The device password is hashed using SHA-256 before being transmitted to the IronKey Secure Flash Drive over a secure and unique USB channel, and stored in an extremely inaccessible location in the protected hardware. The password is validated in hardware (there is no “getPassword” function that can retrieve the hashed password), and only after the password is validated are the AES encryption keys unlocked. The password try counter is also implemented in hardware, to prevent memory rewind attacks. Typing your password incorrectly too many times initiates a “flash trash” self destruct sequence, which is run in hardware rather than using software.
IronKey gives you the option to back up your device password in case you forget it. This backup is transmitted over SSL to your Online Security Vault after a complex PKI handshake. Your password is also encrypted while in storage. If you log into my.ironkey.com, you will be able to recover your password (displayed in a CAPTCHA for extra protection). Access to my.ironkey.com without your IronKey device is protected with online security practices incorporated by the strongest banks in the world and exceeds FFIEC bank security authentication guidelines. If you do not want to back up your password online simply do not check the checkbox when you create or modify your device password. If you have already backed up your password and do not want it there anymore, you can delete it at anytime from within my.ironkey.com.
