We've recently upgraded our password encryption in response to a possible security issue affecting a number of accounts. Your account will be automatically upgraded to use the stronger encryption next time you log in. If you usually stay logged in all the time, please log out and then back in to ensure your account is upgraded.
What was the issue?
We maintain a virtual development environment which coders who want to work on the Archive can download: this is a copy of everything needed to run the Archive so that our coders can easily develop and test. This comes with a partial copy of Archive data, so that coders can see how changes in the code will affect the site, with identifying information such as email addresses stripped out. However, we were alerted to the fact that the way we previously encrypted passwords meant someone with access to this data could theoretically use it to figure out passwords associated with some accounts.
Our new encryption system will make it much harder for anyone who accesses our data in any way to guess passwords. In addition, we will review how we put together the sample data we use for development. Only known coders have accessed the old data (we keep a record of downloads) and we have no reason to think that users' accounts were compromised. However, account security is a priority and we're asking our users to change their passwords as a precautionary measure.
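Why the upgrade only happens at login, and why users who stay logged in must log out and back in, shown as an added example (not the Archive's own code). The page does not name either scheme, so the unsalted SHA-1 "legacy" format, the PBKDF2 replacement, the work factor and all function names here are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def legacy_hash(password):
    # Assumed old scheme: fast, unsalted digest (cheap to guess offline).
    return "legacy$" + hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password, salt=b"", iterations=PBKDF2_ITERATIONS):
    # Assumed new scheme: per-user random salt plus a slow key-derivation function.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify(password, stored):
    scheme, _, rest = stored.partition("$")
    if scheme == "legacy":
        candidate = legacy_hash(password)
    elif scheme == "pbkdf2":
        iterations, salt_hex, _ = rest.split("$")
        candidate = strong_hash(password, bytes.fromhex(salt_hex), int(iterations))
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def login(users, name, password):
    stored = users.get(name)
    if stored is None or not verify(password, stored):
        return False
    # The plaintext is only available right now, so this is the one moment
    # the server can replace a legacy record with the stronger one.
    if stored.startswith("legacy$"):
        users[name] = strong_hash(password)
    return True


# Constructed sample data: two accounts still stored under the old scheme.
users = {"alice": legacy_hash("correct horse 42"), "bob": legacy_hash("tr0ub4dor")}
```

An account whose owner never logs in again keeps its legacy record, which is why an existing session alone does not upgrade it.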
How to change your password
Affected account holders will shortly receive an email with a link to the "Change My Password" page. To change your password without the link:
- Log in to your account with your current password.
- Visit your Profile.
- Follow the "Edit My Profile" link at the bottom of the page.
- Follow the "Change Password" link at the top.
We strongly recommend you pick a password that combines at least letters and numbers, and avoid easily guessable passwords like 'password' or '123456'. You may wish to use a service like How Secure is my Password? to help you create a strong password.