We minimize the storage and use of any secret material.
In fact, we don’t even have logins into your servers!
We also validate that the public key you are uploading is an actual public key through a simple string check and warn you if it looks like whatever you’re uploading isn’t a public key. We recommend RSA ssh2 keys but also accept DSS. (You can instantly rotate your key everywhere you have access, right in the Userify console!)
To do the job, we only need a user’s public key, so we also don’t currently generate key pairs. I’m not so sure that’s such a good practice, anyway. It’s convenient, but it doesn’t promote safe/secure key education and also requires the vendor to hold your private keys, even if only for a limited period of time. Private keys should be just that. Even worse, keys generated in a virtual server (i.e., an EC2 instance) may not have sufficient entropy.
Userify’s mission is partly educational, to help developers, admins, and non-security-types get up to speed with the awesome capabilities of SSH as well as learn how to use it securely.
Encrypted communications protect everyone
If Userify was ever completely compromised — and even if it stayed compromised — (like if someone could sniff the TLS traffic or spoofed the SSL certificate and was able to maintain a MITM attack), any data loss would be minimal.
We only have public keys. Even your web password is salted and hashed with SHA-256 (certified for Top-Secret Classified materials) right in the web browser before they even get to us! Even if our password database was compromised, those passwords couldn’t be used anywhere else and the plain text of those passwords would only be accessible through brute-force (which for SHA-256, as you know, would pretty much be fantasy at least in our lifetime.)
In terms of security algorithms, we store salted double-hashed SHA-256 passwords which are used to log into the web interface and public keys only. All communications, both server-to-server and user-to-server, takes place through 2048-bit TLS.
Userify takes security and privacy very seriously.