Account Security
DiverDash implements multiple layers of security to protect your account and your dive center data. This page explains the security features in place and offers best practices.
Prerequisites
Before you begin, make sure you have:
A DiverDash account (see Creating Your Account)
Overview
Security in DiverDash is built around four pillars: password hashing, session management, role-based access control, and company isolation. Together, these ensure that only authorized users can access your data and that each company's information stays private.
Security Features
Password Hashing
DiverDash never stores your password in plain text. All passwords are hashed using bcrypt, an industry-standard algorithm designed to resist brute-force attacks. Even if database records were exposed, your actual password cannot be recovered from the hash.
JWT Sessions
After you sign in, DiverDash creates a JSON Web Token (JWT) session. Key characteristics:
30-day expiration -- Sessions last 30 days before you need to sign in again.
HTTP-only cookies -- Session tokens are stored in cookies flagged HttpOnly, which JavaScript on the page cannot read. This limits the damage of a cross-site scripting (XSS) attack: injected script cannot steal the session token.
Automatic renewal -- Active sessions are refreshed transparently so you do not get logged out unexpectedly.
Role-Based Access Control (RBAC)
Access to features and data is controlled by roles. DiverDash includes four system roles:
Super Admin
Full access to all features and settings. Automatically assigned to the first user.
Admin
Full access to most features. Cannot modify system-level settings reserved for Super Admin.
Manager
Access to operational features. Limited settings access.
User
Basic access to assigned tasks and personal information.
Admins can also create custom roles with specific permission sets tailored to your center's needs. Fixed system roles cannot be modified or deleted.
Permissions are cached in memory for performance. When a role changes, the cache is cleared automatically so updated permissions take effect promptly.
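The following added example, which is not DiverDash's own code, shows the pattern the last two paragraphs describe: permission checks driven by a role store, an in-memory cache in front of it, fixed system roles that cannot be edited or deleted, and a cache that is cleared whenever a custom role changes so the new permissions apply at once. The four role names come from the page; the permission names and the in-memory role store are assumptions.

```javascript
// Added example (not DiverDash code): RBAC checks with a permission cache that
// is cleared on role changes. Permission names and the store are constructed.
const SYSTEM_ROLES = new Set(['Super Admin', 'Admin', 'Manager', 'User']);

// Hypothetical role store: role name -> set of permissions.
const roleStore = new Map([
  ['Super Admin', new Set(['bookings:read', 'bookings:write', 'settings:team', 'settings:system'])],
  ['Admin',       new Set(['bookings:read', 'bookings:write', 'settings:team'])],
  ['Manager',     new Set(['bookings:read', 'bookings:write'])],
  ['User',        new Set(['bookings:read'])],
]);

let permissionCache = new Map(); // role name -> Set of permissions
let storeLoads = 0;              // how often the cache missed and hit the store

function permissionsForRole(roleName) {
  if (!permissionCache.has(roleName)) {
    storeLoads += 1;
    const perms = roleStore.get(roleName) || new Set(); // unknown role: no permissions
    permissionCache.set(roleName, new Set(perms));       // copy, so later store edits cannot leak in unseen
  }
  return permissionCache.get(roleName);
}

// The single check every feature and data access goes through.
function can(user, permission) {
  return permissionsForRole(user.role).has(permission);
}

// Custom roles may be created or changed; fixed system roles may not.
// Any change clears the whole cache so updated permissions take effect promptly.
function setRolePermissions(roleName, permissions) {
  if (SYSTEM_ROLES.has(roleName)) throw new Error(`${roleName} is a fixed system role`);
  roleStore.set(roleName, new Set(permissions));
  permissionCache = new Map();
}

function deleteRole(roleName) {
  if (SYSTEM_ROLES.has(roleName)) throw new Error(`${roleName} is a fixed system role`);
  roleStore.delete(roleName);
  permissionCache = new Map();
}

function cacheMisses() {
  return storeLoads;
}

module.exports = { can, setRolePermissions, deleteRole, cacheMisses, SYSTEM_ROLES };
```

Clearing the entire cache on any change is deliberately simple: role edits are rare compared with permission checks, and a whole-cache clear cannot leave one role's stale entry behind.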
Company Isolation
Every user belongs to exactly one company. All data queries are scoped to the user's company. This means:
You can only see data that belongs to your company.
There is no way to view, edit, or access another company's information.
This isolation is enforced at the database query level, not just the interface level.
Company isolation is a foundational security guarantee of the platform.
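As an added example (not DiverDash's own code) of enforcement "at the database query level", the block below scopes every read and write by the company id taken from the authenticated session, never from the request, so a handler cannot forget the filter or be handed another company's id. The in-memory table, its fields and the session shape are constructed for illustration in place of a real database.

```javascript
// Added example (not DiverDash code): company-scoped data access. Every query
// goes through scopedQuery, which filters by the session's company id.
const dives = [ // constructed sample rows standing in for a database table
  { id: 1, companyId: 'co-1', site: 'Blue Hole' },
  { id: 2, companyId: 'co-1', site: 'Shark Reef' },
  { id: 3, companyId: 'co-2', site: 'Cenote Dos Ojos' },
];

// The one place scoping happens. Callers pass the session, not a company id.
function scopedQuery(session, rows) {
  if (!session || typeof session.companyId !== 'string') throw new Error('unauthenticated');
  return rows.filter((r) => r.companyId === session.companyId);
}

function listDives(session) {
  return scopedQuery(session, dives);
}

// Lookup by id is still scoped: a record from another company simply does not
// exist from this session's point of view, even if the caller guesses its id.
function getDive(session, id) {
  return scopedQuery(session, dives).find((d) => d.id === id) || null;
}

// Writes reuse the scoped lookup, so they cannot touch rows reads cannot see.
function updateDiveSite(session, id, site) {
  const row = getDive(session, id);
  if (!row) return false;
  row.site = site;
  return true;
}

module.exports = { listDives, getDive, updateDiveSite };
```

Keeping the filter inside scopedQuery rather than in each handler is what makes the guarantee hold across the whole application: adding a new feature cannot accidentally bypass isolation, because there is no unscoped path to the data.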
Best Practices
Password Management
Use a unique password for DiverDash that you do not reuse on other sites.
Choose a password that is at least 8 characters long. Longer is better.
Use a mix of uppercase letters, lowercase letters, numbers, and special characters.
Consider using a password manager (such as 1Password, Bitwarden, or LastPass) to generate and store strong passwords.
Session Security
Log out when using shared or public computers. Click your name at the bottom of the sidebar and select Logout.
Do not share your login credentials with other people. Each team member should have their own account.
If you suspect unauthorized access, change your password immediately via Password Reset.
Team Access
Assign the minimum role necessary for each team member. Not everyone needs Admin access.
Review user roles periodically under Settings > Team > Roles.
Remove access promptly when a team member leaves your organization. Deactivate or delete their user account from Settings > Team > Users.
Tips
The Super Admin role is assigned to the first user who registers the company. It cannot be reassigned through the interface.
If you notice unusual activity on your account, change your password and review the user list under Settings > Team > Users.
DiverDash does not currently support two-factor authentication (2FA). Use a strong, unique password as your primary defense.
Troubleshooting
Logged out unexpectedly
Your 30-day session may have expired. Sign in again.
Cannot access a feature
Your role may not include the required permission. Ask your admin to review your role under Settings > Team > Roles.
Suspect unauthorized access
Change your password immediately. Review the user list for unfamiliar accounts. Contact support if needed.
Cannot see another company's data
This is by design. Company isolation prevents cross-company access.
Related Pages
Logging In -- How to sign in.
Password Reset -- How to recover your password.
Navigating DiverDash -- Understanding the interface and menu visibility.
Next Steps
Configure Roles and Permissions to control what each team member can access.