
Security

Engrade takes extensive measures to ensure that storing grades on Engrade is vastly more secure than storing them on any school machine. Engrade has operated since 2003 and has never had a security breach. These are the security steps we take to ensure your data is safe:

1. Engrade's web servers run a LAMPS-only (Linux, Apache, MySQL, PHP, and SSH only) configuration. Our servers do not run any other external daemons such as Sendmail or FTP. None of our servers operate on Windows.

2. Data on Engrade is stored in a RAID1 configuration, which automatically mirrors all data onto dual redundant hard drives for reliability. Engrade also makes a daily backup of all data to a separate onsite server, plus an additional once-daily encrypted backup to a remote server.

3. All of our servers are stored in a multi-zoned, card-based-access server center.

4. Absolutely no user data is stored on any employee laptops or desktops. In the event of a theft, no user data will be compromised.

5. All user passwords are stored in our database only as a non-reversible, salted hash.

6. All scripts are rigorously tested for security holes.

7. Our login system prevents brute-force attacks by automatically blocking any IP address that attempts too many failed logins in a given period of time. An attacker can average at most one attempt every 30 seconds, which makes it computationally infeasible to randomly guess a reasonably complex password.
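As an added illustration (not Engrade's code), here is a per-IP failed-login throttle of the kind item 7 describes, with the threshold and block duration chosen as an assumption (5 failures within 150 seconds, then a 150-second block) so that a single IP cannot average more than one guess every 30 seconds; a bound function and a simulated single-IP attacker show where that rate comes from.

```python
from collections import defaultdict, deque


class FailedLoginThrottle:
    """Per-IP throttle: `max_failures` failed logins within `window_s` seconds
    block the IP for `block_s` seconds (parameter values are assumed)."""

    def __init__(self, max_failures=5, window_s=150.0, block_s=150.0):
        self.max_failures, self.window_s, self.block_s = max_failures, window_s, block_s
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time the block expires

    def is_allowed(self, ip, now):
        """False while `ip` is blocked; an expired block is cleared."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self._blocked_until[ip]
        return True

    def record_failure(self, ip, now):
        """Log a failed login; return True if it triggered a block."""
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window_s:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_s
            q.clear()
            return True
        return False


def max_average_attempts_per_second(max_failures, window_s, block_s):
    """Bound on one IP's sustained guess rate: burst `max_failures` guesses and
    wait out each block, or stay just under the threshold inside every window.
    With 5 failures and 150 s this is one guess per 30 s, as the page states."""
    return max(max_failures / block_s, (max_failures - 1) / window_s)


def simulate_attacker(throttle, ip, duration_s, interval_s=1.0):
    """Count guesses reaching the password check when one IP sends a wrong
    password every `interval_s` seconds for `duration_s` (constructed input)."""
    accepted, t = 0, 0.0
    while t < duration_s:
        if throttle.is_allowed(ip, t):
            accepted += 1
            throttle.record_failure(ip, t)
        t += interval_s
    return accepted
```

Over 600 simulated seconds the attacker gets exactly 20 guesses through, i.e. the one-per-30-seconds average; note the bound only holds per source IP, which is why the page also asks for reasonably complex passwords.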

8. User sessions are assigned a 384-bit string which makes randomly guessing a user session computationally infeasible.

9. Engrade assigns each student an Access Code that ends in a 13-bit security hash. Students can enter an average of only one Access Code every 60 seconds, making it computationally impractical to guess another student's Access Code. As a further precaution, all information in the student section is anonymous.

10. We prevent spam by only allowing confirmed connected users (i.e. student-teacher and teacher-school) to message each other, assigning each relationship a 128-bit token; this makes it computationally infeasible for an attacker to message a user they are not connected to.

11. https://www.engrade.com is encrypted using a 256-bit HTTPS/SSL key, which makes it computationally infeasible for a third party to view web traffic coming to our servers. Because some schools do not allow access to HTTPS, we do allow users to log in over unencrypted HTTP, but we HIGHLY recommend against it.

12. Engrade has done the utmost to ensure that our system is secure, but the final level of security relies on the user. All users must choose reasonably complex passwords. Names, phone numbers, and dictionary words are weak passwords that can easily be guessed; arbitrary mixes of lower case letters, upper case letters, and numbers are much stronger. Users must always log out of their account when they are done. Users must never log into a website using their Engrade login information unless the address of the website begins with http(s)://www.engrade.com/.