Timeline for Why is storing passwords in version control a bad idea?
Current License: CC BY-SA 4.0
19 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Dec 30, 2019 at 16:52 | comment added | Steve Sether | | I'd agree that calling this a convention is inaccurate and misleading. Conventions are just customs, or "social norms" where you could do it completely differently and it'd be OK as long as everyone else did it that way. The classic example is which side of the street we drive on. We all agree which side, and follow it. But left/right is arbitrary and would (and does) work equally well no matter which the society picked. That isn't the case here. If everyone put passwords in version control, it'd still be bad. |
| Aug 19, 2018 at 15:59 | comment added | Todd Wilcox | | I would add that in many environments, devs are not allowed access to production systems at all and ops/admins will have to maintain all passwords. Since passwords will expire in 45/60/90/180 days on many systems, devs cannot maintain the passwords and you don't want ops to have to go into the code, so you put all credentials in a separate config file and when ops deploys the build they put the current production password(s) into the config file and update that file when passwords expire. It's possible that devs not knowing production passwords is legally required on federal systems. |
| Aug 19, 2018 at 8:28 | comment added | ChatterOne | | Also, there may be employees that occasionally work from home. Some of these (and I've known some) use their home PC to develop, instead of their company laptop. This means relying on their home PC's security instead of the company one's. |
| Aug 17, 2018 at 19:36 | comment added | Please stop being evil | | @NotThatGuy No, convention just means "everyone generally agrees to do it this way". It's important to note, because following conventions is generally really important and valuable in its own right. |
| Aug 17, 2018 at 17:38 | comment added | JesseM | | In addition to item 4, git is a distributed repo system. Anyone who can clone the repo to, say, a development laptop could lose that laptop, and now passwords are part of that data breach. |
| Aug 17, 2018 at 6:48 | comment added | damanptyltd | | @OrangeDog unless that history of passwords is a good indicator for future passwords (which does not hold true if your passwords are secure and random, but this isn't always the case). |
| Aug 16, 2018 at 16:24 | history edited | d33tah | CC BY-SA 4.0 | added 8 characters in body |
| Aug 16, 2018 at 9:58 | comment added | OrangeDog | | Note that when removing passwords from source control, you don't need to purge them from the history: you just need to change the passwords. |
| Aug 15, 2018 at 22:09 | comment added | NotThatGuy | | "Convention", to me, implies "everyone generally agrees to do it this way, despite it not having any particularly significant advantage, apart from everyone agreeing that it's to be done this way", but you're giving some pretty significant dis/advantages, which leans more towards "this is a bad idea". Removing the parts about convention would improve the answer quite a bit IMO. |
| Aug 15, 2018 at 16:13 | comment added | Monica Apologists Get Out | | I mean for "stuff other people do" convention works, but it also can mean "stuff other (knowledgeable) people think is a good idea and is common place for a reason". |
| Aug 15, 2018 at 15:10 | comment added | Mr. Llama | | Also, and to a lesser degree, password history is exposed. If the password has been changed over time, knowing previous passwords may be useful in guessing future passwords should access be revoked. |
| Aug 15, 2018 at 15:09 | comment added | Adam Shostack | | I'm with @Adonalsium: convention fails to carry your meaning and much better terms are available: poor idea, needlessly risky, etc. |
| Aug 15, 2018 at 13:52 | comment added | Monica Apologists Get Out | | That's a fair take. |
| Aug 15, 2018 at 13:25 | comment added | d33tah | | @Adonalsium What I meant to say is that it's a pattern related to infosec that is not within best practices and one shouldn't mindlessly follow other people's patterns. |
| Aug 15, 2018 at 13:24 | history suggested | psmears | CC BY-SA 4.0 | Improve wording and grammar |
| Aug 15, 2018 at 13:07 | comment added | Monica Apologists Get Out | | I'm not sure it's fair to call a known anti-pattern of "short passwords" an "infosec convention". |
| Aug 15, 2018 at 12:49 | review: suggested edits | | | suggested edit of Aug 15, 2018 at 13:24 |
| Aug 15, 2018 at 11:31 | history edited | d33tah | CC BY-SA 4.0 | added 327 characters in body; added 198 characters in body |
| Aug 15, 2018 at 11:09 | history answered | d33tah | CC BY-SA 4.0 | |
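The arrangement Todd Wilcox describes (credentials live in a deploy-time config file that ops fills in, never in the repository) and JesseM's point that every clone carries the secret, written out as a small Python example. This is added example code, not code from the answer or from any commenter: the environment variable name `APP_SECRETS_FILE`, the JSON layout of the secrets file, the `.gitignore` handling and the sample values are all assumptions. It loads credentials from the environment or the ops-managed file, fails hard when they are absent, and includes a narrow pre-commit style scan that flags a literal credential before it ever lands in history (OrangeDog's remedy for one that already has, rotating the password, is an operational step rather than code).

```python
"""Keep credentials out of the repository: load them from the environment or
from a deploy-time secrets file, and catch hard-coded literals before commit.

Added example, not from the Stack Exchange answer or its commenters. The env
var name, file layout, and sample values are assumptions."""
import json
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Hypothetical env var that ops sets to point at the secrets file on the host.
SECRETS_FILE_VAR = "APP_SECRETS_FILE"
REQUIRED_KEYS = ("db_user", "db_password")


def load_credentials(env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return credentials from DB_USER/DB_PASSWORD env vars, or else from the
    JSON file named by APP_SECRETS_FILE. Nothing is read from the source tree,
    and a missing secret raises instead of falling back to a default."""
    env = dict(os.environ) if env is None else env
    creds: Dict[str, str] = {}
    if "DB_USER" in env and "DB_PASSWORD" in env:
        creds = {"db_user": env["DB_USER"], "db_password": env["DB_PASSWORD"]}
    elif SECRETS_FILE_VAR in env:
        creds = json.loads(Path(env[SECRETS_FILE_VAR]).read_text(encoding="utf-8"))
    missing = [k for k in REQUIRED_KEYS if not creds.get(k)]
    if missing:
        raise RuntimeError("missing credentials: " + ", ".join(missing))
    return {k: creds[k] for k in REQUIRED_KEYS}


# Deliberately narrow pattern for a literal credential assignment in source.
# A real secret scanner covers far more shapes; this shows the idea only.
_HARDCODED = re.compile(
    r"""(?ix)
    (password|passwd|pwd|secret|api_key|token)\s*[=:]\s*
    ["'][^"']{4,}["']
    """
)


def find_hardcoded_secrets(source: str) -> List[int]:
    """Return 1-based line numbers that contain a literal credential assignment."""
    return [i for i, line in enumerate(source.splitlines(), 1) if _HARDCODED.search(line)]


def is_ignored(gitignore: str, filename: str) -> bool:
    """True if filename is listed in .gitignore. Simplified: exact pattern lines
    only, no globs; enough to assert the secrets file is excluded from commits."""
    patterns = {line.strip().lstrip("/") for line in gitignore.splitlines()
                if line.strip() and not line.lstrip().startswith("#")}
    return filename in patterns


def demo_file_load() -> Dict[str, str]:
    """Constructed scenario: ops writes the secrets file outside the working
    tree and the app finds it via APP_SECRETS_FILE."""
    with tempfile.TemporaryDirectory() as tmp:
        secrets = Path(tmp) / "app-secrets.json"
        # Constructed sample values, not real credentials.
        secrets.write_text(json.dumps({"db_user": "app", "db_password": "example-only"}),
                           encoding="utf-8")
        return load_credentials({SECRETS_FILE_VAR: str(secrets)})


if __name__ == "__main__":
    print(load_credentials({"DB_USER": "app", "DB_PASSWORD": "from-env"}))
    print(demo_file_load())
    # Constructed source snippet with a credential baked into it.
    sample = 'host = "db.internal"\nDB_PASSWORD = "hunter2hunter2"\n'
    print(find_hardcoded_secrets(sample))
    print(is_ignored("# local secrets\n/app-secrets.json\n", "app-secrets.json"))
```

In use, the deploy step writes `app-secrets.json` on the host and exports `APP_SECRETS_FILE`; developers never see production values, and a scanner like `find_hardcoded_secrets` runs as a pre-commit hook so the laptop-loss scenario above exposes a clone without credentials in it.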