Security Practice

Never plaintext. Never unsalted. Never fast.

Dictionary attacks, crack rates, and why argon2id exists.

Why SMS is the floor, hardware keys are the ceiling, and recovery is the weakest link.

Why password reuse is catastrophic — and the four defenses that actually move the needle.

Tokens, JWTs, refresh, revocation — and why 'JWTs can't be revoked' is a half-truth.

Env vars, secret managers, the .env-leak problem, and the 12-factor compromise.

Dependency confusion, typosquatting, malicious post-installs, SBOMs, sigstore.

Layered controls, least privilege, network segmentation, and the honeypot in your VPC.

Detect → contain → eradicate → recover → learn. Don't power-off the box.