|NAF Q1 Security Release 2015 – April 8, 2015
NAF Will shortly undergo a security maintenance release. The following changes will take place the morning of April 8, 2015 between 5 and 7 AM EST. There will be no access to websites that are behind NAF for the duration of the update. This includes but not limited to REALTOR Link® and WEB Forms®.
What is in this enhancement:
Moving forward from the day of release, any plain text passwords received by CREA will be salted and hashed (obscured) before being stored in CREA’s database. Any passwords already obscured before being uploaded will not be hashed a second time by CREA. This process will ensure that CREA is no longer aware of any password values. As a result, CREA will no longer have the capability to email forgotten passwords.
NAF Profiles and Permissions
CREA publishes a NAF web service that supplies profile and permissions information regarding Individuals in CREA’s Database. Moving forward from the day of release, rules will be added to limit the group of users available for this service. Integrated applications will only be able to request information regarding users that have logged in to applications registered to a common board, within the last 24 hours.
This change is to restrict the use of NAF by unregistered sites. All currently unregistered sites from legitimate sources will be registered in advance of the release. Moving forward from the day of release, NAF will ensure that all requests from unregistered domains will generate error messages.