The website is on a UserVoice platform that has a different privacy policy from our other sites. You may view the details at

How do you keep the ORCID Registry secure?

We take the security of the ORCID Registry very seriously. Below are descriptions of some of the security features that we have had in place since our launch:

How do we store passwords?

We do not store passwords in a human-readable form in our databases. Passwords are one-way hashed using SHA-512 with over 200,000 iterations and a 16-byte salt. The stored hash can't be translated back to plain text by anyone who may have access to the database. In fact, we can't even show it back to you once stored, which is why we can't send your password back to you if you have forgotten it. We have also added an updated "Forgotten Password" process that provides additional security through a challenge question that you can establish for your account. The answer to your challenge question is encrypted using DES and can be decrypted, so that you are able to see what you have set it to within your account.
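The salted, iterated hashing and the login check described above, as an added example that is not ORCID's own code. The page gives SHA-512, a 16-byte salt and over 200,000 iterations; PBKDF2-HMAC as the iteration construct, the `$`-separated record layout and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Parameters taken from the page: SHA-512, 16-byte salt, over 200,000 iterations.
# PBKDF2 as the iteration construct and the record layout are assumptions.
ALGORITHM = "sha512"
SALT_BYTES = 16
MIN_ITERATIONS = 200_000


def hash_password(password: str, iterations: int = MIN_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2-sha512",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> tuple[bool, bool]:
    """Return (matches, needs_rehash) for a login attempt against a stored record."""
    try:
        scheme, iter_text, salt_b64, digest_b64 = record.split("$")
        iterations = int(iter_text)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return False, False  # malformed record: fail closed
    if scheme != "pbkdf2-sha512" or iterations < 1:
        return False, False
    candidate = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    # Constant-time comparison avoids leaking how many digest bytes matched.
    matches = hmac.compare_digest(candidate, expected)
    # A correct password stored under a weaker work factor should be re-hashed.
    needs_rehash = matches and (iterations < MIN_ITERATIONS or len(salt) < SALT_BYTES)
    return matches, needs_rehash
```

Because the iteration count and salt travel with each record, the work factor can be raised later and older records upgraded the next time their owner signs in successfully.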

Do you encrypt pages and web forms?

We use an SSL certificate with 256-bit encryption on pages used to sign in or register a new user, and whenever the user is using the Registry section of the website.

What other security controls do you have?

All systems are protected with local and network firewalls, and are configured in a minimal manner to reduce the attack surface. All configuration is stored in version control, so in the event of any compromise, systems can be rebuilt from bare metal with a known-good configuration.

How do you handle privacy?

We also have a comprehensive privacy policy that governs our use of information that you may share with us either through the Registry, feedback forums, help desk requests, membership inquiries or other ways.

How do researchers set visibility?

A core ORCID principle is the individual’s control over what information is on their ORCID record and who can see it. Next to each item in the ORCID record, there is a privacy selector, which individuals can use to indicate if the item is public (anyone can see); trusted-party (only seen by organizations they have granted access); or private to the individual. In addition, individuals set a default visibility for all new items added to their ORCID record when they register. This default can be adjusted in their account settings. View the ORCID visibility settings for more information.

How did visibility assignment work previously?

Previously, organizations had limited control over the visibility of items they added to an ORCID record. When posting items to the record via the API, the organization could specify a visibility setting. If they chose to do this, we compared the visibility provided by the organization with the iD holder’s default setting and used the more restrictive of the two. In practice, this allowed organizations to post information with trusted-party (limited) or private visibility, even if the individual had set their default visibility to everyone.
