Monday 25th January 2016
Dear Webb-site user,
Upgrading from PIN to Password
As mentioned in today's newsletter, we are writing to you about an important change to Webb-site.com.
After 17 years of running Webb-site with only a basic plain-text voting PIN for opinion polls to deter multiple-voting, we are upgrading to a high-security login, so that in future we can offer more features to logged-in users, such as tracking a chosen list of stocks and companies. Voting in polls will also be easier, as you can choose to remain logged in for a chosen period of time.
This is the last time we will send your PIN, at the top of this email. This PIN has become your password, and we encourage you to change it as soon as possible. Click here to log in and then change your password.
New passwords or phrases must be at least 8 characters but can be as long as you want. No new passwords are stored in our system. We only store a one-way cryptographic hash of a password with added salt, using the Secure Hash Algorithm 2 designed by the NSA. In other words, we won't know your password.
All remaining PINs will be replaced with random passwords 1 week from today. If you don't choose a password by that time, or forget your password, then you can get a one-time short-duration password reset link containing a random token by e-mail from the site.
When you log in, you have the choice of staying logged in for periods ranging from 1 day up to 1 month. This is done by placing a random token in a cookie in your browser, without any identifying information. Again, we don't keep a copy of that token, only a one-way cryptographic hash of it. However, if anyone gains access to your device or browser, then of course, they will be logged in as you. If that happens (e.g. if your phone is stolen or confiscated by the PRC authorities), then log in and out from any other device and all your Webb-site cookies will become inedible.
David M. Webb
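
The stay-logged-in scheme described in the letter, sketched in Python as an added example (not Webb-site's own code): a random token goes in the cookie, the server keeps only its hash, and logging out revokes every token for that user. The class and method names, the in-memory dictionary, SHA-256 as the token hash and 30 days as "1 month" are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class RememberMeStore:
    """Hypothetical server-side store: token hash -> (user_id, expiry)."""

    MIN_TTL = 24 * 3600        # 1 day
    MAX_TTL = 30 * 24 * 3600   # 1 month, assumed to be 30 days

    def __init__(self):
        self._rows = {}

    @staticmethod
    def _digest(token):
        # A 256-bit random token cannot be guessed offline, so a plain
        # SHA-256 is enough here; passwords still need a salted hash.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id, ttl, now=None):
        """Create a token for the cookie; only its hash is kept."""
        if not self.MIN_TTL <= ttl <= self.MAX_TTL:
            raise ValueError("ttl must be between 1 day and 1 month")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # carries no identifying data
        self._rows[self._digest(token)] = (user_id, now + ttl)
        return token

    def verify(self, token, now=None):
        """Return the user_id for a live token, else None."""
        now = time.time() if now is None else now
        key = self._digest(token)
        row = self._rows.get(key)
        if row is None:
            return None
        user_id, expires = row
        if now >= expires:
            del self._rows[key]  # expired tokens are purged on sight
            return None
        return user_id

    def logout_everywhere(self, user_id):
        """Revoke every remembered login for this user, on all devices."""
        stale = [k for k, (u, _) in self._rows.items() if u == user_id]
        for k in stale:
            del self._rows[k]
        return len(stale)
```

A copy of the server's table gives an attacker only hashes, which cannot be replayed as cookies, while a stolen device holds a working token until `logout_everywhere` runs for that user.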