Zegami account and password security

Managing your Zegami account, password and information security

Because we work with a diverse range of customers and process data from sectors including health care, scientific research, manufacturing and human resources, we take security very seriously.

All user passwords are stored as a one-way hash. This means that passwords are not saved in plain text and cannot be reversed back into the original text by any algorithm (unlike encryption, which can be reversed with a key).
All passwords must be longer than 8 characters, and common patterns such as repeating the username are prohibited.

If you suspect that your account may have been compromised then immediately get in contact at help@zegami.com.

To ensure our public endpoints and user interfaces are secure from attack, we have undergone penetration testing by a certified third-party supplier. During testing they attempted multiple attack vectors in order to compromise our systems and expose sensitive information. The issues and recommended best practices identified during this testing have all been documented and addressed.

Zegami has a dedicated authentication service which is responsible for issuing auth tokens that client applications then use to access services. The authentication service adheres to the OAuth2 Bearer token spec and has specifically been designed to be separate from the authorisation service, so that it can be swapped for a customer-specified OAuth provider such as:

  • Active Directory Federation Services (ADFS)
  • Azure Active Directory
  • Social authentication providers (via OAuth2)

Zegami uses Macaroons for its tokens, which offer a flexible credential system. We then add caveats to the token which are used for authorisation. Tokens expire 2 hours after issue. Once expired, a token is invalid and users will be redirected to sign in again.
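The two paragraphs above describe Bearer tokens built as Macaroons with caveats and a 2-hour lifetime. The following is an added example, not Zegami's code, that implements the Macaroon construction from the original paper (an HMAC chain over the identifier and each caveat), mints a token with an expiry caveat, and verifies it from an `Authorization: Bearer` header. The root key, the `|` wire format, the `time < ...` and `scope = ...` caveat syntax, and the `issue_token`/`verify_token` names are all assumptions for the example.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

ROOT_KEY = b"root-key-held-only-by-the-auth-service"  # constructed for this example
TOKEN_LIFETIME = 2 * 60 * 60                          # 2 hours, as stated on the page

def _chain(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Macaroon:
    """Identifier + ordered caveats + signature. Only the root-key holder can mint;
    anyone can add a caveat (attenuate), because the new signature is derived from
    the old one; nobody can remove a caveat without breaking the chain."""

    def __init__(self, identifier: str, caveats: List[str], signature: bytes):
        self.identifier, self.caveats, self.signature = identifier, caveats, signature

    @classmethod
    def mint(cls, root_key: bytes, identifier: str) -> "Macaroon":
        return cls(identifier, [], _chain(root_key, identifier.encode()))

    def add_caveat(self, caveat: str) -> "Macaroon":
        return Macaroon(self.identifier, self.caveats + [caveat],
                        _chain(self.signature, caveat.encode()))

    def serialize(self) -> str:
        # Assumed wire format: identifier|caveat|...|hex(signature)
        return "|".join([self.identifier] + self.caveats + [self.signature.hex()])

    @classmethod
    def deserialize(cls, token: str) -> "Macaroon":
        parts = token.split("|")
        if len(parts) < 2:
            raise ValueError("malformed token")
        return cls(parts[0], parts[1:-1], bytes.fromhex(parts[-1]))

def issue_token(user: str, now: Optional[float] = None) -> str:
    """Auth-service side: mint for the user and bound the lifetime with a caveat."""
    now = time.time() if now is None else now
    m = Macaroon.mint(ROOT_KEY, f"user={user}")
    m = m.add_caveat(f"time < {int(now + TOKEN_LIFETIME)}")
    return m.serialize()

def verify_token(token: str, now: Optional[float] = None,
                 scope: str = "read") -> Tuple[bool, str]:
    """Service side: recompute the HMAC chain, then enforce every caveat (fail closed)."""
    now = time.time() if now is None else now
    try:
        m = Macaroon.deserialize(token)
    except ValueError:
        return False, "malformed token"
    sig = _chain(ROOT_KEY, m.identifier.encode())
    for c in m.caveats:
        sig = _chain(sig, c.encode())
    if not hmac.compare_digest(sig, m.signature):
        return False, "bad signature"
    for c in m.caveats:
        if c.startswith("time < "):
            if now >= int(c[len("time < "):]):
                return False, "token expired"        # page: expired tokens are invalid
        elif c.startswith("scope = "):
            if c[len("scope = "):] != scope:
                return False, "scope not permitted"
        else:
            return False, f"unknown caveat: {c}"     # unknown restriction => reject
    return True, m.identifier

def bearer_from_header(header: str) -> Optional[str]:
    """Extract the credential from an RFC 6750 'Authorization: Bearer <token>' value."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None
    return value.strip()

if __name__ == "__main__":
    tok = issue_token("alice")
    print(verify_token(bearer_from_header("Bearer " + tok)))          # (True, 'user=alice')
    print(verify_token(tok, now=time.time() + TOKEN_LIFETIME + 1))    # (False, 'token expired')
```

Because the expiry is a caveat inside the signed chain rather than a separate field, a client cannot strip or extend it, and a client that wants a less powerful credential for a downstream service can append a further caveat (such as a scope) without contacting the authentication service.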
