User blog:TimmyQuivy/Introducing Fandom Auth - Our New Secure Login Service

The software platform Fandom runs on is constantly evolving in ways both noticeable and unnoticeable to our users. If you’ve been following the Staff Blog for the last few years, you of course are familiar with the Unified Community Platform and then the following front-end refresh for the FandomDesktop experience. Just last month we announced our plans for upgrading MediaWiki to 1.37. These are all changes that directly impact how you write on and design your communities.

Other changes are more subtle, more invisible. But these are just as important and valuable to our user base, even if you never see a single difference. The internet as a whole is continuing to evolve rapidly as a bunch of memes about the metaverse indicate, and unfortunately that means new vulnerabilities and exploits are discovered by the internet’s shadier characters.

So today, I’m going to walk you through one of these largely invisible changes we’re making, one that puts your account security first and foremost. This project is called Fandom Auth and is a series of major backend improvements along with some frontend tweaks tied together to create one unified, secure login and password system for all of Fandom’s properties.

Fandom Auth will be rolling out to our entire user base in the coming weeks. We have tested it out for nearly a year and when your account is switched over to use this system you won’t notice the difference in your day-to-day editing. The goal is to let you log in/out as quickly and easily as you always have.

There are some minor changes that will affect you when you want to change how and what you log in with, so let’s dive into the details of what you may see differently if you go looking for it and why they are changing the way they are.

Hash Changes
Many of you are aware that when you enter a password when you register for a site, the website isn’t storing your plaintext password in its login database. Some websites have done that, and … uh, … that’s a bad idea.

What reputable websites do is run your password through a hashing function and then save the resulting output, called a hash. Hash functions are a little hard to put in plain language, but imagine a computer tool that produces the world’s coolest and hardest-to-crack secret code. You’d need like — 100 decoder rings (and a few horcruxes) to figure it out on your own. Once a password is hashed, it should be impossible for anyone to figure it out, even if they are the hash-slinging slasher.

So most websites, including ours, hash the password you put in and then check to see if the resulting hash matches what was stored when you registered or last changed it. If the hashes match, you’re logged in.

As part of this project, we are removing any legacy hash in our database that is not compatible with the current industry standards. That means if you haven’t changed your password since 2011 or so, change it now. Or else you’re going to only be able to reset your password via email next time you try to log in.

Hashes are incredibly secure. Here’s a hash generated in SHA512, one of three methods we use to hash your information before saving it in our login databases.

Say that ten times fast (or even once). Know what the original plaintext password was? I’ll wait and let you figure it out.

(... still waiting …)

(... still waiting …)

Okay, now that you’ve given up, the original password was “Be Sure To Drink Your Ovaltine”. Even if you were able to reverse decode that hash, it does not mean you can use that hash to guess similar passwords. If I simply add an exclamation mark to the end of that original password, the hash changes all the way to:

As I mentioned above, we use three separate methods to hash and encrypt your password before we save it - SHA512, BCrypt, and AES256. So even if one of these methods were to be cracked by someone in the future, it would not put your account at risk should a bad actor get access to the password database (which we’re obviously working to prevent as well).
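The store-then-compare login flow and the "one exclamation mark changes everything" effect described above, as an added example that is not Fandom's code. It assumes salted PBKDF2-HMAC-SHA512 from the Python standard library as a stand-in for the slow-hash step (the post names SHA512, BCrypt and AES256 but does not show how they are combined); the function names and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor for this sketch

def sha512_bits_changed(a: str, b: str) -> int:
    """Count differing bits between the SHA-512 digests of two strings."""
    da = hashlib.sha512(a.encode("utf-8")).digest()
    db = hashlib.sha512(b.encode("utf-8")).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))

def register(password: str) -> dict:
    """Build the record a login database would store: salt and hash only."""
    salt = os.urandom(16)  # unique per account, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}

def verify(record: dict, attempt: str) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha512", attempt.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

PASSWORD = "Be Sure To Drink Your Ovaltine"  # the sample password from the post

if __name__ == "__main__":
    record = register(PASSWORD)
    print("correct password accepted:", verify(record, PASSWORD))
    print("with '!' appended accepted:", verify(record, PASSWORD + "!"))
    print("same password, second account, same hash:",
          register(PASSWORD)["hash"] == record["hash"])
    print("SHA-512 bits changed by the '!':",
          sha512_bits_changed(PASSWORD, PASSWORD + "!"), "of 512")
```

The per-account salt is why two users with the same password end up with different stored hashes, and roughly half of the 512 output bits flip when a single character is appended.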

Has You Been Pwned
Also changing is that when you try to create a new password, we will check your username/password combo with an open-source database called HaveIBeenPwned and, if that combination has been hacked already, we’ll let you know and not let you use that password here on Fandom. So we’re keeping you secure on Fandom and giving you a big hint to go change your passwords elsewhere.
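One way a breached-password check at password-change time can work, as an added example that is not Fandom's code. It assumes the Pwned Passwords range model, in which only the first five characters of the password's SHA-1 hash are sent and the match is done locally, and it checks the password alone; how Fandom performs its check is not stated in the post. The corpus, counts and `offline_fetch` stand-in are constructed so the example runs offline.

```python
import hashlib

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range_query(password: str) -> tuple:
    """Only the 5-character prefix is sent; the 35-character suffix stays local."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]

def breach_count(suffix: str, range_body: str) -> int:
    """Find our suffix in a 'SUFFIX:COUNT' response body; 0 means not listed."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # padded entries carry a count of 0
    return 0

# Constructed breach corpus and counts, standing in for the remote service.
CORPUS = {"password": 100, "Be Sure To Drink Your Ovaltine": 2}

def offline_fetch(prefix: str) -> str:
    """Hypothetical stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    lines = [sha1_upper("constructed decoy")[5:] + ":0"]  # padding-style entry
    for pw, count in CORPUS.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

def password_allowed(password: str, fetch=offline_fetch) -> bool:
    """Reject a new password if its hash suffix appears with a non-zero count."""
    prefix, suffix = split_for_range_query(password)
    return breach_count(suffix, fetch(prefix)) == 0

if __name__ == "__main__":
    for pw in ("password", "Be Sure To Drink Your Ovaltine", "x7#constructed-unique-Q"):
        print(repr(pw), "allowed" if password_allowed(pw) else "rejected")
```

Because the service only ever sees a five-character hash prefix shared by many passwords, the check does not disclose the password being tested.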

New Login & Password Settings Page
Additionally, if you ever need to change anything related to how you log in, you’re going to be directed to a new landing page. Previously, you stayed on the wiki using Special pages to do something like change your password, but that’s not the most secure way to make these sorts of changes on the modern internet. This new page is the frontend of what’s called a microservice, a narrowly-focused tool that allows us to rapidly and easily tie in the most modern security encryptions. So instead, you’ll be redirected to a different URL - it will still have fandom.com in the URL to let you know you’re on a legit page - where you can change your password before you’ll get redirected back to the normal Preferences page.

This page will be used any time you:

 * Connect/Disconnect with an external service like Google Login
 * Change your email address associated with your account
 * Change password

This is also the same landing page we have been using for registration and sign-in for a while, which was built with all sorts of security protections in mind, such as transmitting information in fully-encrypted HTTPS and preventing cross-site request forgeries (CSRF).

Other Things To Know

 * We are changing the maximum session length to 6 months. That means even if you have your browser set to “remember” your credentials, after 6 months you’ll be asked to log in again. Also, once your account is switched over to Fandom Auth, you’ll have to reauthenticate - that is to say you will have to log in again, no matter how recently you just did.
 * We are adding Apple Login as a method of logging in, adding to the already existing third-party login services: Google, Facebook, and Twitch.
 * Long-term we envision using this login system for all of Fandom’s properties, not just our wiki communities, but for now those login systems will remain separate while we do other groundwork.