Can Storj Inc see the user password?

Hi,

I’m stj, a very nice and polite guy.

Can Storj the company see my user password? I’m asking because I want to know if I can use the same account password that I use to log into the dashboard website as I use for the encrypted bucket.

No, they can’t see your password or encryption passphrase. But I wouldn’t recommend using the same one. It’s best to use a long passphrase like the automatically generated ones. Those are generated locally in browser, so Storj never sees those either.

Edit: See the post below for why I corrected my above reply. If it’s not implemented as 0 trust, I’m not comfortable saying they can’t see your account password. The recommendation remains the same as always: use a password manager with randomly generated passwords and never reuse passwords (even in the same environment).

3 Likes

We don’t normally see your account password, as we don’t log it and it is stored in an encrypted and salted form. However, we could see it if a rogue employee with the right access wanted to see it. The password is sent to our servers over an encrypted channel, but the server processes it in plaintext form in order to authenticate it. In addition, a sufficiently motivated person working for our cloud computing provider could probably arrange to capture your password.

This is in contrast to your encryption passphrase, which is never sent to our servers (unless you are using the hosted gateway).

So, for security, it is highly recommended that you not use the same thing for your account password and encryption passphrase.

6 Likes

I’m using rclone. What is the hosted gateway exactly?

If you’re using Storj via rclone with storage type "storj", you’re using Storj directly, not through a hosted gateway. Your encryption password in this case is only ever touched or stored on your local computer.

If you’re using Storj via rclone with storage type "s3", you’re using a gateway (and hopefully you know that you are doing so, and that you are using server-side encryption).

3 Likes

You may read more there: Storj-hosted S3 Compatible Gateway - Storj DCS Docs and Design Decision: Server-side Encryption - Storj DCS Docs
You may also run your own Self-hosted S3 Compatible Gateway - Storj DCS Docs; in this case you can use the S3 protocol and still have client-side encryption.
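To check which of the three cases discussed in this thread each rclone remote falls into, the following added example (not part of any post above, and not Storj or rclone code) reads an rclone config and classifies every remote. The sample config is constructed, and treating any `endpoint` under `storjshare.io` as the hosted gateway, or `provider = Storj` with another endpoint as a self-hosted gateway, are assumptions of this sketch.

```python
import configparser
from urllib.parse import urlsplit

# Assumption: Storj-hosted gateway endpoints live under this domain.
HOSTED_SUFFIX = "storjshare.io"

# Constructed sample rclone.conf; remote names and credentials are placeholders.
SAMPLE_CONF = """
[native]
type = storj
access_grant = PLACEHOLDER_ACCESS_GRANT

[hosted]
type = s3
provider = Storj
access_key_id = PLACEHOLDER
secret_access_key = PLACEHOLDER
endpoint = https://gateway.storjshare.io

[selfhosted]
type = s3
provider = Storj
endpoint = 127.0.0.1:7777

[aws]
type = s3
provider = AWS
"""

def endpoint_host(endpoint):
    """Return the lowercase hostname of an endpoint given with or without a scheme."""
    if "://" not in endpoint:
        endpoint = "//" + endpoint  # let urlsplit treat the value as host[:port]
    return (urlsplit(endpoint).hostname or "").lower()

def classify_remote(section):
    rtype = section.get("type", "").lower()
    if rtype == "storj":
        return "native"  # passphrase only touched on the local computer
    if rtype == "s3":
        host = endpoint_host(section.get("endpoint", ""))
        if host == HOSTED_SUFFIX or host.endswith("." + HOSTED_SUFFIX):
            return "hosted-gateway"  # server-side encryption
        if section.get("provider", "").lower() == "storj":
            return "self-hosted-gateway"  # encryption happens where you run the gateway
    return "other"

def audit(conf_text):
    cp = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cp.read_string(conf_text)
    return {name: classify_remote(cp[name]) for name in cp.sections()}
```

Pass the text of your own config (its location is printed by `rclone config file`) to `audit()` to see the result per remote.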