For information on how ORCID is addressing the Heartbeat Bug see Security Update: Heartbeat Bug.
We take the security of the ORCID Registry very seriously. Below are descriptions of some of the security features that we have had in place since our launch:
How do we store passwords?
We do not store passwords in a human-readable form in our databases. Passwords are 1-way hashed using SHA-512 with over 200,000 iterations,and uses a 16-byte salting. It can't be translated back to plain text by anyone who may have access to the database. In fact, we can't even show it back to you once stored, which is why we can't send your password back to you if you have forgotten it. We also added an updated "Forgotten Password" process that provides additional security with the use of a challenge question that you can establish for your account. The answer to your challenge question is encrypted using DES, and can be decrypted so that you are able to see what you have set it to within your account.
Do you encrypt pages and web forms?
We use a 256-bit encryption SSL Certificate on pages used to sign in or register a new user, and whenever the user is using the Registry section of the orcid.org website.
What other security controls do you have?
All systems are protected with local and network firewalls, and are configured in a minimal manner to reduce the footprint of attack. All configuration is stored in version control, so in the event of any compromise, systems can be rebuilt from bare metal with a known-good configuration.
How do you handle privacy?
How do researchers set visibility?
A core ORCID principle is the individual’s control over what information is on their ORCID record and who can see it. Next to each item in the ORCID record, there is a privacy selector, which individuals can use to indicate if the item is public (anyone can see); trusted-party (only seen by organizations they have granted access); or private to the individual. In addition, individuals set a default visibility for all new items added to their ORCID record when they register. This default can be adjusted in their account settings. View the ORCID visibility settings for more information.
How did visibility assignment work previously?
Previously, organizations had limited control over the visibility of items they added to an ORCID record. When posting items to the record via the API, the organization could specify a visibility setting. If they chose to do this, we compared the visibility provided by the organization with the iD holder’s default setting and used the more restrictive of the two. In practice this allowed organizations to post information with trusted party (limited) or private visibility, even if the individual had set their default visibility to everyone.