← Home

Security

Plot is engineered with bank-grade security practices from the ground up.

Passwords

Hashed with Argon2id · the memory-hard algorithm recommended by OWASP · with a unique salt per user. We can't see your password, and a leaked hash is impractical to reverse.

Encryption at rest

Sensitive secrets such as your two-factor seed are encrypted with AES-256 (authenticated Fernet) before they ever touch the database.

Two-factor authentication

Optional TOTP (Google Authenticator, 1Password, Authy) plus one-time backup codes stored only as hashes. Turn it on in Account & Security.

Sessions & cookies

Sessions are random 256-bit tokens; only their SHA-256 hash is stored. Cookies are HttpOnly and SameSite=Lax, are revocable, and rotate on password change.

Defense in depth

Responsible disclosure

Found a vulnerability? Email [email protected]. We appreciate and credit responsible reports.

What's new · v1.1.0

Loading…