We've designed the system so that no one, including SailPoint or your administrators, has access to your passwords except you. They are encrypted (i.e. scrambled) on your computer, using a secure code called an encryption key that is created based on your password. The code is referred to as a local encryption key because the key is stored on your computer so no one else can decode it. Only the encrypted version of the passwords is sent to IdentityNow.
If you change your password on a different device than the one you normally use or if you change it outside of IdentityNow, you will be prompted to provide your old password as part of the reset process. This is because the system needs your original local encryption key to access the data in your password vault and then generate a new encryption key based on the new password.
IdentityNow also sends you an email notification anytime your IdentityNow password or an app-specific password changes.
We also protect your IdentityNow account from brute force attacks by locking it if someone enters the wrong password too many times. In addition, we prevent IdentityNow password resets under certain circumstances.
For more information, see: