Protecting your privacy and securing your data is our number one priority. Your pass phrase is encrypted twice before it is stored on the server to prevent anyone but you from recovering the stored pass phrase. The system is designed so that recovering a pass phrase requires action from two people: the person that created the key and a senior level server technician. Neither person can recover the pass phrase without the cooperation of the other person. The system is also designed so that only the creator of the pass phrase can view the pass phrase once it is recovered.
Why Pass Phrase Recovery is Secure
We use two layers of encryption around the stored pass phrase to offer an extremely high level of protection. The outer layer requires our 3072-bit private key to decrypt. This private key is encrypted by our master pass phrase recovery password, which is never written down and is known to only a handful of people who have passed very extensive background checks. Even those who know the master pass phrase recovery password cannot view your pass phrase because of the inner layer of encryption protecting your pass phrase.
Decrypting the inner layer of encryption requires knowing the answers to your security questions. The security questions themselves are only protected by the outer layer of encryption (the few people with access to the private key have access to your security questions). Thus, you should choose questions that are difficult for another person to answer (and yet will be something you will never forget). The more questions you use the harder it is to break the inner layer of encryption. Each additional question makes it exponentially more difficult. We recommend using at least four security questions to protect your pass phrase. The answers to your security questions are only used to encrypt the pass phrase and are never sent across the Internet, stored on the server, or remembered by the backup software.
In accordance with the widely accepted principle that "security through obscurity" cannot be solely relied upon for the security of a system our algorithm to securely escrow your pass phrase and the recovery process are detailed in the product documentation, which can be viewed after you accept our license agreement.
Posted by Kevin Hoffman on May 22, 2006 06:55 PM