Saturday, May 5, 2018

Security of passwords

Thanks to Twitter, I had to spend about an hour yesterday changing various similar passwords on a whole slew of sites. While a pain in the neck, it probably wasn't a bad thing for me to do.

You may wonder if MyFlightbook suffers the same problem. The answer is "no."

I'll get into some more technical details at this point, so everything that follows is really only interesting if you care about such arcana.

Like Twitter (and as is industry standard), passwords on MyFlightbook are "hashed" before being saved into the database. That is, a one-way encryption operation is performed, which is mathematically non-reversible. (Generally this involves "salting", which adds data to the password, and other one-way mathematical functions from which you can't derive the inputs given the output. In MyFlightbook's case, I use the HMAC SHA1 hash.)

The result of this operation is what's stored in the database; your password is NOT recorded anywhere on the website.  This is why if you lose your password, I can reset it for you, but I cannot recover it for you.

When you sign in, I perform the same operation on the password that you provide and compare the result from that with what's in the database to see if it's a match. Twitter's bug was that they logged the password in a file somewhere before doing the hash; MyFlightbook doesn't ever store this.
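The store-and-compare flow described above, as an added Python example rather than MyFlightbook's own code. It assumes a random per-user salt used as the HMAC key; `USERS`, `digest`, `set_password` and `sign_in` are hypothetical names, and the in-memory table stands in for the database.

```python
import hashlib
import hmac
import secrets

# In-memory stand-in for the user table (constructed for this example).
USERS = {}


def digest(password: str, salt: bytes) -> bytes:
    # Assumption: the per-user salt is the HMAC key, the password the message.
    return hmac.new(salt, password.encode("utf-8"), hashlib.sha1).digest()


def set_password(email: str, password: str) -> None:
    """Registration or reset: store a fresh salt and the digest only.

    The plaintext password is never written anywhere, which is why a lost
    password can be replaced (reset) but not read back (recovered).
    """
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "digest": digest(password, salt)}


def sign_in(email: str, password: str) -> bool:
    """Repeat the same operation on the submitted password and compare."""
    record = USERS.get(email)
    if record is None:
        # Unknown account: do the same hashing work before refusing, so the
        # response time does not reveal whether the account exists.
        digest(password, b"\x00" * 16)
        return False
    candidate = digest(password, record["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    set_password("pilot@example.com", "correct horse")   # constructed sample
    print(sign_in("pilot@example.com", "correct horse"))
    print(sign_in("pilot@example.com", "wrong guess"))
    print(sorted(USERS["pilot@example.com"]))             # no password field
```

A single HMAC-SHA1 pass is fast to compute, so current practice for stored passwords favors a deliberately slow function such as PBKDF2, bcrypt, scrypt or Argon2; the store-and-compare flow stays the same.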

The mobile apps (iOS and Android) are slightly different in that they do keep your password on the device; they do this in order to periodically re-authenticate on your behalf, or to sign in to the website. On these devices, however, the operating system provides a secure/encrypted "sandbox" in which the app plays. In other words, if somebody had a hack that could penetrate into the sandbox, then access to your MyFlightbook password would be the least of your problems.

For most operations, the mobile apps do not need to send the password to the server.  Instead, when you authenticate, they provide your email/password to the server, which then sends back a "token" that says "you're authenticated."  Subsequent operations like uploading flights or retrieving totals then pass that token to the server, which accepts it as proof of identity.  The apps periodically refresh their tokens.

It's important to note that ALL communication that includes a password is always over a secure channel (https), whether this is using the web site or a mobile app.  This ensures that your password cannot be sniffed.

There are some places where the mobile apps need to send you to the website, and must authenticate you in doing so. In these cases, the app passes your email and password to the website over a secure channel, and the website then redirects you (removing the password) to the requested page. For example, if you are using the mobile app and want to view your progress towards a given rating, the app will pass your email and password to the website, which will authenticate you and then switch over to the Ratings Progress page, stripping your email/password. All of this is over https, so stripping it is unnecessary to avoid snooping, but stripping it also means that it won't be exposed in the URL of the page being viewed.


Friday, May 4, 2018

Change to commercial checkrides

The FAA has removed the requirement that applicants for a commercial rating provide a complex or turbine aircraft for their checkride.

Lots of good commentary on this elsewhere on the web, but I'll focus on its implications for MyFlightbook here.

MyFlightbook has never enforced this requirement on the checkride itself. It simply assumes that if you marked the flight as having been a commercial checkride, then in fact it was and you passed. (If you managed to do so without having a complex aircraft prior to this rule change, then your DPE probably should no longer be allowed to conduct checkrides!)

The main place where this affects MyFlightbook is in your progress towards your commercial rating.  Specifically, 61.129(a/b)(3)(ii) requires 10 hours of complex (or turbine) training.  MyFlightbook does enforce this in computing your progress.

The removal of the checkride requirement explicitly states that "there is no change ... to the commercial pilot aeronautical experience requirements of § 61.129(a)(3)(ii) or part 141 appendix D." 

This is interesting because it only slightly reduces the cost burden of getting a commercial rating - instead of 10hrs + checkride in a complex aircraft, you now only need 10hrs, which, if access to the aircraft is a challenge, is also only marginally easier.

But from a logbook perspective, it means that there is essentially no change.  You still need the 10 hours of complex/turbine training, and MyFlightbook will still look for it.