This post may be a bit geeky, but we wanted to explain what Nowcado (get it for Android or iOS) is doing in the background when you sign up so you know how secure this process really is. Note that all transactions with the Nowcado server are performed over a secure, encrypted SSL connection.
- A user sends account details (email, username, and password) to the Nowcado servers.
- Nowcado creates a provisional account in the database. The password is uniquely salted, run through a one-way hash, and peppered (e.g. the password in the database might look like a long nonsensical string of characters that is mathematically impossible to reverse, and the same password for a different user would be a different string). No trace of the password is seen in any server logs or in the database itself. Until the user confirms the account, it cannot be used to sign in.
- Nowcado sends an email to the user to confirm his or her identity.
- The user confirms his or her identity by clicking the email confirmation link.
- Nowcado marks the account as confirmed, allowing the user to sign in.
- The user signs in.
- Nowcado responds with credentials (not your password!) that your device uses on subsequent requests. This is secure because you are using an authentication token that has no correlation to your password (salted or otherwise), and there is logic that can lock down your account if hijacking attempts using fake tokens are detected.
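To make the steps above concrete, here is a small Python model of the whole flow, written as an added example for this post; it is not Nowcado's own code. It assumes an in-memory dictionary as the "database", a constructed pepper value (a real deployment would load it from a secret store, never from the database), PBKDF2-SHA256 as the one-way hash, a confirmation token returned directly instead of emailed, and a lockout rule of five fake tokens, all of which are choices for the example rather than anything the post states.

```python
import hashlib
import hmac
import secrets

# Server-side secret pepper. Constructed value for this example; in a real
# deployment it lives in an environment variable or secret store, not the DB.
PEPPER = b"example-pepper-not-a-real-secret"
PBKDF2_ITERATIONS = 600_000  # assumption: OWASP-style cost for PBKDF2-SHA256

accounts = {}          # username -> account record (stands in for the database)
sessions = {}          # session token -> username
bad_token_counts = {}  # username -> number of fake tokens seen
LOCKOUT_THRESHOLD = 5  # assumption: lock the account after this many fake tokens


def hash_password(password: str, salt: bytes) -> bytes:
    """Per-user salt + server-wide pepper + slow one-way hash.

    The pepper is applied with HMAC before the KDF, so a dump of the database
    alone (salt + hash) is not enough to run an offline guessing attack.
    """
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS)


def sign_up(email: str, username: str, password: str) -> str:
    """Create a provisional account; return the email-confirmation token.

    Returning the token stands in for sending the confirmation email.
    """
    if username in accounts:
        raise ValueError("username already taken")
    salt = secrets.token_bytes(16)
    confirmation_token = secrets.token_urlsafe(32)
    accounts[username] = {
        "email": email,
        "salt": salt,
        "password_hash": hash_password(password, salt),
        "confirmed": False,
        "confirmation_token": confirmation_token,
        "locked": False,
    }
    # Only the username reaches the log; the plaintext password is never written.
    print(f"[log] provisional account created for {username!r}")
    return confirmation_token


def confirm(username: str, token: str) -> bool:
    """Mark the account confirmed if the single-use token matches."""
    acct = accounts.get(username)
    if acct is None or acct["confirmed"]:
        return False
    if not hmac.compare_digest(acct["confirmation_token"].encode(), token.encode()):
        return False
    acct["confirmed"] = True
    acct["confirmation_token"] = None  # single use
    return True


def sign_in(username: str, password: str):
    """Verify the password; on success return a fresh random session token.

    The token is random and unrelated to the password, so it reveals nothing
    about the password even if it leaks.
    """
    acct = accounts.get(username)
    if acct is None or not acct["confirmed"] or acct["locked"]:
        return None
    candidate = hash_password(password, acct["salt"])
    if not hmac.compare_digest(candidate, acct["password_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    sessions[token] = username
    return token


def authenticate_request(username: str, token: str) -> bool:
    """Check the token on a later request; lock the account after repeated fakes."""
    acct = accounts.get(username)
    if acct is None or acct["locked"]:
        return False
    if sessions.get(token) == username:
        return True
    bad_token_counts[username] = bad_token_counts.get(username, 0) + 1
    if bad_token_counts[username] >= LOCKOUT_THRESHOLD:
        acct["locked"] = True
        # Invalidate any live sessions for this account as well.
        for live in [t for t, u in sessions.items() if u == username]:
            del sessions[live]
    return False
```

Two properties worth checking against this model: two users who pick the same password end up with different stored hashes (the per-user salt), and the stored record and the session token contain no trace of the password itself.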
As you can see, you must do a lot here to confirm you are who you claim to be. Stay tuned for tomorrow, when we walk you through the Facebook sign-in process that eliminates those steps!