Sign-In Problems and Encryption Changes -- Nov 20-23, 2014
What Happened, What We Did, What You Need To Do (GET A NEW PASSWORD)
We were notified by a SiteScan report, a GoDaddy (our website hosting service) resource that checks websites for malware and vulnerabilities, that the version of PHP (a programming language) we were using had a half dozen serious vulnerabilities. Although there were no attacks on the website, our priority was to upgrade the version of PHP we were using immediately.
Although that did eliminate those vulnerabilities, the upgrade introduced another problem that blindsided us. The newer version of PHP uses a security library, on which our password encryption is based, that produces different encryption codes ("hashes") for the same password than the library that came with the previous PHP version. That means you would not be able to sign in with your password: the stored hash and the hash generated from the password you enter would not match.
The incompatibility was "allowed" (required?) according to GoDaddy because of their concern that the encryption algorithm we, and many others, were using also had vulnerabilities. They correctly chose to protect their customers from a vulnerable encryption method, knowing that this would require new passwords.
Given the need to change our encryption algorithm -- and there are many! -- we chose to go with a more robust algorithm, even though the weaknesses in the one we had been using were resolved by the update. At the same time, we improved the way we invoke the encryption method (using dynamic "salts") for additional security.
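As an added illustration (not the site's own code, and not what Winning Pickleball or GoDaddy actually run), here is how a PHP application can carry the hashing scheme and a random per-password salt inside each stored record, so that a PHP or library upgrade, or a later move to a stronger algorithm, does not lock existing users out. The legacy unsalted SHA-256 scheme and the record fields `scheme` and `hash` are assumptions for the demo; `password_hash`, `password_verify` and `password_needs_rehash` are PHP's built-in functions (PHP 5.5 and later) and embed the algorithm, cost and salt in the stored string themselves.

```php
<?php
declare(strict_types=1);

// Added example, not the site's code. Assumed legacy scheme for the demo:
// an unsalted SHA-256 of the password. A hash like this is tied to whatever
// library produced it and carries no salt, which is the situation the notice
// above describes. It is kept only so existing users can sign in once more.
function legacy_hash(string $password): string
{
    return hash('sha256', $password);
}

// Check a login attempt against a user record (assumed fields: scheme, hash).
// On success with a legacy hash, the record is upgraded in place to a salted,
// self-describing hash so the old scheme can later be removed entirely.
function verify_and_upgrade(array &$user, string $password): bool
{
    if ($user['scheme'] === 'legacy') {
        // Constant-time comparison so the legacy path does not leak timing.
        if (!hash_equals($user['hash'], legacy_hash($password))) {
            return false;
        }
        // We have the plaintext from the login form right now, so re-hash it
        // with a fresh random salt; the algorithm and cost are stored in the
        // resulting string, so a future PHP upgrade can still verify it.
        $user['hash']   = password_hash($password, PASSWORD_DEFAULT);
        $user['scheme'] = 'modern';
        return true;
    }

    if (!password_verify($password, $user['hash'])) {
        return false;
    }
    // If PHP's default algorithm or cost has moved on since this hash was
    // made, refresh it transparently instead of forcing a password reset.
    if (password_needs_rehash($user['hash'], PASSWORD_DEFAULT)) {
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample account that still uses the legacy scheme.
$account = ['scheme' => 'legacy', 'hash' => legacy_hash('correct horse')];

var_dump(verify_and_upgrade($account, 'wrong password'));   // record is left unchanged
var_dump(verify_and_upgrade($account, 'correct horse'));    // record is upgraded to 'modern'
var_dump($account['scheme']);
var_dump(verify_and_upgrade($account, 'correct horse'));    // now verified via password_verify
```

The point of the `scheme` field and of `password_hash`'s self-describing output is that the verifier always knows which algorithm and salt a stored hash was made with; the hash is never recomputed with whatever library happens to be installed and then compared blindly. Once every account has signed in and been upgraded, the `legacy` branch can be deleted.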
We implemented the changes and tested them by creating test accounts, changing passwords in those test accounts, doing "negative" testing to be sure the changes did not introduce a security issue, and requesting the website to send new passwords to verify those generated by the website were processed correctly. Those tests were successful.
If you are creating an account after November 23, 2014, none of this will affect you.
For those of you with accounts established prior to November 23, 2014, the outcome of these changes is that you will need to request a new password from the website, as you will not be able to sign in with your current one. After you sign in with the password given to you by the website, you can then edit your account to change your password, even to be the same as you had previously.
To request a new password, go to the Contact Us page of the website (there's a button on the home page that opens Contact Us), enter your email address and your userID, then click the button to request that the password be sent to you by email. Although that email normally arrives quickly -- under a minute -- it can take much longer. PLEASE BE PATIENT and do not quickly request another password, thinking the first request failed. However, if you have waited a long time and still have not received that email after three attempts, then on your fourth attempt an email will be sent to Winning Pickleball Technical Support so that we can give you personal assistance in getting a new password.
If you forgot your userID, contact us requesting us to send you your userID by email. And if you have any questions, use that Contact Us page to let us know so that we can help.
We sincerely apologize for the inconvenience of having to get a new password, but resolving security issues is a top priority with us.
Winning Pickleball Technical Support