Concord Security, Privacy, and Strong Passwords

Concord was built using a number of industry-standard security systems to protect your data. These measures take practical steps to avoid the common issues that affect many services on the Internet.

The Privacy of Your Data

We take the privacy and security of your data seriously. 

Our privacy policy is written with the idea that the data you place in Concord are yours. The policy states that the Church will not access your data without your consent or unless the Church has a legitimate legal reason to access it.

We hope both our privacy policy and our various security protections will give you confidence to trust us with your data.

Passwords

The only way that Concord knows which account is yours is when you log in with your unique username and password. If someone else is able to guess your password, then many of our security protections are rendered ineffective. As such, we ask our users to create a strong password with the following requirements:

  1. Passwords must be at least 11 characters long.

  2. Passwords must contain at least one uppercase letter and at least one lowercase letter.

The system also checks to make sure your password does not contain common words or elements of common passwords that hackers could use to break your password more easily.
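The following is an added example, not Concord's own code, of how a password policy like the one described above can be checked: minimum length of 11, at least one uppercase and one lowercase letter, and a dictionary check against common words and password fragments. It goes slightly beyond the text by also folding common symbol-for-letter substitutions (for example "@" for "a" and "0" for "o") back to letters before the dictionary check, so that a disguised common word is still rejected. The fragment list is a constructed stand-in for a real breached-password dictionary.

```python
import re

# Constructed list of common words and password fragments; a real
# deployment would load a much larger breached-password dictionary.
COMMON_FRAGMENTS = ("password", "qwerty", "123456", "letmein", "welcome", "concord")

# Common symbol-for-letter substitutions, folded back to letters so that a
# disguised common word such as "P@ssw0rd" is still caught.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                          "3": "e", "4": "a", "5": "s", "7": "t"})

MIN_LENGTH = 11


def check_password(password, min_length=MIN_LENGTH, common=COMMON_FRAGMENTS):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")

    # Check the dictionary against both the plain lowercase form and the
    # substitution-folded form, so purely numeric fragments such as "123456"
    # are still found after "1" and "3" have been folded to letters.
    lowered = password.lower()
    haystacks = (lowered, lowered.translate(LEET_MAP))
    for fragment in sorted(common):
        if any(fragment in h for h in haystacks):
            problems.append(f"contains common element '{fragment}'")
    return problems


def is_acceptable(password):
    """True when the password meets every rule of the policy."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "short", "Tr0ub4dor&3", "Welcome12345678"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The function returns every violation rather than stopping at the first one, which lets a sign-up form tell the user everything that needs fixing in a single round trip.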

TIP: If you are using your own computer you can use your web browser's password “save” functionality to always remember the password for you. By doing this, you won't have to type the password every time. See the knowledge base article here for instructions on how to set up your browser to do this. 

NOTE: To protect your Concord account, do not save your password if you are on a public or shared computer.

Additional Protections

Here are some additional security protections: 

  1. We protect the networks used by our servers with a number of standard security measures including firewalls and unified threat management systems.

  2. We have an independent cybersecurity organization run periodic penetration tests on the Concord infrastructure and on the Concord application itself. We prioritize the repair of any findings.

  3. We developed Concord with the Java Spring Security framework to help protect against common code-based attacks.

  4. We install a minimal number of packages on the Concord servers and patch them regularly. This protects against using software with known security vulnerabilities.

  5. All communications between our servers and your device are encrypted using SSL/TLS certificates. Our certificates use a 2048-bit RSA key, our servers have HTTP Strict Transport Security (HSTS) enabled, and we have disabled legacy protocols that could be used to execute a downgrade attack on the connection.

  6. All passwords are protected with a 10-round bcrypt hashing algorithm using a 128-bit salt and 184-bit hash.

  7. Data fields that could contain sensitive information (such as citations, comments and lists) are stored in the Concord database using AES-128 encryption with a SHA-512 hash.
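The following is an added example, not Concord's own code, illustrating item 6 above. In a stored bcrypt hash string the "10" is the cost parameter, which means 2^10 = 1024 iterations of bcrypt's expensive key setup; the 22 characters after it encode the 128-bit salt and the final 31 characters encode the 184-bit hash, using bcrypt's own base64 alphabet. The parser below decodes a stored hash string into those parts and checks that it meets a minimum cost, which is the kind of check an administrator can run over a user table to confirm that every stored hash still meets the stated policy. The sample hash string is constructed to be syntactically valid only; it is not the hash of any real password.

```python
import re

# bcrypt's own base64 alphabet (not the RFC 4648 one), written without padding.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# Modular-crypt layout: $2b$<two-digit cost>$<22 salt chars><31 hash chars>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def bcrypt_b64decode(text):
    """Decode bcrypt's base64 variant; trailing bits that do not fill a byte are dropped."""
    acc = 0
    nbits = 0
    out = bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_ALPHABET.index(ch)
        nbits += 6
        while nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
        acc &= (1 << nbits) - 1  # keep only the bits not yet consumed
    return bytes(out)


def parse_bcrypt(hash_string):
    """Split a stored bcrypt string into version, cost, salt size and hash size."""
    m = BCRYPT_RE.match(hash_string)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    version, cost_text, salt_text, digest_text = m.groups()
    cost = int(cost_text)
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} is outside the valid range 4..31")
    salt = bcrypt_b64decode(salt_text)      # 22 chars -> 16 bytes = 128 bits
    digest = bcrypt_b64decode(digest_text)  # 31 chars -> 23 bytes = 184 bits
    return {
        "version": version,
        "cost": cost,
        "key_setup_iterations": 2 ** cost,
        "salt_bits": len(salt) * 8,
        "hash_bits": len(digest) * 8,
    }


def meets_policy(hash_string, min_cost=10):
    """True when the stored hash uses at least the required cost and the full salt and hash sizes."""
    info = parse_bcrypt(hash_string)
    return (info["cost"] >= min_cost
            and info["salt_bits"] == 128
            and info["hash_bits"] == 184)


# Constructed sample: syntactically valid, not the hash of any real password.
SAMPLE_HASH = "$2b$10$abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE_HASH))
    print("meets policy:", meets_policy(SAMPLE_HASH))
```

Because the cost is stored inside each hash string, a site can raise the cost over time and detect, with a check like `meets_policy`, which accounts still carry an older, cheaper hash that should be upgraded at the user's next login.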

We take the security of your data seriously. If you believe your account data has been compromised in any way, please contact the Customer Care Center at 1-617-450-2700. We hope you trust Concord to store your data securely.