Laridian Account Security Updates

We don’t talk much about security issues at our website for obvious reasons – any information we provide could inform a hacker and provide them a shortcut to circumventing security on our site. We’ve recently made some changes that we want you to be aware of for a couple of reasons: First, the changes are comprehensive and as a result, could affect you in ways we haven’t anticipated. Second, we want to reassure you that your information is and always has been secure.

Let’s take that last point first: Laridian doesn’t store your PayPal username or password, nor do we store your credit card number on our servers. When you make a payment, you are interacting directly with either PayPal or our payment processor, Authorize.Net. Your financial information does not even pass through our server on its way to those companies. So we have no opportunity to store it even if we wanted to.

This is important. It means that your financial information isn’t here, even if someone did break in looking for it. It is being handled by companies that are significantly more sophisticated and more security-conscious than we are. The data breaches you read about don’t generally happen at banks and credit card processors. They are almost always the result of a retail store or online shopping site with lax security. Laridian avoids these attacks by simply not being in possession of any of that information.

The first point, that the changes are extensive and at least in some small degree affect all users, is addressed below.

What Changed

The changes we’ve made are fairly comprehensive and as a result it’s possible that you’ll have trouble signing into your account if you have inadvertently been taking advantage of a shortcoming in our previous account security methods.

Prior to about January 4, 2020, your Laridian account password was stored in our database in plain text. That’s a little unusual (and arguably unsafe), but it’s the result of the fact that our original website and database implementation was done by an outside company over 20 years ago when security standards for the Internet were very different. While standards have changed, making changes to security protocols while allowing thousands of users acquired over more than 20 years to continue to access their accounts is very challenging. So addressing this issue is something we have avoided for a long time.

Even though passwords were stored in plain text, they were (and are) encrypted when transmitted from PocketBible, and the database itself is behind a firewall. The encryption makes it unlikely that someone could grab your password by monitoring your Internet traffic, and the firewall isolates the database from the Web. Both the database and the server it is hosted on require secure account login, so it would be relatively difficult for someone to access it and view user passwords. Since we weren’t protecting any financial information, we weren’t strongly motivated to make this change.

There were three main problems in the old implementation:

  1. Passwords used to be case insensitive. If your password was PASSword, you could log in with password, Password, or PaSsWoRd. This was apparently caused by the original programmer not understanding that the database was configured to do case-insensitive searches. When we discovered it later, we already had users who were inadvertently taking advantage of this misbehavior, so it became at least difficult, if not impossible, to easily change.
  2. We used to truncate all passwords to 10 characters even if you entered more than that. If your password was password1234, you could log in with password12, password12#$, or password1234567890. The original programmer allowed for longer passwords in the database and in his code, but accidentally limited the length of password fields by the way pages on our website were written. Again, once we figured this out we already had thousands of users who were taking advantage of this without realizing it, so we couldn’t easily change it.
  3. As mentioned before, passwords were stored in plain text in the database. This was the result of the naïve belief by the original implementor that password-protecting the database and the server was sufficient to secure this information. This turned out to be true, but we felt we could do better.

The new method addresses all of the above issues:

  1. Passwords are now case sensitive. If your password is PASSword, then you must enter PASSword or you don’t get in.
  2. The new method does not put a practical limit on the length of passwords. There is a limit, but you won’t encounter it unless you want to type for a long, long time. You could create a 1,000,000-character password if you want. It just wouldn’t be practical.
  3. Your password isn’t stored anywhere.

Wait, what? If the password isn’t stored, how are you able to log in?

The way the new system works is that your password is run through what’s called a hash algorithm. This algorithm calculates a fixed-size value that represents your password. So even if a hacker were able to gain access to the database, they would only have indecipherable numbers, not your password.

The hash algorithm is one-way. That is, it’s trivial to calculate the hash value from your password, but it is computationally infeasible to recover your password given only the hash value. Again, if our theoretical hacker had a list of hash values, they could not reverse those values and figure out the passwords that generated them.

When you log into your account, we run the password you give us through the same algorithm to produce a hash value, then we compare that number to the number in the database. If they match, you get in. If not, you don’t.

How You Are Affected

Because of the way we phased in the changes, you shouldn’t notice anything different unless you were accidentally using upper/lower case in a way that didn’t match your original password. If your password is longer than 10 characters, we’ll still use just the first 10 characters to log you in. If you create a new password that is longer than 10 characters, we’ll use the full password.
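The three old problems (case-insensitive comparison, truncation to 10 characters, plain-text storage), the hash-and-compare login described above, and the phase-in rule for existing passwords, shown together as an added example. This is illustrative code written for this page, not Laridian’s implementation: the page names no specific hash function, so PBKDF2-HMAC-SHA256 with a random per-user salt is assumed here (a salted, deliberately slow hash is the standard choice because an attacker holding a hash table can still guess candidate passwords and hash each guess; salting and slowness make that expensive). The `legacy_truncated` flag and `migrate_legacy` routine are likewise assumptions about how a phase-in could be modeled, not a description of how the site does it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Hash parameters chosen for this example (not from the page); bcrypt, scrypt
# or Argon2 would serve the same purpose.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


# ---- The old scheme the post describes: plain text, case-insensitive,
# ---- compared on the first 10 characters only. Kept to show what changed.
def old_login_ok(stored_plaintext: str, supplied: str) -> bool:
    """Legacy check: first 10 characters compared without regard to case."""
    return stored_plaintext[:10].lower() == supplied[:10].lower()


# ---- The new scheme: only a salted one-way hash is stored.
@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    # Assumption (not stated by the page): rows converted from the old
    # plain-text store are flagged so the first-10-character rule keeps
    # working until the user sets a new password.
    legacy_truncated: bool = False


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Derive a salted hash; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return PasswordRecord(salt=salt, digest=digest)


def verify_password(record: PasswordRecord, supplied: str) -> bool:
    """Re-hash the supplied password with the stored salt and compare digests."""
    candidate = supplied[:10] if record.legacy_truncated else supplied
    digest = hashlib.pbkdf2_hmac(HASH_NAME, candidate.encode("utf-8"), record.salt, ITERATIONS)
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, record.digest)


def migrate_legacy(stored_plaintext: str) -> PasswordRecord:
    """Convert an old plain-text row: hash the 10-character prefix that was
    actually in effect and flag the record (assumed migration strategy)."""
    rec = hash_password(stored_plaintext[:10])
    rec.legacy_truncated = True
    return rec


def change_password(record: PasswordRecord, old: str, new: str) -> Optional[PasswordRecord]:
    """Setting a new password produces an unflagged record, so full length counts."""
    if not verify_password(record, old):
        return None
    return hash_password(new)


if __name__ == "__main__":
    # Old behaviour from the post: PASSword accepted as password, password1234 as password12#$.
    print(old_login_ok("PASSword", "password"), old_login_ok("password1234", "password12#$"))

    # New behaviour: exact case and full length required.
    rec = hash_password("PASSword")
    print(verify_password(rec, "PASSword"), verify_password(rec, "password"))

    # Phase-in: a migrated row still honours the first-10-character rule ...
    legacy = migrate_legacy("password1234")
    print(verify_password(legacy, "password12#$"))
    # ... until the user sets a new password, after which the whole string matters.
    fresh = change_password(legacy, "password1234", "correct horse battery staple")
    print(fresh is not None and not verify_password(fresh, "correct ho"))
```

The database row holds only `salt` and `digest`; a dump of it yields nothing directly usable as a password. Case sensitivity and full-length comparison fall out of hashing automatically, since any change to the input changes the digest.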

As mentioned before, changing the way passwords are stored and used on our site and in our apps affects virtually everything we do:

  • Obviously, logging into your account on our website is affected.
  • Viewing the list of books you own from inside one of our apps depends on PocketBible being able to log into your account.
  • Synchronizing your notes/highlights/bookmarks with the Laridian Cloud depends on PocketBible being able to log into your account.
  • PocketBible for Windows Desktop uses an older version of synchronization with our iPocketBible.com server, which differs from what the other apps use and takes a different path to log into your account.
  • Requesting a password-reset link from our site works the same way as before but internally is significantly different.

As a result, there could be problems in some remote corner of one of our apps or on our website that we haven’t discovered yet. If you run into any problems, contact us at support@laridian.com.

Reading Through the Bible in 2020

Every year, our church encourages members to start a program of Bible reading with the goal of reading the entire Bible by the end of the year. Each month we all exchange emails with progress reports and are encouraged to keep going. Despite the planning, the encouragement, and the reminders, about half of those who start don’t finish.

The NIV Bible contains 753,429 words. Divided into 365 equal readings, that would be 2064 words per day. The average person reads at a rate of 200-300 words per minute. If you’re a college graduate, you probably read around 450 words per minute. So reading through the entire Bible can be easily done by most people in 4-1/2 to 8-1/2 minutes per day. Certainly less than 10 minutes.

So why do so many people fail at keeping this goal? The time itself is not the problem; we all have 5-10 minutes sometime in our day to read the Bible. Here are some suggestions on how to get through the Bible this year.

Make it a part of your morning ritual.

We all have a list of things we do like clockwork every day. Wake up. Shower. Shave. Brush teeth. Get dressed. Have breakfast or at least a cup of coffee. Check email and social media. Go to work. The next day it repeats. Maybe on the weekend it happens later in the morning, but it happens.

Put your Bible reading on that list. In my case, I make a cup of coffee and sit down to make my first pass through email, Facebook, and moderation of my church’s email prayer/announcements list. It was easy to add 5 minutes of Bible reading to that schedule.

For you it might be 5 minutes before you even get out of bed. Or while you eat breakfast. The important thing is to find it a place in your morning ritual so that it becomes habitual.

Use PocketBible on your phone or tablet.

You might think this goes without saying, since it’s coming from Laridian, but it’s a valuable point to make. Laridian offers a number of free and low-cost Bible reading plans and devotionals for PocketBible and makes it easy to access each day’s reading and keep track of your progress. Simply tracking your progress by marking each reading as complete will motivate you to keep going and help you catch up if you get behind.

In addition, for most of us, our phone or tablet is with us all day. This makes it easier to take advantage of break-time, commute-time, standing-in-line-time, and other moments in our day to do our Bible reading. Instead of Candy Crush or Facebook, spend those minutes getting your Bible reading done.

Be realistic.

Figure out how much time you want to devote to the Bible and schedule your reading appropriately. 5-10 minutes will get you through the Bible in a year. 10-15 minutes will get you there in 6 months. Don’t set out to get through the whole thing in a month unless you have an hour each day to set aside for Bible reading.

Try a different translation of the Bible.

Because PocketBible reading plans are not tied to any one translation of the Bible, you’re free to experiment with something different. My previous reads through the Bible have always been in the KJV or NIV. So last year I tried the Christian Standard Bible (CSB). This year I’m using the World English Bible (WEB). (Note that neither the CSB nor the WEB is compatible with the Windows versions of PocketBible, but both work fine in the Android, iOS and Mac OS versions.)

I think the unfamiliar wording of familiar verses helps me comprehend the passage better. For example, the WEB uses “Yahweh” where the KJV, NASB, and NIV all use LORD. Encountering “Yahweh” in the text seems to make God more personal to me – as if he’s more of a character in the story with his own plans, motivations, and ways of interacting with the people I’m reading about. When I just see LORD in the text, he seems to just blend in and is more of a nameless force or entity in the background. It’s a subtle but important difference in the way I’m perceiving the text.

Last year I ran into the phrase “half the tribe of Manasseh” (vs. the more familiar – to me – “half-tribe of Manasseh”). I found this confusing, since I had always assumed the “half tribe” title was because Manasseh and his brother Ephraim shared the inheritance of their father Joseph (each was half the tribe of Joseph). Running into this wording in verses such as Deuteronomy 3:13 caused me to realize the title is based on the fact Moses gave land on the east side of the Jordan to half the tribe of Manasseh and land on the west side to the other half. The important point here being that running into an unfamiliar phrase caused me to stop, ask the question, and go looking for an answer.

Don’t tell anyone, but it’s OK to skim some passages.

I had a person tell me that they were doing fine reading through the Bible until they got to “the part with all the ‘begots’”. To be honest there aren’t that many of these, but they are mind-numbing. Come back some time and look at the names in those lists and try to learn more about them, but if those lists are what’s keeping you from getting through the rest of the text, just scan ahead to where the story picks up and keep reading from there.

You may run into other places you just can’t get through. I get bogged down in the various sacrifices, dimensions of buildings, descriptions of furniture and draperies, and quantities of items plundered in battles. It’s OK to skip ahead a few verses. None of these are that long. Don’t let a verbal description of an architectural diagram keep you from finishing your reading.

Read it in a different order.

The order in which the books of the Bible appear isn’t ideal for reading through from start to finish. The Old Testament is ordered by genre – first the books of Moses (the Pentateuch), then history, wisdom/poetry, major prophets, and minor prophets. The New Testament follows a similar model, but more by author – first are the gospels; then history; letters from Paul (kind of in order by length, longest to shortest); the letter to the Hebrews (which some argue was written by Paul, but the author is generally considered to be unknown); letters by the apostles James, Peter, John, and Jude; and finally the New Testament’s only book of prophecy.

This year I’m reading through the Bible in chronological order using The Harmony Bible. The author of The Harmony Bible has rearranged the text so that you read about events in the order they occurred, not the somewhat random order that they appear in the Bible. So Job is inserted into the Genesis narrative. David’s psalms are inserted into the stories of his life. The prophets are inserted into the historical narratives, primarily in the books of Kings and Chronicles. In the New Testament, letters to the churches are intermingled in the book of Acts.

Other alternatives include reading a little from the Old and New Testament each day, which is what I did last year.

Some of the devotional books for PocketBible include short commentary or homiletic passages for each day. These can provide context for the passage and help you find application for what you’re reading in your daily life.

Be accountable.

I have really benefited from my email group that is made up of people who are all reading through the Bible at the same time. Find some other people in your church who want to read through the Bible. Meet together or at least exchange emails throughout the year to discuss what you’re reading. Encourage each other to keep reading. Ask your partner what was in those passages you only skimmed. 🙂

Don’t stop.

If you miss a day, keep reading the next day. PocketBible lets you adjust your reading schedule to account for missed days. If it ends up taking you an extra couple of days or weeks to get through the whole thing, that’s fine. Nobody’s keeping score. Don’t let a missed day derail your entire year. Just keep going.
