Quote: Originally posted by Todd on Jul 23, 2013
OK, so today Lottery Post had a big security upgrade. It is something I have literally been working on for months, and today I finally made the cutover to the new security system.
This upgrade was extremely important, in the following respects:
- It enforces stricter passwords that are case-sensitive, and for the security-conscious can now be up to 200 characters in length. These types of passwords are great if you use a password manager (for example, LastPass) that generates random passwords for the websites where you maintain accounts. (For the record, everyone should be using a password manager like LastPass.)
- I have gotten rid of the ability to send yourself a password reminder, and instead I have changed the "forgotten password" feature to a change password feature. That means that it is now impossible for anyone to get a hold of your password, even if they gain access to your e-mail inbox. They can still change your Lottery Post password if they have access to your inbox (and know your LP Username), but they cannot discover the password that you used.
- Most importantly, I have changed the Lottery Post server so that it uses one of the computer industry's best-possible hashing algorithms — called Bcrypt — to store password hashes. Lottery Post maintains very tight security protocols, but even if someone were to find a way to hack into the Lottery Post database and steal the entire user database, there would be no way to pull out or reconstruct the passwords. If I used an older hashing scheme to store the passwords it would be possible for a hacker to use programs to work out the passwords, but not so with the hashing in place now.
A major security upgrade like this is a very large, complex undertaking, and is a project I have been very carefully working on for months. When implementing new security, there are no second chances — everything needs to go well on the first shot. So I was probably more nervous about this upgrade than anything I have done in years.
I have never had, nor do I foresee, the Lottery Post database being hacked, but then again I'm sure most of the other companies that have suffered security breaches felt that way before the intrusion. I would rather not see Lottery Post among the Web sites that had their passwords hacked, so this upgrade was entirely a proactive move on my part.
After installing the upgrades this afternoon, many of you experienced an issue with login failing. That's because your account was not yet converted over to the new security system. (See If you can't log in, please read this, posted today at 2:11 pm Eastern Time.) At this point all the active memberships are converted over, and the system is finishing converting the rest. It will be completely finished this evening.
The security upgrades also reach into the Chat system, and I have even beefed up the security there. As someone using Chat, you'd never know the difference, but from the system's perspective it is much, much harder for a hacker to breach or exploit.
If you are interested in learning more about password security, I'd suggest Googling password salting and hashing.
Other updates
While the new security system was the biggest upgrade, there were a number of other minor things that were included in today's upgrade.
- The VTracs Results page now separates the Illinois My3 results from the regular Pick 3 results, and the My3 VTracs history is now available by clicking on the game name on the VTracs results page.
- There is now built-in support for Windows 8.1 start screen live tiles. If you pin Lottery Post to the Windows 8.1 start screen, you will get news updates right on your start screen. I also created support and graphics for all the new tile sizes. (Windows 8.1 will be available for Windows 8 users to download in the coming months. It will be a free upgrade from Microsoft.)
- The new spell checker that replaced the now-defunct Google spell checker was part of this upgrade, but I was able to install it two days ago rather than waiting until today.
- I upgraded to the latest release of jQuery, as I always try to do when performing a big upgrade. jQuery is part of the code that makes up each page, so new releases often help fix bugs and increase performance in various areas.
- I upgraded the mobile device detection to include the latest mobile devices and browsers, which helps when you browse Lottery Post using anything other than a desktop computer.
- A ton of other minor wording changes, tweaks, etc. Many of these minor changes have been finished for a while, but sitting around waiting for today's upgrade to install. Again, many of these will go unnoticed by most people, but they improve the overall quality of the site.
I am happy and relieved to finally get this upgrade out of the way. If you experience any problems, just drop me a note and let me know.
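The two changes Todd describes, a slow salted password hash in place of an older fast one and a reset token in place of a password reminder, as an added example that is not Lottery Post's code. It uses PBKDF2-HMAC from Python's standard library as a stand-in for bcrypt (which needs a third-party package); the function names, the record format and the cost value are my assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumed cost factor: like bcrypt's work factor, raise it as hardware gets faster.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and cost kept in the record; compare in constant time.
    Comparison is byte-exact, so passwords are case-sensitive."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def legacy_hash(password: str) -> str:
    """The kind of older scheme the post contrasts with: fast and unsalted, so equal
    passwords give equal hashes and a stolen table can be attacked with precomputed lookups."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def issue_reset_token() -> tuple:
    """Forgotten-password flow as a reset, not a reminder: the token is e-mailed once,
    and the database keeps only its hash, so nothing stored reveals a usable secret."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def redeem_reset_token(presented: str, stored_digest: str) -> bool:
    digest = hashlib.sha256(presented.encode("ascii")).hexdigest()
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    record = hash_password("Correct Horse Battery")  # constructed sample password
    print(record)
    print("login ok:", verify_password("Correct Horse Battery", record))
    print("wrong case rejected:", not verify_password("correct horse battery", record))
    print("same password, same legacy hash:", legacy_hash("pw") == legacy_hash("pw"))
    print("same password, different salted records:", hash_password("pw") != hash_password("pw"))
```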