Graphlytic user password
Passwords of Graphlytic users are stored encrypted. BCypt encryption function is used (see Bcrypt on Wikipedia). This function is used at OS: BSD, SUSE Linux and other. It is generally considered safe for this purpose.
Browser - Graphlytic
Connection between Browser and Graphlytic should be configured to use HTTPS. Graphlytic is delivered with configuration to use self signed certificate for HTTPS. You can use your own valid certificate for HTTPS.
You can also use Apache with HTTPS configured and communication between Apache and Graphlytic should be configured to use HTTP.
Graphlytic - Neo4j
Connection between Graphlytic and Neo4j can be configured to use Bolt or REST. REST communication is mandatory because this is only way how to communicate with Graphlytic Neo4j plugin. If Bolt communication is enabled all communication with Neo4j uses Bolt, only communication with Graphlytic Neo4j Plugin uses REST.
Bolt protocol is configured to use TLS encryption with trust on first use. See more in Neo4j Driver.
REST protocol can be configured to use HTTP or HTTPS. You need import Neo4j server certificate into Java default truststore to use HTTPS. See more in Neo4j security.
Example how to import certificate into default Java truststore (default password for default Java truststore is "changeit"):
See more information in Oracle documentation.