mark: A photo of Mark kneeling on top of the Taal Volcano in the Philippines. It was a long hike. (Default)
Mark Smith ([staff profile] mark) wrote in [site community profile] dw_maintenance2020-04-25 10:14 am
  • Add Memory
  • Share This Entry

Code push - tomorrow (April 26th, 2020) at ~1PM Pacific / 2000 UTC

This is a codepush announcement.

Tomorrow around 1PM Pacific / 2000 UTC, we will be updating Dreamwidth to the latest committed code. The short summary of the main changes:

  • We continue to iterate on the Quick Reply form, improving its usability/consistency across all platforms and cleaning up the hideously bad code that used to live under it. This particular update includes the feedback from the last update, so many of your thoughts/suggestions have been incorporated!

  • A number of improvements in how we render things for mobile devices. Not all of these will be immediately live, but stay tuned to [site community profile] dw_beta if you'd like to turn them on and give us feedback.

  • Improvements to Markdown rendering (in particular, the code that turns \@mark into [staff profile] mark should do it more correctly/in fewer places).

  • Finally, major changes to how we store passwords in our database (we won't anymore). This will break Semagic and other clients, but there is a workaround: Please see the workaround at the bottom of this post.

For more details, see the relevant posts in [site community profile] dw_dev:

We'll update this community and our [twitter.com profile] dreamwidth as we push code out, as per usual. See you then!

Flat | Top-Level Comments Only
zhiva: (Default)

[personal profile] zhiva 2020-04-26 03:06 am (UTC)(link)
> Finally, major changes to how we store passwords in our database (we won't anymore).

This sounds like you stored them in plain text previously.
mark: A photo of Mark kneeling on top of the Taal Volcano in the Philippines. It was a long hike. (Default)

[staff profile] mark 2020-04-26 03:53 am (UTC)(link)
Yes, that's correct.

For historical context, this is how LiveJournal (which we're a fork of) stored passwords (and presumably still does, since they still support MD5 hash based logins, which would require them to have the raw password I imagine).

We are now modernizing this part of the codebase to be in line with modern best practices, which of course results in breaking some things (hence needing migration steps for Semagic users).
madfilkentist: My cat Florestan (gray shorthair) (Default)

[personal profile] madfilkentist 2020-04-26 10:02 am (UTC)(link)
That would explain why everyone who was on LiveJournal for many years got an email saying "I caught you watching porn" and sending their LiveJournal password as "proof." If only irreversible hashes are stored, or the authentication system otherwise avoids storing passwords or anything that can be turned back into the password, this can't happen even if the database is breached.

Fixing that was long overdue, but I'm glad it's being fixed.
Flat | Top-Level Comments Only