A handful of our friends had some issues with a bad actor recently. Someone got a hold of their password and reset their (hard worked) statistics. This prompted us to add the following functionalities:

2-Factor Authentication​

A password alone can be revealed via numerous methods. After all, it’s just a bit of text. If someone gets your password, normally they can do whatever they want to your account. When you add a 2-Factor Authentication (2FA) in the mix, you get an extra step before you’re allowed to log in. It’s not dependent on your password alone, but a time-based code which is generated by a password manager, or an authenticator app on your phone.

Starting today, you can set up 2FA on your WhatPulse account. Here’s more information on how to do just that.

When you’ve enabled 2FA you’ll be prompted for an extra One-Time Password

2FA is in (semi-)beta. We’ve tested it thoroughly, but would like to see some of you use it before we pull off the ‘beta’ label. ;-) Let us know if you have any issues!

Notifications on Login​

The second feature we’ve added is a simple one: get notified when a login happens on your account. You’ll instantly be in the loop when a login happens, so you can monitor activity on your account.

After getting requests to support different social network platforms besides Facebook (plus the fact that Facebook suddenly broke our client login system), we’ve been revamping the login system to support multiple platforms: Facebook, Google, Twitter, and LinkedIn.

Enter WhatPulse 2.8.4b1​

For this, the client needed to be changed, which is now in beta. WhatPulse 2.8.4 beta 1 is currently on the updater feed (enable “Include beta versions updates”) which makes use of the new system. We’ll walk you through the process below:

Logging into the client​

Starting 2.8.4b1, whenever you want to log into the client you will get redirected to whatpulse.org to do the actual login (the client will open a browser). You can still choose between using an existing account or register a new one.

Login options​

If you’re already logged into the website you will get redirected to the page where you can authorize your client right away. But if you need to log in or create an account, you’ll see the login prompt. As you can see to the left, you can choose between the native WhatPulse login or the 4 available social network login.

Authorize your client​

When logged in, you will get the option to authorize your client by using an existing computer name or create a new computer name.

*Left: a dropdown of all your existing computer names. Right: input a new computer name.*

Other stuff in 2.8.4b1​

The new login system isn’t the only thing changed in 2.8.4b1, it will also recognise the newer Apple computers (type & year) and it has updated support for OpenSSL v1.1 (which Linux users will appreciate). The next beta version will also include support for MacOS Mojave (10.14).

We appreciate your feedback, let us know in the forums what you think about the new login system!

While this is mostly a maintenance release, I couldn’t keep myself from address a couple of feature requests from you guys. I’ll highlight the major changes below and you can find the entire release notes here.

Security​

Sometimes we just have to talk about security. This is one of those times. WhatPulse takes security and privacy pretty seriously, ranging from backend security controls and monitoring to giving you complete control on whats counted and what’s public. In our 15th years (!!!) of existence, we haven’t had any issues.

This update addresses 2 security concerns that we discovered in the last couple of months.

1 — Passwords One is about your password. We don’t save your password, we save a hash of that password so we can compare hashes when you’re trying to login. We had a lot of portability concerns, because that hashing had to be the same on the website and the clients (Windows, MacOS & Linux). That meant the hashing method was held back by the lowest denominator and therefor wasn’t as accurate as we’d hoped. The result was that it only looked to the first 9 characters of the password. If you have a 10 character password, you’d be able to change the 10th character and still get in. Not that earth shattering, but still not what you’d expect.

So, we centralised the hashing and started using the securest modern hashing method we could find.

TL;DR: logins now looks to more then the first 9 characters of your password. Thanks to Caboose700 for the initial report.

2 — Client to website communication The second item on the agenda is the client to website communication. Meaning stats pulses, logins, account refreshes, stuff like that. This communication goes over HTTPS, so it is by default encrypted over the internet.

An awesome user (who rocks, but wishes to stay anonymous — you know who you are!) reported a way to see into the requests from the client to the website, depending you were in the same network as the clients computer and do some hacking magic. Basically they would be able to see what stats you were pulsing. While this is a corner case and pretty unlikely to happen, but as I said — we need to take security seriously.

This update makes sure someone else can’t look into your pulses (unless you make them public on the website) and enables end-to-end encryption.

TL;DR: The client talks more securely to the website.

Phew, security stuff out of the way. Here’s some more fun stuff.

Easier & Quicker Startup​

There have been a couple of changes which make the client startup faster. But it’s also become easier. Why? For one, the client now saves your local settings to the website, so whenever you reinstall the client (or your entire computer) — the client will now ask you if you want to download your old settings. No more manual work. Also, if you’re installing on a brand new computer, the client will present a setup wizard (not Merlin) so that you can quickly set your preferred settings.

Setup wizard. Click headings to show more quick settings.

Other Mentionable’s​

People with high resolutions on should be happy about this one: the text and images in the client don’t look HUMONGOUS anymore.

Also, sometimes in 2.8.1, the keyboard heat map wasn’t loading. We called its mother and it has promised to load each time now.

I’ll close with this other cool addition, which has had me kick myself on not doing this sooner. All the date picker widgets now have a “custom” option on it, where you can select a custom date range for the period you want to see.

I’ll leave it at that for this post, but if you’d like to see all changes — check out the release notes.

As always, you can use the “Check for Updates” button in your settings page to update your current client, or download the installer and update that way.

The system behind these emails was in need of an overhaul. Because it is so popular, the amount of email it sends has been rapidly growing. This has led to a few quirks in the system. It sometimes forgets to send certain people their email and about 1% of the calculations were off. So, time for an overhaul.

I’m proud to present the new version of the Weekly Update emails, with a new and robust system behind it. Check out the new format:

As you can see it contains the same information as the old format, with a few additions. You can now quickly see how you did compared to the previous week. How cool is that?!

Also, don’t panic — but this new report will start appearing in your inbox on Thursday, instead of Friday. Next Thursday will be the first run.

We’ve also made sure that we’ll be able to add more stats to this weekly gem. Stay tuned!

Milestones In WhatPulse 2.8, Milestones were introduced. Milestones are an easy way to remind you to take a small break every hour, or to reward yourself with a cup of coffee once you’ve reached your goal. To get started, check out this article.

Computer History Computer information has been a feature for a while, and now we’re extending it to include Computer History. This new feature allows you to keep track of changes made to your hardware and Operating System over time!

Answer the question; "did that OS upgrade cause my computer to act funny, or did something else?". You can find your history when you click on one of your computers in your public profile. Here’s an example:

CyberMonday 2017 It’s become a tradition on the internet to celebrate CyberMonday after the American Thanksgiving. We have a lot to say thanks for, including you. That’s why we’re chipping in to CyberMonday with a free 2 month Premium membership. All you have to do to redeem is click below! (the code expires on December 1st)

Redeem free Premium here

We hope you have a wonderful holiday season, and Stay Geeky!