<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Kokal Limited</title>
    <description>The latest articles on DEV Community by Kokal Limited (@kokal_limited_b7d45823e1d).</description>
    <link>https://dev.to/kokal_limited_b7d45823e1d</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4012892%2F19bdc8f3-7850-4def-acac-33d0c3fdb145.png</url>
      <title>DEV Community: Kokal Limited</title>
      <link>https://dev.to/kokal_limited_b7d45823e1d</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/kokal_limited_b7d45823e1d"/>
    <language>en</language>
    <item>
      <title>How We Stopped Password Reuse From Sinking Our Small Team</title>
      <dc:creator>Kokal Limited</dc:creator>
      <pubDate>Mon, 13 Jul 2026 13:21:52 +0000</pubDate>
      <link>https://dev.to/kokal_limited_b7d45823e1d/how-we-stopped-password-reuse-from-sinking-our-small-team-1e6e</link>
      <guid>https://dev.to/kokal_limited_b7d45823e1d/how-we-stopped-password-reuse-from-sinking-our-small-team-1e6e</guid>
      <description>&lt;p&gt;If you work at a small company, you already know the credential situation: five to twenty people, each juggling logins for email, CRM, payroll, cloud storage, and a dozen vendor portals. Some save passwords in the browser. Some keep a spreadsheet. A few just hit "forgot password" every single time.&lt;/p&gt;

&lt;p&gt;That's not a workflow — it's a breach waiting to happen.&lt;/p&gt;

&lt;h2&gt;
  
  
  The numbers are ugly
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;81%&lt;/strong&gt; of breaches involve stolen or weak passwords (Verizon 2026 DBIR)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;$98,000&lt;/strong&gt; average cost per incident for businesses under 50 employees (IBM 2026)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;65%&lt;/strong&gt; of people reuse passwords across work and personal accounts (NCSC)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That last one is the killer. Reuse means one breached marketing SaaS can unlock your entire stack. As developers, we get this intuitively — it's the same reason you never store secrets in plaintext.&lt;/p&gt;

&lt;h2&gt;
  
  
  What a password manager actually fixes
&lt;/h2&gt;

&lt;p&gt;Think of a business password manager as three controls bundled together:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Generation&lt;/strong&gt; — every account gets a unique secret from a CSPRNG, not &lt;code&gt;Summer2026!&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# what a decent generator does under the hood&lt;/span&gt;
openssl rand &lt;span class="nt"&gt;-base64&lt;/span&gt; 24
&lt;span class="c"&gt;# =&amp;gt; 8f2Kd9xQ1mZ7pL4vR6nT0wYc&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;2. Storage&lt;/strong&gt; — encrypted at rest and in transit:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;at rest:     AES-256
in transit:  TLS 1.3
access:      authorized team members only
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;3. Policy enforcement&lt;/strong&gt; — admins set minimum standards, require MFA on the vault, and audit who touched what.&lt;/p&gt;

&lt;h2&gt;
  
  
  What to screen for (the dev checklist)
&lt;/h2&gt;

&lt;p&gt;Consumer tools and free personal vaults skip the parts teams need. When evaluating, look for:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Admin console&lt;/strong&gt; with shared vaults per department (finance, ops, eng)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Role-based access&lt;/strong&gt; — admin / editor / viewer, not "everyone gets everything"&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Instant revocation&lt;/strong&gt; when someone offboards&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Audit logs&lt;/strong&gt; so credential access is traceable&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;MFA enforcement&lt;/strong&gt; on the vault itself&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If a tool can't do role-based access and instant revoke, you're back to sharing secrets over Slack — which defeats the entire point.&lt;/p&gt;

&lt;p&gt;CISA explicitly recommends password managers as a core control for organizations of &lt;em&gt;any&lt;/em&gt; size. Pair one with MFA and you've closed the gap most SMB breaches walk right through.&lt;/p&gt;

&lt;h2&gt;
  
  
  The takeaway
&lt;/h2&gt;

&lt;p&gt;You don't need an enterprise IT team to fix credential hygiene. Pick a manager with real admin controls, generate unique passwords everywhere, turn on MFA, and audit access quarterly. It's the single highest-leverage security move a small team can make in an afternoon.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://strongpassfactory.com" rel="noopener noreferrer"&gt;strongpassfactory.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>passwordsecurity</category>
      <category>onlinesafety</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Passkeys for SMBs: Going Passwordless in 2026 (A Developer's Guide)</title>
      <dc:creator>Kokal Limited</dc:creator>
      <pubDate>Mon, 13 Jul 2026 13:20:39 +0000</pubDate>
      <link>https://dev.to/kokal_limited_b7d45823e1d/passkeys-for-smbs-going-passwordless-in-2026-a-developers-guide-2i82</link>
      <guid>https://dev.to/kokal_limited_b7d45823e1d/passkeys-for-smbs-going-passwordless-in-2026-a-developers-guide-2i82</guid>
      <description>&lt;p&gt;If you build or maintain internal tools for a small team, you've probably watched passwords rot from the inside: reused across a dozen SaaS apps, pasted into Slack, parked in a spreadsheet named &lt;code&gt;logins_final_v2.xlsx&lt;/code&gt;. Passkeys fix the root cause. Here's the developer-level version of why, and how the flow actually works.&lt;/p&gt;

