We took a couple of steps last week to make your Sparkle account securer than ever. Although we've never had a security problem, you can't be too careful these days. So we always keep Sparkle as secure as possible.
We now encrypt all communications between your browser and the Sparkle servers, which means nobody can eavesdrop on your activity or hijack your account. We use 2048-bit SSL, the same technology used by banks when you bank online.
You don't have to do anything to take advantage of this: it's already in effect. Depending on your browser, you should see a small padlock or green 'https' in the address bar.
Hacking into an account this way ("HTTP session hijacking") used to be rare because it was difficult to do. Now, though, it's quite common because recent tools have made it easy. Sparkle is now immune to this attack.
Passwords never sent by email
Sparkle has never stored passwords in plain text. However if you signed up for Sparkle before last week, Sparkle would have included your password in the 'Welcome To Sparkle' email it sent you. Similarly if you were adding one of your collleagues to Sparkle, you would have had to choose a username and password for them — and these would have been emailed to your colleague so they could sign in.
There were two problems with this: email is not encrypted so passwords could potentially have been seen by somebody else (N.B. I'm not aware of this ever happening); and it's a bit silly for you to have to choose a username and password for somebody else!
Now if you sign up for Sparkle, your password will not be included in the Welcome email. If you forget it, you can easily reset it from the sign-in page.
And when you add a colleague to Sparkle, you no longer need to choose a username and password for them. Sparkle will send them an email with a link to a page where they can choose these for themselves.
Our top priority
We take security seriously. No system is ever perfectly secure, but these two changes significantly increase the security of your Sparkle account.
If you have any questions at all, please get in touch.