Oops! I committed my password to GitHub!

Transcript

1. Oops! I Committed My Password to GitHub! Miguel Grinberg

2. About Me • Flask Web Development • The Flask Mega-Tutorial

   • The Flask Webcast • Software Dev @ Rackspace • APIs, Microservices, Security • blog.miguelgrinberg.com • github.com/miguelgrinberg • @miguelgrinberg

3. Did you ever commit a password to source control? “Yeah,

   but it was by accident” “Yeah, but it’s fine because...”

4. How (not) to fix a password leak accident Make a

   new commit with the password removed Rebase the commit

5. How to fix a compromised password for real REVOKE IT!

6. Preventing Password Leaks in Code password = ‘HeyDontLookAtMyPassword!’ secret_key =

   ‘fhgj5khl7D56Hj89’ database_url = ‘mysql://user:password@server/db’ password = ‘HeyDontLookAtMyPassword!’ password = os.environ[‘PASSWORD’] secret_key = ‘fhgj5khl7D5GHj89’ secret_key = os.environ.get(‘SECRET_KEY’) database_url = ‘mysql://user:password@server/db’ database_url = os.environ.get(‘DATABASE_URL’, ‘sqlite:///’)

7. Adding secrets to the environment .profile, .bashrc or other user

   config files .env file for your project (add it to .gitignore) Do not type passwords in your shell!

8. Demonstration

9. If the environment is not enough Vault (Hashicorp) Parameter Store

   (AWS) Secret object (Kubernetes) Ansible Vault

10. DO NOT write passwords or tokens in your code DO

    import secrets from the environment or a secrets store DO revoke any secrets that might have been compromised DO NOT use services that don’t offer easy revocation DO NOT use the same password for more than one service DO NOT use the same credentials for all users DO’s and DON’Ts

11. Thank You! @miguelgrinberg