
Account security

security · updated 2026-05-11

Strong password

We hash every password with Argon2id (OWASP 2026 params). The plaintext never leaves your browser. The minimum is 8 characters, with no other constraint: favour a passphrase of three uncommon words over Tr0ub4d0ur!.

Two-factor (TOTP)

Set up an authenticator app (Google Authenticator, 1Password, Authy, Bitwarden) on /account/security. Scan the QR code, then enter the rolling 6-digit code to confirm. From then on, login asks for the code on a separate screen after your password.

Sessions list

/account shows every device that’s currently signed in (or whose session cookie has not yet expired). Each entry shows the user-agent, IP, and last-seen timestamp. If you see one you don’t recognise, revoke it from the Sessions card; that signs the device out immediately.

If your account is compromised

  1. Reset your password from /password-reset — this invalidates every session on your account, including any attacker’s.
  2. Email [email protected] with [SECURITY] in the subject so we can prioritise.
  3. Check your gift-card recipient email — an attacker who got into your account would have submitted cashouts to their own address. We hold for 24–72 h before dispatch; if you catch it in that window we can cancel.

Disabling 2FA (rare)

You can disable TOTP from /account/security after entering your password and current 6-digit code. We don’t ship a separate disable flow for lost-device cases yet; email support and we’ll walk you through identity proofing.