Changelog

Discover what is new and improved with Doppler!

Security
July 22, 2020

We've rolled out support for our most requested MFA method: security keys! You can now use a YubiKey and other WebAuthn-based security keys as an additional factor during login. Security keys can be added in addition to OTP/Authy, and we support multiple keys from day one. One piece of personal advice: always add a backup key!

Security
March 2, 2020

We've added support for setting up OTP via a manual key. This is in addition to the primary method of scanning a QR code. If you haven't set up OTP yet, try it out today!

Security
February 13, 2020

Our users trust Doppler with their secrets. In return, Doppler trusts users to take account security seriously. After all, the most secure systems are still only as secure as their weakest link.

To help improve account security for all users, we'll now prompt you to set up 2FA on your next login. We'll also do so after performing a password reset.

This helps ensure your secrets are shielded from poor password hygiene, which is an ongoing goal of ours.

Security
January 10, 2020

To encourage best practices, service tokens are now only displayed once during initial creation. After creation, you'll need to generate a new service token to retrieve its value. This helps ensure that you're using a unique service token for each service.

Security
January 3, 2020

To help keep customers safe, we now securely check users' passwords against public data breaches. If your password has previously been exposed in a data breach, we'll display a notice during login that requires you to change your password. More info:

We use the k-Anonymity model to anonymously and securely check whether your password has been part of any past, public data breach. Specifically, during login we now take the SHA1 hash of your password. Only the first 5 hex characters of that hash are sent to the popular Have I Been Pwned (HIBP) Pwned Passwords service. HIBP returns the list of every hash it knows about that starts with that same 5-character prefix (in practice, the remaining 35-character suffixes and how often each was seen). Our servers then compare each returned hash against the full SHA1 hash of the user's password, so the full hash never leaves Doppler. If there is a match, we prompt the user to change their password.

This process can only be performed during login and when changing your password because that's the only time Doppler has access to a user's plaintext password. We store bcrypt hashes of passwords in our database, meaning it would be computationally infeasible to perform this HIBP check at any other time. Additionally, the computed SHA1 hash is used only for the HIBP service and is never persisted outside of application memory.

We'll likely talk more about password security at a future date. For now, we encourage all of our customers to follow these best practices, as we do internally:

  • Use a password manager for every account, regardless of its importance
  • Always enable 2FA! (but ideally avoid SMS and Voice 2FA)
  • Generate strong, random passwords with your password manager
  • Never reuse passwords

Security
February 4, 2019

Using Single Sign-On providers like Okta or OneLogin? We have great news: you can now onboard your entire organization with our enterprise SAML SSO + JIT (Just In Time provisioning) feature. Request access today by reaching out to our enterprise team.

Security
October 14, 2018

As of today, you can roll your Doppler API key whenever you need to. Owners can also roll any other teammate's API key from the team page.

Security
October 14, 2018

If you have external team members, like contractors, you're able to create one-off Doppler API keys which grant access to only a single environment.