About password security and encryption

We take the responsibility of securing passwords very seriously. Below are several key points on our architecture:

  • Each stored password is encrypted with AES-256 under a secure random key that is unique to that password; that per-password key is in turn encrypted with a 2048-bit RSA public key that is unique to each customer (an envelope-encryption scheme).
  • The RSA private keys are themselves encrypted with a secure, random passphrase and stored in an isolated storage bucket that is locked down so that only the servers that perform decryption can read it.
  • Decryption takes place server-side, but neither the private keys nor their passphrases are stored in the database; the private keys live only in the secured bucket reachable from the decryption servers. Encryption is a two-step process: each password is encrypted with AES-256 under its own random key, and that key is then encrypted with the account's public key, so recovering it requires the account's private key plus the separate passphrase, which is not stored in the DB.
  • Decrypted password data is never written to disk.
  • To decrypt the data, an attacker would effectively need to obtain every element of this chain (the database records, the private key from the bucket, and its passphrase), so compromising any single component is not enough: an attacker who somehow obtained the encrypted data in our database could not decrypt the passwords without the other pieces. The web servers themselves are also locked down with multiple firewalls, whitelisting of incoming and outgoing traffic, key-based access, and so on.
  • All access to the IT Glue app is over HTTPS with strong TLS encryption.
  • Access to passwords can be controlled at a granular level by limiting access to any combination of users and groups.
  • All password changes are version controlled and immutable, with full roll-back capabilities.
  • Revealed passwords only remain visible for a short time, with each reveal resulting in an audit trail entry.
  • A strong random password generator is built in (32 characters by default).
  • In addition to password encryption in transit and at rest, we also operate a SOC 2 security assurance program.
  • With optional multi-factor authentication (MFA) enabled, a user cannot log in to the app and view any passwords without their username, their password, and the second factor from their registered virtual MFA device, thereby securing MFA-enabled IT Glue IDs.