&lt;h2&gt;
  
  
  Passwords vs. passkeys, architecturally
&lt;/h2&gt;

&lt;p&gt;A password is a &lt;strong&gt;shared secret&lt;/strong&gt; — you know it, the server knows it, and anything on the wire between you can grab it. A passkey is a &lt;strong&gt;FIDO2 credential&lt;/strong&gt; built on public-key cryptography. Your device holds the private key; the server only ever sees the public key.&lt;/p&gt;

&lt;p&gt;That single difference kills whole attack classes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Phishing&lt;/strong&gt; — there's nothing to type, and the credential is bound to the origin.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Breach leaks&lt;/strong&gt; — the server never held your private key.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Credential stuffing&lt;/strong&gt; — each assertion is scoped to a specific domain, so it can't be replayed.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The flow
&lt;/h2&gt;

&lt;p&gt;Registration stores a public key. Authentication is a challenge/response the server verifies against it:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight javascript"&gt;&lt;code&gt;&lt;span class="c1"&gt;// Authentication (simplified WebAuthn)&lt;/span&gt;
&lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;assertion&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nb"&gt;navigator&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;credentials&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt;
  &lt;span class="na"&gt;publicKey&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="na"&gt;challenge&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nx"&gt;serverChallenge&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;        &lt;span class="c1"&gt;// random bytes from your backend&lt;/span&gt;
    &lt;span class="na"&gt;rpId&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="dl"&gt;"&lt;/span&gt;&lt;span class="s2"&gt;yourapp.com&lt;/span&gt;&lt;span class="dl"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;               &lt;span class="c1"&gt;// origin-bound: phishing-resistant&lt;/span&gt;
    &lt;span class="na"&gt;userVerification&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="dl"&gt;"&lt;/span&gt;&lt;span class="s2"&gt;required&lt;/span&gt;&lt;span class="dl"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;      &lt;span class="c1"&gt;// face / fingerprint / device PIN&lt;/span&gt;
  &lt;span class="p"&gt;},&lt;/span&gt;
&lt;span class="p"&gt;});&lt;/span&gt;
&lt;span class="c1"&gt;// Device signs the challenge with the private key.&lt;/span&gt;
&lt;span class="c1"&gt;// Backend verifies the signature against the stored public key.&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The private key never leaves the authenticator. No secret crosses the network — just a signature over a one-time challenge.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why it matters for small teams
&lt;/h2&gt;

&lt;p&gt;You don't need an enterprise identity platform to benefit. In 2026, Google Workspace, GitHub, Slack, and basically every major business app accept passkeys out of the box — no new software, no dedicated IT hire.&lt;/p&gt;

&lt;p&gt;The payoff is concrete:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The Verizon 2026 DBIR attributes &lt;strong&gt;81% of breaches&lt;/strong&gt; to stolen or weak passwords.&lt;/li&gt;
&lt;li&gt;IBM's 2026 report puts the average breach cost for sub-50-employee businesses at &lt;strong&gt;$98,000&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;Google measured passkeys cutting login time by &lt;strong&gt;~40%&lt;/strong&gt; with a higher first-attempt success rate — which for a small shop means fewer reset tickets and "I'm locked out" pings.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Where passwords still hang around
&lt;/h2&gt;

&lt;p&gt;Passkeys aren't a silver bullet. You'll still want a password (or recovery flow) for account bootstrap, legacy systems without WebAuthn support, and cross-device recovery when someone loses their only authenticator. Treat passkeys as the default and passwords as the fallback, not the reverse.&lt;/p&gt;

&lt;p&gt;If you're rolling this out across a team, start by enabling passkeys on your highest-value accounts (email, code host, cloud console) and work outward.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://strongpassfactory.com" rel="noopener noreferrer"&gt;strongpassfactory.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>passwordsecurity</category>
      <category>onlinesafety</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Test Published</title>
      <dc:creator>Kokal Limited</dc:creator>
      <pubDate>Mon, 13 Jul 2026 13:14:14 +0000</pubDate>
      <link>https://dev.to/kokal_limited_b7d45823e1d/test-published-2ec4</link>
      <guid>https://dev.to/kokal_limited_b7d45823e1d/test-published-2ec4</guid>
      <description>&lt;h1&gt;
  
  
  Test
&lt;/h1&gt;

</description>
      <category>security</category>
    </item>
  </channel>
</rss>
