Slide 1

Oops! I Committed My Password to GitHub!
Miguel Grinberg

Slide 2

About Me
● Flask Web Development
● The Flask Mega-Tutorial
● The Flask Webcast
● Software Dev @ Rackspace
● APIs, Microservices, Security
● blog.miguelgrinberg.com
● github.com/miguelgrinberg
● @miguelgrinberg

Slide 3

Did you ever commit a password to source control?
“Yeah, but it was by accident”
“Yeah, but it’s fine because...”

Slide 4

How (not) to fix a password leak accident
● Make a new commit with the password removed
● Rebase the commit

Slide 5

How to fix a compromised password for real
REVOKE IT!

Slide 6

Preventing Password Leaks in Code

Before (secrets hardcoded in the source):

    password = 'HeyDontLookAtMyPassword!'
    secret_key = 'fhgj5khl7D56Hj89'
    database_url = 'mysql://user:password@server/db'

After (secrets read from the environment):

    import os

    password = os.environ['PASSWORD']
    secret_key = os.environ.get('SECRET_KEY')
    database_url = os.environ.get('DATABASE_URL', 'sqlite:///')
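A check that catches the "before" pattern above before it reaches a commit, as an added example that is not part of the talk: it parses Python source with the standard `ast` module and flags assignments that bind a string literal to a secret-looking variable name, or that embed `user:password@` credentials in a URL literal. Values obtained from `os.environ` are not flagged, because they are calls or lookups rather than literals. The two sample sources are constructed from the slide's own lines; the name patterns are an assumption you would tune to your code base.

```python
import ast
import re

# Constructed sample sources: the slide's hardcoded lines and their fixed forms.
BAD_SAMPLE = """\
password = 'HeyDontLookAtMyPassword!'
secret_key = 'fhgj5khl7D56Hj89'
database_url = 'mysql://user:password@server/db'
"""

GOOD_SAMPLE = """\
import os
password = os.environ['PASSWORD']
secret_key = os.environ.get('SECRET_KEY')
database_url = os.environ.get('DATABASE_URL', 'sqlite:///')
"""

# Variable names that should never be bound directly to a string literal
# (assumed list; extend for your project).
SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_key)", re.IGNORECASE)
# A URL whose userinfo part carries a password: scheme://user:password@host...
CRED_URL = re.compile(r"^[a-z][a-z0-9+.\-]*://[^/:@\s]+:[^@\s]+@", re.IGNORECASE)


def _string_literal(node):
    """Return the string if the node is a plain string literal, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def find_hardcoded_secrets(source, filename="<string>"):
    """Parse Python source and return (line, variable, reason) tuples for
    assignments that bind a string literal to a secret-looking name or that
    embed user:password credentials in a URL literal. Values produced by a
    call or lookup (os.environ[...], os.environ.get(...)) are never flagged."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            targets, value = node.targets, node.value
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets, value = [node.target], node.value
        else:
            continue
        literal = _string_literal(value)
        if literal is None:
            continue
        for target in targets:
            if not isinstance(target, ast.Name):
                continue
            if SECRET_NAME.search(target.id) and literal:
                findings.append((node.lineno, target.id,
                                 "string literal assigned to a secret-looking name"))
            elif CRED_URL.match(literal):
                findings.append((node.lineno, target.id,
                                 "URL literal embeds user:password credentials"))
    return findings


if __name__ == "__main__":
    for label, sample in (("bad", BAD_SAMPLE), ("good", GOOD_SAMPLE)):
        print(f"{label}: {len(find_hardcoded_secrets(sample))} finding(s)")
        for line, name, reason in find_hardcoded_secrets(sample):
            print(f"  line {line}: {name}: {reason}")
```

Run over the files staged for a commit (for example from a pre-commit hook) and fail the commit on any finding; the point is to make the mistake visible before it is pushed, since once a secret has reached a remote the only real fix is the one on the next slide.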

Slide 7

Adding secrets to the environment
● .profile, .bashrc or other user config files
● .env file for your project (add it to .gitignore)
● Do not type passwords in your shell!
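The two slides above, loading a git-ignored .env file into the environment and then reading secrets from it, as an added example that is not the talk's demo code. It assumes a simple `KEY=VALUE` file format (optional `export`, optional quotes, `#` comments); the sample .env content is constructed from the slide's placeholder values. Two details matter in practice and are shown: a real environment variable always wins over the .env file, so a deployment's secrets are never overwritten by a stale developer file, and required secrets have no default, so a missing one is a startup error rather than a silently hardcoded fallback.

```python
import os
import re
from pathlib import Path

# Constructed sample .env file contents (placeholder values from the slide,
# not real credentials). In a project this file is listed in .gitignore.
SAMPLE_DOTENV = """\
# local development settings
PASSWORD=HeyDontLookAtMyPassword!
export SECRET_KEY="fhgj5khl7D5GHj89"
DATABASE_URL='mysql://user:password@server/db'
"""

# KEY=VALUE with an optional leading "export"; value may be quoted.
_ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text):
    """Parse .env text into a dict, skipping blank and comment lines and
    stripping one pair of matching quotes around a value."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _ENV_LINE.match(line)
        if match is None:
            continue
        key, value = match.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def apply_dotenv(values, environ, override=False):
    """Copy parsed values into an environment mapping and return the keys set.
    Keys already present in the environment are kept unless override=True."""
    applied = []
    for key, value in values.items():
        if override or key not in environ:
            environ[key] = value
            applied.append(key)
    return applied


def load_dotenv(path=".env", environ=os.environ, override=False):
    """Read a .env file if it exists and apply it to the environment."""
    dotenv = Path(path)
    if not dotenv.is_file():
        return []
    return apply_dotenv(parse_dotenv(dotenv.read_text()), environ, override)


# Secrets the application cannot run without (assumed names from the slide).
REQUIRED_SECRETS = ("PASSWORD", "SECRET_KEY")


def missing_secrets(environ=os.environ):
    """Names of required secrets that are absent or empty in the environment."""
    return [name for name in REQUIRED_SECRETS if not environ.get(name)]


def build_config(environ=os.environ):
    """Build the application config from the environment. Secrets have no
    default; only DATABASE_URL gets a local fallback, as the slide shows."""
    missing = missing_secrets(environ)
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return {
        "password": environ["PASSWORD"],
        "secret_key": environ["SECRET_KEY"],
        "database_url": environ.get("DATABASE_URL", "sqlite:///"),
    }


if __name__ == "__main__":
    load_dotenv()                      # no-op when there is no .env file
    print(sorted(build_config().keys()))
```

Because the secrets arrive through a file or the process environment, nothing is ever typed at the shell prompt, so no password ends up in shell history.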

Slide 8

Demonstration

Slide 9

If the environment is not enough
● Vault (Hashicorp)
● Parameter Store (AWS)
● Secret object (Kubernetes)
● Ansible Vault

Slide 10

DO’s and DON’Ts
● DO NOT write passwords or tokens in your code
● DO import secrets from the environment or a secrets store
● DO revoke any secrets that might have been compromised
● DO NOT use services that don’t offer easy revocation
● DO NOT use the same password for more than one service
● DO NOT use the same credentials for all users

Slide 11

Thank You!
@miguelgrinberg