Enhanced Password Security Measures at WhoAPI

WhoAPI is committed to ensuring the highest standards of digital security for our users. We understand that a robust password policy is pivotal in safeguarding sensitive data and maintaining the integrity of our services. Hence, we are excited to announce the implementation of our new password procedures, aligned with NIST SP 800-53 control IA-5(1), Password-based Authentication.

Revamped Password Requirements:

Our updated password protocol introduces enhanced security measures meticulously designed to fortify user accounts against unauthorized access. The key features of our new policy include:

  1. Length Requirements:
    • Privileged Accounts (Admins of SaaS Platform): A minimum of 15 characters.
  2. Complexity Criteria: Each password must contain uppercase and lowercase letters and at least one digit, which enlarges the space an attacker has to search in a brute-force attack.
  3. Password Lifecycle Management:
    • Password Age: A password must be at least 1 day old before it can be changed again, and must be changed after at most 365 days; once that limit is reached a change is mandated.
    • History Constraint: To combat password recycling, we prohibit the reuse of the last 10 passwords.
    • Recommendation against Dictionary Words: We have not barred common dictionary words, but we recommend that our users avoid them. We have users around the world, so enforcing this would mean forbidding dictionary words in two dozen languages.
  4. Initial Logins: Users will be forced to create a unique password for their first login, adhering to our stringent passphrase requirements.
  5. Cryptographic Protection:
    • Storage & Transmission: Passwords are never stored in plaintext and are encrypted in transit, shielding them from interception and unauthorized access.
    • Salted Hashes: Wherever technically viable, each password is combined with a random, per-user salt before hashing, which prevents precomputed-table attacks and stops one cracking run from covering every account at once.
Enhanced security measures - WhoAPI announcement - New Password Protocol

What is salted hashing?

“Salted hashing” is a security measure used to enhance the protection of stored passwords. Here’s how it works:

  1. Hashing: Hashing converts a password (or any other data) into a fixed-size value, the digest, using a hash function. The property that matters here is preimage resistance: given a digest, it is computationally infeasible to find an input, in this case the password, that produces it.
  2. Salting: A “salt” is a random string of bytes generated separately for each password and used as an additional input to the hash function. The salt does not need to be secret; it needs to be unpredictable and unique.
  3. The Salted Hash Process:
    • When a user creates a password, the system generates a random salt.
    • This salt is then combined with the password to create a salted password.
    • The salted password is then passed through the hash function, producing a salted hash.
    • Both the salt and the salted hash are stored in the database; the salt is stored in the clear, alongside the hash.
  4. Verification: When a user logs in, the system retrieves the salt associated with the user’s account, combines it with the provided password, and hashes this combination. If the resulting hash matches the stored salted hash, the password is considered verified.
  5. Security Enhancement: Because every password gets its own salt, two users with the same password end up with different stored hashes. This defends against attacks that rely on sharing work across many hashes:
    • Rainbow Table Attacks: Precomputed tables mapping hashes back to candidate passwords are rendered useless, because the attacker would need a separate table for every possible salt value.
    • Dictionary Attacks: The salt is stored next to the hash, so it does not stop an attacker from trying a list of common passwords against one account. What it does is force every guess to be hashed again for every account, instead of once for the whole database.
    • Brute Force Attacks: Likewise, the work cannot be shared: cracking N salted hashes costs N times the work of cracking one. The cost of each individual guess is set by the hash function itself, not by the salt, which is why passwords should be hashed with a deliberately slow function such as bcrypt, scrypt or Argon2 rather than a fast general-purpose hash.

Salting is a best practice for secure password storage and is part of a robust security strategy. It ensures that even if an attacker gains access to the stored hashes, recovering the original passwords becomes significantly more difficult.
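The following is an added worked example, not WhoAPI's own code, that ties the salted-hash process above to the password lifecycle rules from the policy section: per-user random salt, salt-then-hash storage, constant-time verification, the 15-character privileged minimum, the upper/lower/digit complexity check, the 1-day minimum and 365-day maximum age, and the 10-password history (which works precisely because the old salts are kept, so each old hash can be re-derived). It uses PBKDF2-HMAC-SHA256 from the Python standard library because it runs anywhere; the iteration count, salt length, class and function names are assumptions for illustration, and a memory-hard function such as Argon2id or scrypt would be the better choice in production. Nothing here is known to match WhoAPI's implementation.

```python
"""Salted password hashing plus the policy rules from the announcement.

Added illustration, not WhoAPI's code. Names and KDF parameters are assumed.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Policy values taken from the announcement above.
PRIVILEGED_MIN_LENGTH = 15
HISTORY_DEPTH = 10
MIN_AGE = timedelta(days=1)
MAX_AGE = timedelta(days=365)

# Hashing parameters (assumed): PBKDF2-HMAC-SHA256, 600k iterations (OWASP's
# 2023 figure for this KDF). Prefer Argon2id or scrypt in production.
SALT_BYTES = 16
ITERATIONS = 600_000


def check_policy(password: str, privileged: bool) -> List[str]:
    """Return policy violations; an empty list means the password is acceptable.
    The post only states a minimum length for privileged accounts."""
    problems = []
    if privileged and len(password) < PRIVILEGED_MIN_LENGTH:
        problems.append(f"privileged accounts need at least {PRIVILEGED_MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("missing uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("missing lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("missing digit")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salt-then-hash. Returns (salt, digest); both are stored, the salt is not secret."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every new password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


@dataclass
class Account:
    privileged: bool
    salt: bytes = b""
    digest: bytes = b""
    changed_at: Optional[datetime] = None
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # last N (salt, digest)

    def set_password(self, new: str, now: datetime) -> List[str]:
        """Apply complexity, minimum-age and history rules, then store a new salted hash."""
        problems = check_policy(new, self.privileged)
        if self.changed_at is not None and now - self.changed_at < MIN_AGE:
            problems.append("password changed less than 1 day ago")
        # History check: each old salt is kept, so the candidate is hashed
        # against every old entry; the old hashes are never reversed.
        for old_salt, old_digest in self.history:
            if verify_password(new, old_salt, old_digest):
                problems.append(f"password was used within the last {HISTORY_DEPTH} passwords")
                break
        if problems:
            return problems
        self.salt, self.digest = hash_password(new)
        self.changed_at = now
        self.history = (self.history + [(self.salt, self.digest)])[-HISTORY_DEPTH:]
        return []

    def expired(self, now: datetime) -> bool:
        """True when the 365-day maximum age has passed (or no password is set)."""
        return self.changed_at is None or now - self.changed_at > MAX_AGE

    def login(self, password: str) -> bool:
        return verify_password(password, self.salt, self.digest)


def demo() -> dict:
    """Walk one privileged account through the rules; returns the observed outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    admin = Account(privileged=True)
    out = {}
    out["too_short"] = admin.set_password("Short1", t0)
    out["first_set"] = admin.set_password("Correct-Horse-Battery-9", t0)
    out["login_ok"] = admin.login("Correct-Horse-Battery-9")
    out["login_bad"] = admin.login("Correct-Horse-Battery-8")
    out["too_soon"] = admin.set_password("Another-Long-Passphrase-7", t0 + timedelta(hours=2))
    out["reused"] = admin.set_password("Correct-Horse-Battery-9", t0 + timedelta(days=2))
    out["expired"] = admin.expired(t0 + timedelta(days=400))
    # Two users choosing the same password get different salts, hence different hashes.
    _, h1 = hash_password("Correct-Horse-Battery-9")
    _, h2 = hash_password("Correct-Horse-Battery-9")
    out["same_password_same_hash"] = h1 == h2
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting: `hmac.compare_digest` avoids leaking, through timing, how many leading bytes of a guess matched the stored hash, and the history check is only possible because the old salts are retained together with the old hashes. Dropping the salts would make the stored history unverifiable, and reusing one salt for all accounts would bring back the very amortization the salt exists to prevent.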

Single Sign-On (SSO) for Enterprise Clients:

In addition to the aforementioned enhancements, WhoAPI proudly offers Single Sign-On (SSO) capabilities to our enterprise clients. SSO is a user authentication service that lets a user access multiple applications with one set of login credentials (e.g., username and password) held by a central identity provider. This streamlines the login process, reduces password fatigue, and cuts down the number of passwords that can be leaked or reused, which lowers the risk of password-related breaches.

With these rigorous security protocols in place, WhoAPI continues to be at the forefront of digital security, ensuring that our users’ data remains protected and their digital experience, seamless. We are dedicated to providing a secure, user-friendly platform, and these changes mark a significant leap forward in our relentless pursuit of excellence in cybersecurity.

How do I update my WhoAPI password?

When you are logged in, open the Account section.

https://my.whoapi.com/account

Scroll down to the “Password Change” section. Clicking in the “New Password” field triggers the password strength and requirement check, pictured below.

WhoAPI Password Change prompt

Additional Security Measures

Whitelist IP Address
I would also like to remind our users that they can whitelist the IP addresses from which they make API requests. Once a whitelist is set, our system only accepts API requests from those addresses, so a leaked API key alone is not enough to use the account. This is available under the API IP whitelist once you are logged in.

Change API Key
We also recommend rotating your API key periodically, and immediately if you suspect it has been exposed. You can do this by clicking the “Generate” button next to your current API key, which is visible throughout the Console once you are logged in. Remember to update any clients that use the old key, since it stops working once a new one is generated.

Goran Duskic

Goran Duskic has been the Founder and CEO of WhoAPI Inc. since 2011, a company that specializes in developing APIs, including the well-known Whois API. He started his career in internet entrepreneurship in 2006 and has co-founded several online businesses, including a web hosting company that he later sold. Goran's work primarily involves creating practical API solutions to meet technological needs.