We're pleased to announce we're in the final stages of our new mobile experience, which centers around offering the web and desktop application you've come to love, optimized for smaller screens. We've been using the new mobile experience on our internal devices, and can wholeheartedly say it's a dramatic improvement over the previous version, and is a joy to use. Its feature parity with web is also 100%, compared to around 60% with the previous mobile experience. The unification of our web, desktop, and mobile codebase into one fulfills our long-time goal of building new features by writing them once. There are many features we'd like to build, like starring, linking, notebooks, and tagging files, but having to build them once for web and then duplicate that effort for mobile is prohibitively inefficient, especially for a smaller team like ours.

The new mobile experience will come as a normal update to your existing mobile app installation, and should otherwise be seamless. We're still putting on the finishing touches, which we hope will take weeks, but could take longer. You can begin participating in the early preview now by going into your mobile app Settings > New Mobile Experience > Opt In. If you change your mind, you can undo this by going into Preferences > General > Defaults > Switch to Classic Mobile Experience.

We've resolved the issue we wrote about yesterday, where server performance had been degraded over the past few days. We tracked down the cause as a ballooning of the number of entries in our Redis cache, caused by what we believe to be an information-seeking spam operation on our login endpoint. A spammer might issue hundreds of thousands of requests against our login endpoint, each time with a different email, in an attempt to determine whether a particular email is registered with us. Done with many emails, this can allow spammers to compile a list of registered users of a service. The spammer in this case will have wasted a tremendous amount of resources only to gather nothing: we're well protected against these kinds of scenarios.

Typically, a service will just return "invalid email or password" during a login attempt to disguise whether the account actually exists or not. But there are two tell-tale signs that can sometimes leak out of these endpoints. One is an account lock after too many attempts. If account locks are only applied to real accounts, this informs the spammer that if they get a lockout error after signing in too many times, then the account does indeed exist. The other is 2FA: if on a sign-in attempt you are prompted for 2FA, this is also an indication the account exists. Our servers protect against both scenarios and do not allow account-existence leaks. For 2FA existence leaks, we present a decoy 2FA prompt randomly (but deterministically) for any email address, regardless of whether the account exists or not. For the case of account locking, we lock out all email addresses after a certain number of invalid logins, regardless of whether the email represents a real account or not. In addition, some services ask for 2FA only after your password is correctly verified. We take this a step further and do not allow password verification without the correct 2FA token first. This prevents outsiders from attempting to make password guesses without having the correct 2FA token.

Back to the server incident: our account lockout entries were stored in a temporary cache in Redis. The number of these entries had ballooned due to a sudden increase of lockout entries for emails that didn't exist. We identified an area of our usage of Redis where we had used the SCAN command for searching instead of a constant-time lookup method. After making some small refactors to our Redis usage to better handle a large number of entries, our server congestion issues were immediately remedied, and we are back to full health.
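The login-endpoint defences described above (a lockout counter kept for every email whether or not it exists, a decoy 2FA prompt that is random-looking but deterministic per email, and checking the 2FA token before the password is ever verified), together with the direct key lookup that replaced SCAN, as an added Python sketch that is not Standard Notes' own server code. The secret, lockout threshold, decoy rate, and the in-memory stand-ins for the Redis cache and the user table are constructed assumptions.

```python
import hmac
import hashlib
from typing import Optional

# Constructed assumptions: the post gives no secret, threshold or decoy rate.
SERVER_SECRET = b"constructed-demo-secret"
LOCKOUT_THRESHOLD = 5
DECOY_RATE = 4            # roughly 1 in 4 emails without real 2FA sees a decoy prompt

# Stand-ins for the Redis cache and the user table (constructed sample data).
lockouts = {}             # "lockout:<email>" -> failed attempt count
accounts = {"alice@example.com": {"password": "correct horse", "totp": "123456"}}

def decoy_2fa_required(email: str) -> bool:
    """Random-looking but deterministic per email: repeating a request never
    reveals whether a prompt was a decoy, because the answer never changes."""
    digest = hmac.new(SERVER_SECRET, email.lower().encode(), hashlib.sha256).digest()
    return digest[0] % DECOY_RATE == 0

def requires_2fa(email: str) -> bool:
    acct = accounts.get(email)
    if acct is not None and acct["totp"] is not None:
        return True                     # real 2FA account: always prompt
    return decoy_2fa_required(email)    # everyone else: decoy by deterministic choice

def login(email: str, password: str, totp: Optional[str]) -> str:
    key = f"lockout:{email}"
    # Direct key lookup (a Redis GET on a known key), not SCAN across the keyspace:
    # cost stays constant no matter how many bogus emails have been locked out.
    if lockouts.get(key, 0) >= LOCKOUT_THRESHOLD:
        return "locked"                 # same answer for real and unknown emails
    if requires_2fa(email) and totp is None:
        return "2fa_required"           # same prompt for decoys and real 2FA accounts
    acct = accounts.get(email)
    ok = False
    if acct is not None:
        # The 2FA token is checked first; the password is never verified without it.
        totp_ok = acct["totp"] is None or hmac.compare_digest(acct["totp"], totp or "")
        # Plaintext comparison is a stand-in for a real password-hash check.
        ok = totp_ok and hmac.compare_digest(acct["password"], password)
    if not ok:
        # Counted for every email, so a lockout error says nothing about existence.
        lockouts[key] = lockouts.get(key, 0) + 1
        return "invalid"
    lockouts.pop(key, None)
    return "ok"
```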