Encrypted backups
15 July 2012
During the last few weeks we've been working on making our backup process and storage more secure. You might have heard recently of a number of cases where passwords have been exposed by hackers on websites including LinkedIn, Last.fm, and most recently Yahoo!.
So what have we done exactly?
All passwords stored in your database will now be hashed using bcrypt, which is based on the Blowfish cipher, rather than the older MD5 standard. The advantage of bcrypt for password hashing is that the algorithm is slow by design, thus thwarting most brute-force dictionary attacks.
By slow we mean it can take around 1/10 of a second to generate or to test a single password. This means that if the contents of your database are ever exposed, it is highly unlikely that user login details will be compromised.
We still encourage use of 'strong' passwords and keeping them safe by not writing them down or sharing them with others.
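The sketch below is an added example, not code from our system: it shows how a slow hash is tuned to cost about 1/10 of a second per test, and what that cost means for a dictionary attack on an exposed database. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in as the tunable slow hash; all function names and sample passwords are assumptions.

```python
import hashlib
import hmac
import os
import time

TARGET_SECONDS = 0.1  # the post's figure: about 1/10 s per password test

def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt (stdlib only).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def calibrate(target: float = TARGET_SECONDS, start: int = 10_000) -> int:
    """Double the work factor until one hash takes at least `target` seconds."""
    iterations, salt = start, os.urandom(16)
    while True:
        t0 = time.perf_counter()
        slow_hash("calibration", salt, iterations)
        if time.perf_counter() - t0 >= target:
            return iterations
        iterations *= 2

def make_record(password: str, iterations: int) -> dict:
    """What gets stored: a per-user random salt, the work factor, the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": slow_hash(password, salt, iterations)}

def verify(password: str, record: dict) -> bool:
    candidate = slow_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time

def md5_rate(seconds: float = 0.2) -> float:
    """Plain MD5 computations per second on this machine (the old scheme)."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        hashlib.md5(b"constructed-guess-%d" % n).digest()
        n += 1
    return n / seconds

def wordlist_hours(words: int, seconds_per_guess: float) -> float:
    """Time to test every word in a list against ONE salted hash."""
    return words * seconds_per_guess / 3600

if __name__ == "__main__":
    cost = calibrate()
    rec = make_record("constructed sample password", cost)
    print("work factor:", cost, "verifies:", verify("constructed sample password", rec))
    print("MD5: %.0f hashes/s; slow hash: about %.0f/s" % (md5_rate(), 1 / TARGET_SECONDS))
    print("1M-word list: %.1f h per user" % wordlist_hours(1_000_000, TARGET_SECONDS))
```

Because each record carries its own salt, the per-guess cost is paid again for every user, which is why a weak password still falls quickly while a strong one does not.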
Secondly, we have moved to a new backup system which creates daily incremental, encrypted backups. The encryption in this case uses PGP data encryption, meaning that only people with access to a specific key and passphrase can access file contents.
Again, this is to ensure that if our backup files, which are stored in various onsite, offsite and online locations, are exposed, no one else will be able to read the contents.
Word of warning
Regardless of any steps we take to protect your passwords and data, they can always be compromised by:
- writing down or sharing your password;
- using passwords that can be easily guessed;
- logging in from a virus-infected computer (at home or abroad); or
- using the same password for multiple websites.