GitHub now scans your repos for Doppler tokens. Tokens found in public repos will be automatically revoked, preventing exposed tokens from being used to access your secrets.
See the official announcement from GitHub at https://github.blog/changelog/2020-12-07-github-now-scans-for-leaked-doppler-tokens
We’re trusted with serving millions of secrets to developers and their apps in a secure, performant, and reliable way. A love for security is built into the core of our DNA and you can help by joining Doppler's Vulnerability Disclosure Program at https://doppler.com/vdp
Want to help improve Doppler's security? Our security.txt shares how to do so safely and securely.
We've rolled out support for our most requested MFA method: security keys! You can now use a YubiKey and other WebAuthn-based security keys as an additional factor during login. Security keys can be added in addition to OTP/Authy, and we support multiple keys from day one. One piece of personal advice: always add a backup key!
We've added support for setting up OTP via a manual key. This is in addition to the primary method of scanning a QR code. If you haven't set up OTP yet, try it out today!
Our users trust Doppler with their secrets. In return, Doppler trusts users to take account security seriously. After all, the most secure systems are still only as secure as their weakest link.
To help improve account security for all users, we'll now prompt you to set up 2FA on your next login. We'll also do so after performing a password reset.
This helps ensure your secrets are shielded from poor password hygiene, which is an ongoing goal of ours.
Protect your account with OTP 2FA, an open standard for two-factor authentication.
To encourage best practices, service tokens are now only displayed once during initial creation. After creation, you'll need to generate a new service token to retrieve its value. This helps ensure that you're using a unique service token for each service.
To help keep customers safe, we now securely check users' passwords against public data breaches. If your password has previously been exposed in a data breach, we'll display a notice during login that requires you to change your password. More info:
We use the k-Anonymity model to anonymously and securely check if your password has been part of any past, public data breaches. Specifically, during login we now take a SHA1 hash of your password. The first 5 characters of this hash are sent to the popular Have I Been Pwned (HIBP) service. HIBP returns a list of all hashes it knows about that start with the same 5-character prefix. Our servers then compare each returned hash against the full SHA1 hash of the user's password. If there is a match, we prompt the user to change their password.
This process can only be performed during login and when changing your password because that's the only time Doppler has access to a user's plaintext password. We store bcrypt hashes of passwords in our database, meaning it would be computationally infeasible to perform this HIBP check at any other time. Additionally, the computed SHA1 hash is used only for the HIBP service and is never persisted outside of application memory.
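The following is an added example, not Doppler's own code, showing the k-Anonymity range check described above: only the first 5 hex characters of the SHA1 hash leave the server, the 35-character suffix stays in memory, and the returned list is compared locally. The range response body and its counts are constructed for the example; the `fetch_range` helper uses the real `https://api.pwnedpasswords.com/range/{prefix}` endpoint but is only called if you opt into a network lookup.

```python
import hashlib
import urllib.request

# Constructed stand-in for the body HIBP returns for the range "5BAA6".
# The real API returns one "SUFFIX:COUNT" line per known hash; the counts
# and the two other suffixes here are made up for this example.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # SHA1("password") without its 5-char prefix
    "0000000000000000000000000000000000A:0\r\n"        # padding entry: count 0 means "not a real breach hit"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:12\r\n"
)


def hash_parts(password):
    """Split the uppercase SHA1 hex digest into the 5-char prefix that is
    sent to HIBP and the 35-char suffix that never leaves this process."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def count_in_range(suffix, body):
    """Number of times the full hash appeared in breaches; 0 if absent or only a padding entry."""
    return parse_range_response(body).get(suffix.upper(), 0)


def fetch_range(prefix):
    """Network lookup against the real HIBP range endpoint (not used by the offline demo).
    Add-Padding asks HIBP to append dummy count-0 entries so the response size
    does not reveal how many real hashes share the prefix."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password, fetch=fetch_range):
    """Return the breach count for `password`. Only the prefix is handed to `fetch`;
    the comparison of the suffix happens locally, so the full hash is never transmitted."""
    prefix, suffix = hash_parts(password)
    body = fetch(prefix)
    return count_in_range(suffix, body)


if __name__ == "__main__":
    # Offline demo: serve the constructed body only for the prefix it was built for.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""
    print(check_password("password", fetch=offline))  # 3861493 (constructed count)
```

In production the `fetch` callable would be the network lookup, and a non-zero result triggers the forced password change; the SHA1 digest is computed only at login or password change and discarded afterwards, mirroring the behaviour described above.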
We'll likely talk more about password security at a future date. For now, we encourage all of our customers to follow these best practices, as we do internally:
Using Single Sign-On providers like Okta or OneLogin? We have great news, you can now onboard your entire organization with our enterprise SAML SSO + JIT (Just In Time) feature. Request access today by reaching out to our enterprise team.
As of today, you can roll your Doppler API key as needed. For owners, the ability to roll any other teammate's API key on the team page is also available.
If you have external team members, like contractors, you're able to create one-off Doppler API keys which grant access to only a single environment.