Vessel Passport uses a computationally intensive process to derive a set of related private keys that are tied to your login factors (email, password, and PIN). Vessel runs 3 million rounds of PBKDF2 in SHA512 mode, which imposes a significant computational cost on any attacker attempting to brute-force a Vessel Passport. Since Vessel is non-custodial, the resulting keys are never transmitted anywhere; they are used only locally, to generate your Web3 identity tokens and to sign on-chain cryptocurrency transactions.
The derivation takes your email address, a strong password of at least 12 characters, and a 6-digit PIN as its entropy sources. This combination balances reproducibility from memory against the entropy needed to make cracking a Vessel wallet computationally infeasible. The chosen password must also pass an API check against https://haveibeenpwned.com to verify that it is not a previously known breached password.
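The following is an added illustration of the derivation described above, not code from Vessel. It uses only the Python standard library. The page states the primitive (PBKDF2-HMAC-SHA512), the round count (3,000,000), the factor policy (12+ character password, 6-digit PIN) and the breached-password check; everything else is an assumption made here: how the three factors are combined into PBKDF2 inputs, the `vessel-passport/` and `vessel-subkey/` labels, the subkey purpose names, and the k-anonymity range lookup, which is how the Pwned Passwords API is queried (only the first five hex characters of the SHA-1 hash leave the client). The range response is a constructed sample so the block runs offline.

```python
import hashlib
import hmac
import re
import time
from typing import Callable

PBKDF2_ROUNDS = 3_000_000  # iteration count stated on the page


def check_login_factors(password: str, pin: str) -> None:
    """Enforce the stated policy: at least 12 password characters, exactly 6 PIN digits."""
    if len(password) < 12:
        raise ValueError("password must be at least 12 characters")
    if not re.fullmatch(r"\d{6}", pin):
        raise ValueError("PIN must be exactly 6 digits")


def derive_master_key(email: str, password: str, pin: str,
                      iterations: int = PBKDF2_ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA512 over the three login factors.

    Assumption (the page does not say how the factors are combined): the password
    is the PBKDF2 secret, and the normalised email plus the PIN form the salt, so
    every factor influences the result and the same user always gets the same salt.
    """
    check_login_factors(password, pin)
    salt = b"vessel-passport/" + email.strip().lower().encode() + b"/" + pin.encode()
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)


def derive_subkey(master: bytes, purpose: str) -> bytes:
    """One labelled subkey per purpose (HMAC-SHA512 of a label under the master key).

    Keeping the Web3-ID key, the transaction-signing key and the credential-at-rest
    key separate means that exposure of one reveals nothing about the others.
    Purpose labels are hypothetical.
    """
    return hmac.new(master, b"vessel-subkey/" + purpose.encode(), hashlib.sha512).digest()


def hibp_match_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: send only the 5-char SHA-1 prefix, match the suffix locally.

    `fetch_range(prefix)` must return the range body as text, one "SUFFIX:COUNT"
    line per breached hash sharing that prefix. Returns the breach count, 0 if absent.
    """
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0


# Constructed sample of a range response for prefix 5BAA6 (SHA-1("password") starts
# with 5BAA6). The counts are made up; a real response is fetched from
# https://api.pwnedpasswords.com/range/<prefix>.
CONSTRUCTED_RANGES = {
    "5BAA6": "0D4F5E2B4C0E63F8B7D1A3C9E6F2A8B5D7C1E3F:12\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "7A1F0C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6F7A8:1\n",
}


def offline_fetch_range(prefix: str) -> str:
    """Offline stand-in for the range API; unknown prefixes yield an empty body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("breach count for 'password':", hibp_match_count("password", offline_fetch_range))
    print("breach count for chosen password:", hibp_match_count(pw, offline_fetch_range))
    start = time.perf_counter()
    master = derive_master_key("user@example.com", pw, "123456")
    print(f"master key derived in {time.perf_counter() - start:.1f}s")
    for purpose in ("web3-id", "tx-signing", "credential-at-rest"):
        print(purpose, derive_subkey(master, purpose).hex()[:16] + "...")
```

The seconds that `derive_master_key` takes with the full round count are the point: the same cost is paid by anyone guessing passwords, and because the salt includes the email, a table precomputed for one user is useless against another. Note that the PIN contributes only about 20 bits, so the password, not the PIN, carries the entropy that makes offline guessing infeasible.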
Verified credentials issued by Vessel credential servers are stored encrypted at rest under a dynamically generated private key tied to your unique login factors. They are accessible only when you are correctly logged in with the exact set of email/password/PIN factors. The cryptographic credential assertion tokens themselves are also only valid when presented in a request together with a valid Web3 auth token matching the Web3 ID the tokens were issued to. As a result, there is no risk of anyone stealing or abusing the credential tokens on their own: an attacker would also have to be able to generate the correct matching self-signed Web3 ID token that goes with them.
Regarding crypto activity, users should be aware that anything signed or transacted on-chain will always be visible to everyone via blockchain explorer websites. This applies to every wallet, since blockchains are public ledgers.