New Feature: SSL logins for everyone

Tonight we pushed an update that includes SSL logins for everyone. Plus, Premium, and Max plans remain SSL secure full time, but now Free, Personal, and Basic plans also include SSL on the login screen. This means your username and password are extra secure when you log into your Basecamp account. SSL connections are represented by either a lock icon in your browser or URLs starting with https:// instead of just http://. Plain http:// connections will automatically be redirected to https:// connections for login. Once you’re logged in you’ll either stay on https:// if you are on Plus, Premium, or Max, or be redirected back to http:// for the rest of your session. The “s” in https means “secure”. Confused yet? ;) You don’t need to worry about the technical details. What’s important is that your username and password are now kept extra secure when logging into Basecamp. This is a good thing for all Basecamp account holders. We hope you find the added security on login valuable. We hope it helps you feel more comfortable and secure when logging into your Basecamp account. Thanks for your continued support. Note: We also pushed this feature live for Highrise, our web-based contact manager and simple CRM tool.
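The redirect policy the announcement describes, written out as an added example (not 37signals code): the login screen is always upgraded to https, full-time SSL plans are upgraded everywhere, and login-only plans are sent back to http once the session is authenticated. The `/login` path and lower-case plan names are assumptions; the announcement names neither.

```python
from urllib.parse import urlsplit, urlunsplit

# Plans that, per the announcement, stay on SSL for the whole session.
FULL_TIME_SSL_PLANS = {"plus", "premium", "max"}
# Plans that only get SSL on the login screen.
LOGIN_ONLY_SSL_PLANS = {"free", "personal", "basic"}

LOGIN_PATH = "/login"  # assumed path; the announcement names no URL


def with_scheme(parts, scheme):
    """Rebuild a split URL with a different scheme, keeping host, path and query."""
    return urlunsplit((scheme,) + tuple(parts[1:]))


def redirect_for(url, plan, logged_in):
    """Return the URL this request should be redirected to, or None to let it proceed.

    url:       the requested URL (scheme, host, path, query)
    plan:      account plan name, assumed lower-case
    logged_in: True when the request carries an authenticated session
    """
    plan = plan.lower()
    if plan not in FULL_TIME_SSL_PLANS | LOGIN_ONLY_SSL_PLANS:
        raise ValueError(f"unknown plan: {plan}")

    parts = urlsplit(url)
    scheme, path = parts.scheme, parts.path or "/"

    # The login screen is SSL for every plan: upgrade any plain-http request.
    if path == LOGIN_PATH:
        return with_scheme(parts, "https") if scheme == "http" else None

    # Plus/Premium/Max stay on https for the whole session.
    if plan in FULL_TIME_SSL_PLANS:
        return with_scheme(parts, "https") if scheme == "http" else None

    # Free/Personal/Basic: after login the rest of the session runs over http,
    # so an https request for a non-login page is sent back to http.
    if logged_in and scheme == "https":
        return with_scheme(parts, "http")
    return None
```

The last branch makes visible what the comment thread below asks about: for login-only plans, everything after the login screen travels over plain http.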

Cool! Does this affect API requests? It looks like I’m good to still use http for a non-https enabled account for API requests so I would presume the API is not affected? /burning the midnight oil all weekend long to try to get something launched next week, hoping for no new issues…

Nope, doesn’t affect the API.

While it doesn’t impact my sites (Plus accounts) I think this is a good move by 37s … good on ya.

I’m not seeing https or any lock icon. I am on a Plus account too. Highrise shows the lock though, just not Basecamp.

Nick, are you sure you haven’t disabled SSL for your account entirely? Log in, click the Settings tab, and make sure SSL is on. If it’s not then it’s going to override any SSL on your account.

Oops, well that was an easy one for you. :) If I can have a 37signals implant for my brain then I may be able to think straight on a Monday morning.

Are there plans to stop sending passwords in the clear via email (especially for the account owner)? Doing so seems like a bigger potential security issue than logging in without SSL. Not to say that SSL logins aren’t spiffy – every little bit helps!

Nathaniel: We do have plans to make some changes there, yes, but they are fairly deep changes that are going to take some more time. This was a much quicker win for everyone (us and our customers) so we started here.

I’d enable SSL on my account but it simply slows down the application too much.

Yup, SSL is slower. That’s just the nature of the beast unfortunately. It’s a trade of speed for security.

Just curious, I’m assuming that while login is secure, the content that is going over the wire while updating writeboards, to-do lists, etc. is still transparent to the ISP / network you’re using? The scenario I’m curious about is whether a company might mine its proxy logs to see ‘basecamp’ users.

Thanks for telling us you were doing this. As a result, those with ‘cookies’ that auto-load an ID and password in our browsers were effectively ‘locked out’ until the passwords were able to be recalled. I have several Basecamps I needed to post to prior to getting on a plane and I couldn’t do it. Next time I hope you’d let us know of your imminent changes that could wreak havoc with others’ ability to use your (normally great) system. I’m disappointed in the lack of consideration you exercised in how you handled this . . . and I pay you for the privilege of not being disappointed by what could have so easily been communicated and avoided. Next time you get the notion to make changes Thank you.

Bill: Sorry this disrupted your flow. If you ever forget your username or password we have a “Forgot username/password” link on the login screen that is entirely self-serve. The email is sent instantly and you should receive it in under a minute. In general, relying entirely on a browser to remember your login credentials is not recommended for any password-protected system. Your browser can crash, autofill can be replaced by new values by accident (this happens to a lot of people a lot of the time), your computer can be damaged, you might be offsite and have to use someone else’s computer to get online. If you don’t remember the username and password you created you will be entirely locked out of the system. It’s important you know your credentials since these are entirely unique to you. Autofill is a convenience, but when it’s the only way to get into something it can be a problem. Trust me, I’ve been there ;) Either way, we’re sorry this was an inconvenience for you. We’ll keep this in mind for future releases.

Point taken, Jason. And I can’t live without Basecamp . . . so don’t worry about loyalty! My concern was that people on my projects and I on other Basecamp projects didn’t get the ‘self-serve’ option. Only the account holder receives that. Nonetheless, I hear you about the browser-memory idea. I’ll note the logins in a separate file. Thank you. Keep up the good work. Love the HighRise! Simply elegant and elegantly simple! ;-)

I’m late to the party, but being someone who requested exactly this feature, I want to thank you for the addition.

The red box is ugly and annoying BUT in our case, it does nag at us to get things done. It would be nice if it could be toggled so everyone can be happy… Basecamp has altered our lives – really, we did not do well without it. I can do without autofill – it can be more trouble than it is worth. Keep up the great work – your apps are really valuable in a world of useless apps.

Re: forgot username and password… as the owner of an instance with over 100 users, I sometimes get these messages sent to me with my username and could never figure out why. Today I did. Guess some people can’t read. The last sentence on the login page says “If you are _, we can send you your user name.” Since this is the only link, and people are clearly frustrated at this point, they just click. Perhaps this box could be revised to say: Did you forget your username? “If you don’t remember your username, please contact _ (your account administrator).” And make “contact _” a mailto: hyperlink, so that people can easily send that email. Then put the part that says “If you are ___, we can send your username to the email address we have on file.” below, as a new paragraph, so that people will see it visually separated. And, hopefully, they will then click on the first link, which will actually get them results.
