whether the corresponding email address appears on that list as well, and we reset the password if both appear.
We can check your password without actually knowing what it is
It’s important to note that we do not need to send your password to anyone else for this verification; in fact, your password never leaves our servers. Instead we use a mathematical fingerprint of your password, a so-called cryptographic hash, and check whether that hash appears on the list. The fingerprints are kept secure in a separate list that does not leave our office, although by themselves the fingerprints are harmless: they cannot be reconstructed back into a password. This way nobody needs to handle the actual passwords directly, and we will not even know which password you used if we find a match on the list. All we would know is that it is on a list of compromised passwords and that it would be a good idea to reset it.
We reset the passwords that we find on the list
If the hash of your password is in fact found on the list of hashed passwords, we delete your password as a precaution. The next time you attempt to log in you will be forwarded to the “lost password” screen, so you can email yourself a password reset link.
To be clear, this does not mean your account has been compromised. It just means that we reset your password for you as a precaution, to prevent it from being compromised in the future. We feel the mild annoyance of a password that has been erased is outweighed by the huge trouble of a breached account.
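The hash-based check and the reset rule from the sections above, as an added example that is not SuperSaaS’s code. It assumes the operator keeps a SHA-1 fingerprint of each password in a list separate from the login credential store (the post only says “a separate list”; SHA-1 is assumed because that is the hash in which the Have I Been Pwned “Pwned Passwords” download is published, in `SHA1HEX:COUNT` lines). The leaked lists, account records and function names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample of a downloaded leaked-password list. The "SHA1HEX:COUNT"
# line format is the Have I Been Pwned download format; the counts are made up.
# The two digests are SHA-1("password") and SHA-1("123456").
SAMPLE_LEAKED_PASSWORDS = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
7C4A8D09CA3762AF61E59520943DC26494F8941B:23597311
"""

# Constructed sample of e-mail addresses taken from a breached-account list.
SAMPLE_LEAKED_EMAILS = """\
alice@example.com
carol@example.org
"""


def fingerprint(password: str) -> str:
    """Return the upper-case SHA-1 hex digest of a password.

    This is the "mathematical fingerprint" of the post: the comparison is done
    hash-to-hash, so the cleartext password never has to travel anywhere.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_leaked_hashes(text: str) -> dict:
    """Parse 'HASH:COUNT' lines into {hash: count}, skipping blank lines."""
    leaked = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        leaked[digest.upper()] = int(count) if count else 0
    return leaked


def load_leaked_emails(text: str) -> set:
    """Lower-case the leaked addresses so the later match is case-insensitive."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


@dataclass
class BreachCheck:
    email: str
    password_leaked: bool
    email_leaked: bool

    @property
    def reset_password(self) -> bool:
        # The post's rule: reset when BOTH the password hash and the e-mail
        # address appear in the leaked data.
        return self.password_leaked and self.email_leaked


def check_account(email: str, stored_fingerprint: str,
                  leaked_hashes: dict, leaked_emails: set) -> BreachCheck:
    """Decide whether an account's password should be reset as a precaution.

    Only the stored fingerprint is consulted; the function never sees a
    cleartext password, and on a match it still does not learn the password,
    only that its fingerprint is on the list.
    """
    return BreachCheck(
        email=email,
        password_leaked=stored_fingerprint.upper() in leaked_hashes,
        email_leaked=email.strip().lower() in leaked_emails,
    )


if __name__ == "__main__":
    hashes = load_leaked_hashes(SAMPLE_LEAKED_PASSWORDS)
    emails = load_leaked_emails(SAMPLE_LEAKED_EMAILS)
    # Constructed accounts: (email, fingerprint of the password they chose).
    accounts = [
        ("alice@example.com", fingerprint("password")),
        ("bob@example.com", fingerprint("password")),
        ("carol@example.org", fingerprint("correct horse battery staple")),
    ]
    for email, fp in accounts:
        r = check_account(email, fp, hashes, emails)
        print(f"{email}: password leaked={r.password_leaked}, "
              f"email leaked={r.email_leaked}, reset={r.reset_password}")
```

Two design points worth keeping in mind. An unsalted fast hash such as SHA-1 is needed to match the published list, but it is not a password storage hash: the fingerprint list should stay separate from the slow, salted hashes used to verify logins, as the post’s “separate list” implies. And because the fingerprint is compared against the whole list rather than sent out of the building, the check works entirely offline once the list has been downloaded.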
We aim to repeat this check at regular intervals, and in particular whenever another large breach occurs and new lists appear online. We rarely talk about our security, because as long as we’re doing our job there should be little to communicate. This is one of the few visible ways in which we are attempting to provide a secure experience when you’re using SuperSaaS. Rest assured that, as a team, we are working hard behind the scenes on cybersecurity every day.