Security
Plot is engineered with bank-grade security practices from the ground up.
Passwords
Hashed with Argon2id · the memory-hard algorithm recommended by OWASP · with a unique salt per user. We can't see your password, and a leaked hash is impractical to reverse.
Encryption at rest
Sensitive secrets such as your two-factor seed are encrypted with AES-256 (authenticated Fernet) before they ever touch the database.
Two-factor authentication
Optional TOTP (Google Authenticator, 1Password, Authy) plus one-time backup codes stored only as hashes. Turn it on in Account & Security.
Sessions & cookies
Sessions are random 256-bit tokens; only their SHA-256 hash is stored. Cookies are HttpOnly and SameSite=Lax, are revocable, and rotate on password change.
Defense in depth
- Account lockout after repeated failed logins; login responses are enumeration-safe.
- A strict Content-Security-Policy and hardened headers (X-Frame-Options, nosniff, Referrer-Policy).
- Strict per-user data isolation enforced at the database layer.
Responsible disclosure
Found a vulnerability? Email [email protected]. We appreciate and credit responsible reports.