Tonido's design puts security first and foremost.

Passwords are stored locally

First and foremost, unlike other services, your password and authentication information are only stored on your computer/NAS/Plug. They are not transmitted anywhere else, even to us. So it is not possible for the authentication information to fall into the wrong hands. This is different from other online services where if an information breach occurs all instances are compromised.

General

• Profile creation is not allowed from a remote location (other than a local machine) by default
• Profile deletion is not allowed from a remote location (other than a local machine) by default
• Tonido software has been audited independently for security issues by a security firm

HTTP

Most of Tonido's UI is accessed via the browser

• Tonido supports SSL connections for example you can use https://<yourname>.tonidoid.com to connect to your tonido software which will ensure all data is transferred securely including your authentication information.
• Tonido login is valid only for the browser session and once the browser is closed and reopened, you will have to re-authenticate yourself.
• Logging in remotely can optionally require answering a secret question and password. This prevents phishing attacks so no one can masquerade as your Tonido URL.
• Text, HTML flowing from a remote location is always filtered to prevent Cross-site scripting attacks

Security Best Practices

•  Security requires that users are responsible when using any software including Tonido. This means that first, they will need to understand all the risks that are present and learning how to protect themselves and their computer from threats.
•  Use strong passwords. Change the password often. Don't write down the password. And use a password that is unrelated to your other passwords.
•  For even more security, setup and use a strong secret question and answer. Choose a question that is unique to you. Choose an answer that is as hard as your password.
•  If you are accessing Tonido remotely, after completing your session, close the browser.