Changelog

January 2020 Updates

Enclave Webhooks

Automate your infrastructure with webhooks from Doppler. Get notified when anything in your Enclave project changes.

Brownie Points: Doppler signs the webhook request with a secret you provide to verify it is coming from us.

2FA: OTP Support

Protect your account with OTP 2FA, an open standard for two-factor authentication.

Strengthening Service Tokens

To encourage best practices, service tokens are now only displayed once during initial creation. After creation, you'll need to generate a new service token to retrieve its value. This helps ensure that you're using a unique service token for each service.

Rename Secrets

We are excited to ship one of our most requested features: Renaming Secrets!

Multi-Line Secret Upload

Have you ever needed to upload a multi-line secret like a certificate? Now you can today!

Have I Been Pwned?

To help keep customers safe, we now securely check users' passwords against public data breaches. If your password has previously been exposed in a data breach, we'll display a notice during login that requires you to change your password. More info:

We use the k-Anonymity model to anonymously and securely check if your password has been part of any past, public data breaches. Specifically, during login we now take a SHA1 hash of your password. The first 5 characters of this hash are sent to the popular Have I Been Pwned (HIBP) service. HIBP returns a list of all hashes it knows about that start with the same 5-character suffix. Our servers then compare each returned hash against the full SHA1 hash of the user's password. If there is a match, we prompt the user to change their password.

This process can only be performed during login and when changing your password because that's the only time Doppler has access to a user's plaintext password. We store bcrypt hashes of passwords in our database, meaning it would be computationally infeasible to perform this HIBP check at any other time. Additionally, the computed SHA1 hash is used only for the HIBP service and is never persisted outside of application memory.

We'll likely talk more about password security at a future date. For now, we encourage all of our customers to follow these best practices, as we do internally:

• Use a password manager for every account, regardless of its importance
• Always enable 2FA! (but ideally avoid SMS and Voice 2FA)
• Generate strong, random passwords with your password manager
• Never reuse passwords

🎉 New Year, New CLI

We're proud to announce the release of our new Doppler CLI! This release introduces some exciting new features:

• Forget about Doppler API Keys! Easier, more secure authentication with doppler login
• Manage all your connected devices from the Doppler Dashboard
• Simplified installation, including support for docker, brew, deb/apt, rpm/yum, and scoop. Also available as a standalone binary for Linux, macOS, and Windows.
• 40% faster and only ~3MiB small

All other Doppler client libraries have now been deprecated. This will allow us to more rapidly iterate on features and improve the productivity of our customers.

Thank you to all of our customers for another amazing year. We've got some enormous things cooking for 2020- stay tuned!

Thanks & Happy New Year! 🎉