Email security
How Meridian handles email-based authentication and keeps your account safe.
Passwords are never stored in plaintext
Every password is hashed with bcrypt and a random per-user salt before it ever touches disk. Even if our database were compromised, no plaintext password could be read out of it; an attacker would have to guess each password individually against a deliberately slow hash. We never log credentials and never transmit them over unencrypted channels.
Two-factor authentication codes expire in 5 minutes
One-time codes delivered via email have a strict 5-minute validity window measured from the moment they are issued. Once expired, the code is useless and a new one must be requested. Rate limiting caps code requests to one per 60 seconds per account, so the delivery channel cannot be flooded, and the short window bounds how long any single code can be guessed at.
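The issue-and-verify lifecycle described above, as an added example that is not Meridian's code. It implements the two numbers the page states (a 5-minute validity window and one request per 60 seconds per account) and adds two things a practitioner would expect but the page does not mention, both labelled as assumptions: a cap on wrong guesses per code, and single-use codes. Only a hash of the code is kept server-side; the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

CODE_TTL_SECONDS = 5 * 60       # from the page: a code is valid for 5 minutes
REQUEST_INTERVAL_SECONDS = 60   # from the page: one code request per 60 s per account
MAX_ATTEMPTS = 5                # assumption: wrong guesses allowed per code (not on the page)
CODE_DIGITS = 6                 # assumption: code length (not on the page)


def _hash(code: str) -> bytes:
    """Codes are stored hashed so a leaked table cannot be replayed."""
    return hashlib.sha256(code.encode("utf-8")).digest()


class EmailOtpService:
    """In-memory issuer/verifier for emailed one-time codes (example only)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._last_request: Dict[str, float] = {}   # account -> time of last issue
        self._codes: Dict[str, dict] = {}           # account -> {hash, issued_at, attempts}

    def request_code(self, account: str) -> Optional[str]:
        """Return a fresh code to hand to the mailer, or None if rate-limited."""
        now = self._clock()
        last = self._last_request.get(account)
        if last is not None and now - last < REQUEST_INTERVAL_SECONDS:
            return None
        self._last_request[account] = now
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        # A new request replaces any outstanding code for the account.
        self._codes[account] = {"hash": _hash(code), "issued_at": now, "attempts": 0}
        return code

    def verify_code(self, account: str, submitted: str) -> bool:
        """Accept a code once, within its window and attempt budget."""
        entry = self._codes.get(account)
        if entry is None:
            return False
        if self._clock() - entry["issued_at"] > CODE_TTL_SECONDS:
            del self._codes[account]          # expired: useless, must be re-requested
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._codes[account]          # assumed guess cap: burn the code
            return False
        if not hmac.compare_digest(_hash(submitted), entry["hash"]):
            return False
        del self._codes[account]              # assumed single use
        return True


if __name__ == "__main__":
    svc = EmailOtpService()
    code = svc.request_code("alice@example.com")
    print("emailed code:", code)
    print("second request within 60 s:", svc.request_code("alice@example.com"))
    print("wrong guess accepted:", svc.verify_code("alice@example.com", "000000"))
    print("right code accepted:", svc.verify_code("alice@example.com", code))
    print("replay accepted:", svc.verify_code("alice@example.com", code))
```

Note that the request rate limit is tracked separately from the code itself: a successful login clears the code but must not reset the 60-second request clock, or the limit could be bypassed by alternating requests and logins.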
Transport-layer protection
All transactional emails are sent to receiving mail servers over TLS (TLS 1.3 where the receiver supports it). Because SMTP TLS is negotiated hop by hop, we honor the recipient domain's MTA-STS policy so that an on-path attacker cannot strip STARTTLS and downgrade the connection to plaintext, and our own domain publishes an MTA-STS policy and is DNSSEC-signed so that mail sent to us gets the same protection. SPF is published with a hard fail, DKIM signs every message, and our DMARC policy is set to reject, so receiving mail servers that enforce DMARC discard spoofed Meridian emails.
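The records the paragraph relies on are public, so the claims can be checked. Below is an added example, not Meridian's code, that parses an SPF record, a DMARC record and an MTA-STS policy file and reports anything weaker than what the page describes (SPF without a hard fail, DMARC below p=reject, MTA-STS not in enforce mode). The sample records are constructed for an assumed domain, meridian.example, and are not Meridian's real DNS; in practice you would fetch them with your resolver and from https://mta-sts.<domain>/.well-known/mta-sts.txt.

```python
from typing import Dict, List

# Constructed sample records for an assumed domain; not Meridian's real DNS.
SAMPLE_SPF = "v=spf1 include:_spf.mailer.example -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@meridian.example; adkim=s; aspf=s"
SAMPLE_MTA_STS = "version: STSv1\nmode: enforce\nmx: mail.meridian.example\nmax_age: 604800\n"


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'k=v; k=v' tag list used by DMARC (and DKIM) TXT records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def parse_mta_sts_policy(text: str) -> Dict[str, List[str]]:
    """Parse an MTA-STS policy file ('key: value' lines; 'mx' may repeat)."""
    policy: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        k, v = line.split(":", 1)
        policy.setdefault(k.strip().lower(), []).append(v.strip())
    return policy


def check_email_auth(spf: str, dmarc: str, mta_sts: str) -> List[str]:
    """Return a list of weaknesses; an empty list matches the posture the page claims."""
    findings: List[str] = []

    # SPF: the last term decides what happens to unlisted senders.
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("SPF: record does not start with v=spf1")
    elif terms[-1].lower() != "-all":
        findings.append(f"SPF: terminal mechanism is '{terms[-1]}', expected hard fail '-all'")

    # DMARC: p=none and p=quarantine both let spoofed mail reach inboxes.
    d = parse_tags(dmarc)
    if d.get("v") != "DMARC1":
        findings.append("DMARC: missing v=DMARC1")
    policy = d.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"DMARC: policy is p={policy}, expected p=reject")
    if "rua" not in d:
        findings.append("DMARC: no rua= aggregate-report address, so spoofing attempts go unseen")

    # MTA-STS: only mode 'enforce' makes senders refuse to deliver without TLS.
    sts = parse_mta_sts_policy(mta_sts)
    if sts.get("version") != ["STSv1"]:
        findings.append("MTA-STS: missing 'version: STSv1'")
    mode = sts.get("mode", ["absent"])[0]
    if mode != "enforce":
        findings.append(f"MTA-STS: mode is {mode}, expected enforce")
    if not sts.get("mx"):
        findings.append("MTA-STS: no mx entries")
    return findings


if __name__ == "__main__":
    for f in check_email_auth(SAMPLE_SPF, SAMPLE_DMARC, SAMPLE_MTA_STS) or ["no findings"]:
        print(f)
```

The checks are deliberately strict about the terminal SPF qualifier and the DMARC p= value, because those two settings are what actually decides whether a receiver drops a forged message; a record that is merely present proves nothing.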
What we never send over email
Meridian will never ask you to confirm your password, provide a license key, or click a login link in an unsolicited email. Any message claiming otherwise is a phishing attempt and should be reported immediately.