While we are busy getting the next issue ready, we’ve made a few changes behind the scenes.
Subscriber issue list
The first is for subscribers. Now when you log into your account, the list you see at the bottom of the page includes the issue numbers for each year of your subscription.
Each year of your subscription shows the issues of that year. You can now quickly see in which year a particular issue is.
Subscriber Viewer
A month ago we updated the viewer subscribers use to read their issues online, another behind-the-scenes change. For many years we used an ancient version of the Mozilla/pdf.js viewer. But in late May, security analysts discovered a vulnerability in all but the latest version of that viewer. In early June we replaced it with the most recent version of the Mozilla/pdf.js viewer.
Yesterday a new version of this viewer was released, version 4.4.168, and as of this morning, that is the version we are using.
One handy feature is that when subscribers read an issue online, there are print and save buttons in the upper right-hand corner of the viewer, so you can easily print or save the issue you are reading.
After updating the viewer twice in the span of a month, we know how to update this easily. We plan on using the latest version from now on.
Argon2id Password Hashes
And a significant behind the scenes change is how we store passwords on the site. Actually, websites like ours never store passwords. What we do is run your passwords through complex algorithms that create a hash of your password. They end up looking something like this: $P$BZ.KrDn8CnJs93KpiDmomqOk/H9TBt.
From the hash, it is impossible to reverse the calculation and see the original password. And the way they work is that every time you log in, we generate a hash from the password you entered. If the hash matches the hash we have for you, we know you entered the password correctly.
But websites don’t just hash the password once. They take the hash and hash that. And then hash that. Hundreds and sometimes thousands of times. And because a random value, called a salt, is mixed into each hash, two people who use the same password still end up with different hashes.
Last week we changed how we hash passwords. This is happening transparently, behind the scenes. If your hash is still the old type, after you log in, we update your hash to the new type.
And why did we do this? To make the password hashes on our site as impossible as possible to crack. With the old type of hash technique, if hackers were ever able to get the password hashes, they could run thousands and millions of processes simultaneously to see if they can find a password that creates the same hash.
But with the new way we hash passwords, a hashing technique called Argon2id, a single attempt to generate a hash requires 128 megabytes of RAM. A hacker quickly runs out of RAM trying to generate hashes with Argon2id.
It is also why having long passwords makes it impossible for hackers to crack a password. On our website, we accept 91 different characters in passwords. Which means that if you use a 16 letter password, there are 7.1311403662e54 possible combinations. Or a number this large: 7,131,140,366,200,000,000,000,000,000,000,000,000,000,000,000,000,000,000.
Trying to run through every possible password that will create the same hash would take so many years that the sun will expand and swallow the earth before a hacker is even partly done.
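A stored hash string records which scheme and cost settings produced it, which is how the upgrade-at-login step described above can be decided and how progress of the changeover can be tracked. The sketch below is an added example, not this site's code: it assumes the old type is the `$P$` form quoted earlier and that new hashes use the standard encoded Argon2 string; the function names and sample rows are constructed.

```python
import re

TARGET_KIB = 128 * 1024  # 128 megabytes per hash, the figure stated above
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Encoded Argon2 string: $argon2id$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<hash>
ARGON2 = re.compile(r"\$(argon2(?:id|i|d))\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)"
                    r"\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+")


def describe(stored):
    """Parse a stored hash string into its scheme and cost settings."""
    m = ARGON2.fullmatch(stored)
    if m:
        return {"scheme": m.group(1), "memory_kib": int(m.group(2)),
                "passes": int(m.group(3)), "lanes": int(m.group(4))}
    # Assumption: the old type is the 34-character "$P$" form quoted above,
    # whose fourth character encodes log2 of the number of hashing rounds.
    if len(stored) == 34 and stored.startswith("$P$") and stored[3] in ITOA64:
        return {"scheme": "legacy-$P$", "rounds": 1 << ITOA64.index(stored[3])}
    return {"scheme": "unknown"}


def needs_upgrade(stored):
    """True when the next successful login should re-hash the password."""
    info = describe(stored)
    if info["scheme"] == "unknown":
        raise ValueError("unrecognised hash format; do not overwrite it blindly")
    return not (info["scheme"] == "argon2id" and info["memory_kib"] >= TARGET_KIB)


def audit(rows):
    """Return the user names still waiting for their first post-change login."""
    return [user for user, stored in rows if needs_upgrade(stored)]


# Constructed sample rows; the Argon2 salts and digests are placeholders.
PAD = "A" * 43
ROWS = [
    ("alice", "$P$BZ.KrDn8CnJs93KpiDmomqOk/H9TBt."),  # hash string quoted in the post
    ("bob", "$argon2id$v=19$m=131072,t=3,p=1$Y29uc3RydWN0ZWRzYWx0$" + PAD),
    ("carol", "$argon2id$v=19$m=19456,t=2,p=1$Y29uc3RydWN0ZWRzYWx0$" + PAD),
]

if __name__ == "__main__":
    for user, stored in ROWS:
        print(user, describe(stored), needs_upgrade(stored))
    print("pending:", audit(ROWS))
```

Accounts that `audit` still lists have not logged in since the change, so their passwords remain protected only by the old hash type.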
And we are off to creating another stimulating issue for you for Saturday, July 6.