Yes. SpiderOak encrypts your data at every stage in the process - from uploading to storage to downloading again. This process ensures complete security and privacy at all times.
SpiderOak is a 'Zero-Knowledge' backup provider. This means that we do not know anything about the data that you store on SpiderOak -- not even your folder or filenames. On the server we only see sequentially numbered containers of encrypted data.
Please note that 'Zero-Knowledge' applies only when using the SpiderOak client. When logging into the website with your password, you are giving the primary encryption key to our servers. We work hard to ensure that this key is kept safe (for instance, by only keeping it in memory and never writing it to disk), but to maintain absolute privacy, you should use only the client.
First, when logging into your account you should be sure you're entering the correct username. Be sure that you are entering your username with the correct capitalization or it will not be accepted. If you created a 'Hint' for your password when you first made your account, you can have that hint sent to your e-mail address by entering your username here: https://spideroak.com/forgot_password
If you cannot find the password hint email, please double check your spam folders in case this email was incorrectly marked as junk. Always check your filter settings to make sure you're able to receive email from SpiderOak.
The short answer is 'yes'. The longer answer is a bit more complicated. The SpiderOak client and server environment contain all the appropriate technical security mechanisms to protect the data that is transmitted to and from the SpiderOak servers. In fact, we built the SpiderOak 'zero-knowledge' privacy environment specifically to handle this task. However, we do not currently employ a HIPAA compliance officer for self-certification.
The services provided by SpiderOak do form a critical part of Data Backup, Disaster Recovery, and Emergency Mode Operations strategies by providing remote accessible backup, storage and restore services that are geographically distant from the client site to minimize the likelihood of data loss in a large-scale disaster. In the event of loss of the primary data center, data located on the SpiderOak cloud can easily, securely and quickly be accessed and restored.
Covered entities have been required to comply with the HIPAA Administrative Simplification Security Rule since April 21, 2005. SpiderOak, as part of a comprehensive security plan, can be an important part of your compliance strategy.
SpiderOak is, in fact, truly 'Zero-Knowledge'. The only thing we know for sure about your data is how many encrypted data blocks it uses (which we would have to know to bill for the appropriate amount of storage). On the servers, we only see sequentially numbered data blocks -- not your folder names, filenames, etc.
How is this reconciled with our ability to do a password reset? The short answer is: It isn't! We cannot reset your password. When you create a SpiderOak account, the setup process happens on your computer (after you download the application) and there your password is used in combination with a strong key derivation function to create your outer layer encryption keys. Your password is never stored as part of the data sent to SpiderOak servers.
As part of the new account setup process, most companies ask users to agree to some "end user licensing agreement", but instead SpiderOak asks users to agree to a "password policy." The password policy basically says that you alone are responsible for remembering your password, and that we cannot help you if you forget the password.
We do allow you to create a "password hint" to help you remember your password. That, however, is as far as we go.
More information about this is in the engineering section of our website, which talks about our 'Zero-Knowledge' approach, the password policy, and encryption specifications.
Unless there are significant advances in mathematics (which would be worldwide events and greatly change the world of encryption), recovering a password from the SpiderOak key structure is very difficult. The key derivation functions we use are designed to withstand heavy brute-force password guessing and pre-computation, such that even on a very modern computer, each password guess takes about one second. So, one such computer could complete only about 32 million password attempts a year. Compared to the number of possible passwords, it would take 100 such computers decades to guess a well-chosen password. Of course, if you were to choose a password that is made entirely from words in a dictionary, fewer attempts may be needed to guess it.
This means that you have the ability to increase the security of your data even further by choosing a strong password. We recommend choosing a password with at least eight characters, mixed case and numbers.
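The arithmetic behind these figures, as an added example that is not SpiderOak's code: it stretches a password with a deliberately slow key derivation function and estimates how long it takes to exhaust a password space at one second per guess. PBKDF2-HMAC-SHA256 stands in for the KDF, which this page does not name, and the salt size, iteration calibration and 100,000-word dictionary are assumptions.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365 * 24 * 3600  # 31,536,000: the "about 32 million" guesses a year

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a password into a 32-byte key. PBKDF2-HMAC-SHA256 is an assumed
    stand-in; the page does not name the KDF SpiderOak uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)

def calibrate_iterations(target_seconds: float, probe: int = 20_000) -> int:
    """Time a probe derivation and scale the iteration count so one guess
    costs roughly target_seconds on this machine."""
    start = time.perf_counter()
    derive_key("probe", b"\x00" * 16, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe, int(probe * target_seconds / elapsed))

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length

def years_to_exhaust(candidates: int, seconds_per_guess: float = 1.0,
                     machines: int = 1) -> float:
    """Worst-case years to try every candidate at the given cost per guess."""
    return candidates * seconds_per_guess / machines / SECONDS_PER_YEAR

if __name__ == "__main__":
    salt = os.urandom(16)                    # per-account random salt (assumed size)
    iterations = calibrate_iterations(1.0)   # aim for about one second per guess
    key = derive_key("Constructed-Sample-Passw0rd", salt, iterations)
    print(f"{iterations} iterations -> {len(key)}-byte key")
    mixed8 = keyspace(26 + 26 + 10, 8)       # eight chars, mixed case and numbers
    print(f"8-char mixed case + digits: {years_to_exhaust(mixed8, machines=100):,.0f} "
          "years on 100 machines")
    one_word = 100_000                       # assumed dictionary size
    print(f"single dictionary word: {years_to_exhaust(one_word) * 365:.1f} days "
          "on one machine")
```

These are worst-case figures for trying every candidate; the gap between the two results is why a password built from dictionary words undoes most of the protection the slow KDF provides.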
If you're seeing this error message when you're sure you've entered your username and password correctly, it might be because you haven't downloaded and installed the SpiderOak application on your computer yet. You will not be able to log in to the website until you have initially set up SpiderOak on a computer and uploaded data to your account.
Please note that you can only view data on the web: you can only upload data from the SpiderOak application on your computer. Our graphical client uses advanced encryption keys to keep your data absolutely secure and private, so we only allow uploads from the client: the webpage will only allow you to view files you've already uploaded and download them to any computer, not upload new data.
This might also occur if you have enabled Two Factor Authentication on your account and you are not adding your token to your password. Please see our Two Factor Authentication FAQs for more information.
If your SpiderOak device is stolen or lost, to keep someone else from seeing data in your SpiderOak account, you need to follow these two steps:
1) Log in to your account on the web and De-Authorize the stolen device. This will prevent it from receiving any further updates from the server of any kind, and will cause the server to disallow future storage connections from the device. To do this, click on the "Devices" button in the navigation bar along the top of the web storage page. Find the stolen device in the list and click "deauthorize". If success is indicated, move to step 2.
2) Change your SpiderOak password. This can be accomplished by going to "Account" within the SpiderOak application.
We strongly recommend that you create a hint because losing your password can cause you to lose access to all of your backed up data. If you lose your password you will lose access to your account. We cannot recover or reset your password for you, even in emergencies.