We monitor industry best practices and real-world threats to ensure the highest possible level of protection for your data. Here’s how Evaluāt protects your passwords.
A product is only as good as its reputation, and the Evaluāt platform’s reputation hinges on our ability to protect the data that our users share with us. We’ve built Evaluāt with security and privacy in mind, and we’re proud of that. Here’s a technical look at how Evaluāt protects passwords for our users.
Updated: September 2016
Why We Care So Much
Why do we take password security so seriously? Because those companies that don’t often end up hurting their users.
In October 2013, attackers stole roughly 152 million Adobe user records containing email addresses and passwords, and countless other examples abound. Researchers who examined the dump found that the passwords had been encrypted with a single key using 3DES in ECB mode rather than hashed and salted, so every user who chose the same password had the same ciphertext, and the plaintext password hints stored beside them made many of those passwords trivial to recover. Because many people reuse passwords across websites, the affected users’ Twitter, Facebook, and other accounts were also at risk.
And that attack hits even closer to home. Among the accounts compromised in the Adobe breach was that of Evaluāt co-founder Lee Emmert. Fortunately, he uses a different password for every account and so was not adversely affected. That said, it is not an experience he would wish on anyone else.
For those universities that use our login system, we don’t store your password. Instead, we store a hash of your password. Read on below for the details.
For our users at universities that integrate Evaluāt with Shibboleth, CAS, OpenID, OAuth, or a similar federated authentication system, we never even see your password. It never leaves your university environment: your university checks your username and password and simply tells us that you are an authorized user. The one exception is a direct LDAP integration, where Evaluāt has to relay the password you type to your university’s directory server to perform the bind; even then it is used only for that check and is never stored.
What is a Hash?
A “hash” is a fixed-length, one-way fingerprint of your password, produced by a hashing algorithm; for simplicity we call it a “signature” below, although it is not a digital signature in the cryptographic sense. Simply put, we don’t store your actual password, just an irreversible signature of it. We use the bcrypt password hashing algorithm to hash the password you choose at signup, store only that hash, and compare against it when you log in.
When you log in, we run the password you enter through the same bcrypt hashing algorithm and create a signature for it. Then we compare that signature with the signature we have on file. If they match, you’re in! If not, you have to try again. In either case, we don’t keep any of the passwords you enter.
We also use a salt. A salt is a random string that bcrypt generates for each password and mixes in before hashing, and it is stored, in the clear, as part of the resulting hash. The salt is not a secret and does not need to be. Its job is to guarantee that two users with the same password end up with different hashes, and to stop an attacker from precomputing a table of hashes for common passwords and looking up every stolen hash in it: with a unique salt per password, each hash has to be attacked on its own.
In addition to the per-password salt, bcrypt has an adjustable “cost,” or work factor. The cost is not a key length; it is the base-2 logarithm of the number of key-setup rounds bcrypt performs, so raising it by one doubles the time needed to compute a single hash, for us and for anyone trying to guess passwords against a stolen hash. We set the cost as high as our servers can reasonably support while still answering your login promptly. The great thing about bcrypt is that the cost is recorded inside the hash alongside the salt, so as servers improve we can raise it over time. An existing hash cannot be strengthened without the password, so the upgrade takes effect when each user next logs in and the freshly entered password is rehashed at the new cost. This keeps the hashes hard to reverse as attacker hardware improves.
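The following is an added example, not Evaluāt’s code, showing the mechanics described above in a form you can run: a self-describing password record that carries its own salt and cost (the same shape as bcrypt’s `$2b$<cost>$<salt><hash>` string), constant-time verification, and the cost-upgrade-on-login step. Because bcrypt is not part of Python’s standard library, PBKDF2-HMAC-SHA256 from `hashlib` stands in for it here; the storage format, the per-password random salt, and the rehash logic are independent of which slow hash sits underneath. The cost value of 14 and the record format string are assumptions for the example.

```python
"""Salted, cost-tunable password storage in the style of a bcrypt record.

Added example, not Evaluāt's code.  bcrypt is not in Python's standard
library, so PBKDF2-HMAC-SHA256 stands in for it; the record format,
verification and cost-upgrade logic are what the article describes.
"""
import base64
import hashlib
import hmac
import os

# Work factor on the same log2 scale bcrypt uses: iterations = 2 ** cost.
CURRENT_COST = 14   # assumption: tuned so one hash takes ~100 ms on the server
SALT_BYTES = 16     # bcrypt also uses a 128-bit random salt
DIGEST_BYTES = 32
SCHEME = "pbkdf2-sha256"   # assumed label; bcrypt records carry "2b" here


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def _derive(password: str, salt: bytes, cost: int) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, 2 ** cost, DIGEST_BYTES
    )


def hash_password(password: str, cost: int = CURRENT_COST) -> str:
    """Fresh random salt per password.  Salt and cost are stored in the clear
    next to the digest, as bcrypt does: the salt is not a secret, its job is
    to make identical passwords hash differently and defeat precomputed
    tables."""
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, cost)
    return f"${SCHEME}${cost}${_b64(salt)}${_b64(digest)}"


def _parse(record: str):
    _, scheme, cost, salt, digest = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown password hashing scheme")
    return int(cost), _unb64(salt), _unb64(digest)


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the salt and cost read out of the record, then compare
    in constant time so a mismatch leaks nothing about how much matched."""
    cost, salt, digest = _parse(record)
    return hmac.compare_digest(_derive(password, salt, cost), digest)


def needs_rehash(record: str, cost: int = CURRENT_COST) -> bool:
    """True when the stored record was made with a lower cost than we now
    want.  A hash cannot be strengthened without the password, so the
    upgrade can only happen at a successful login."""
    return _parse(record)[0] < cost


def login(password: str, record: str, cost: int = CURRENT_COST):
    """Returns (authenticated, record_to_store).  On a successful login
    against a stale-cost record, the second value is a fresh record at the
    current cost that the caller should write back to the database."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, cost):
        return True, hash_password(password, cost)
    return True, record


if __name__ == "__main__":
    # Constructed sample: a record created "years ago" at cost 10.
    old = hash_password("correct horse battery staple", cost=10)
    print(old)
    print(verify_password("correct horse battery staple", old))   # True
    print(verify_password("Tr0ub4dor&3", old))                    # False
    ok, new = login("correct horse battery staple", old, cost=12)
    print(ok, new != old, needs_rehash(new, cost=12))             # True True False
```

Two details are worth noting. Hashing the same password twice gives two different records because each call draws a new salt, and `login` only rehashes after `verify_password` has succeeded, because that is the only moment the plaintext is available to hash at the higher cost.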
Protecting Passwords at Evaluāt
We continue to monitor both industry best practices as well as real-world threats. As techniques for hacking or remediation improve, we will adjust our strategies to compensate.
Keep checking back for the next article in this series on how we safeguard the privacy and security of our users. Please ask any questions you have in the comments; we’re happy to answer!
If you are a current Evaluāt user, or are considering Evaluāt for your organization, you may wish to share this post with your technology department. As always, the Evaluāt team is here to answer any questions that may come up, so feel free to send us an email or give us a call.