Stop storing corporate credentials in Google Docs or Slack

Amet Umerov
Oct 14 · 5 min read

I’ll describe basic things about how I generate and store my passwords and how to easily transfer credentials inside the company on a simple example.

Motherland hears // Original: http://vasya-lozhkin.ru/pictures/rodina-slyshit/

How do I generate and store my personal or corporate passwords

I used to have one strong password many years ago for all my services (email, social network, and few sites), I didn’t have a persistent internet in my life, so I didn’t think about it, because my password was strong.

Password Strength // Source: https://xkcd.com/936/

I entered my uni and started actively use the internet. I decided to generate different passwords for all services and store them in one secure state. I started with KeePassX for Linux. After my migration from Linux to macOS X, I started to use a MacPass client for it. I synchronized encrypted state from my Mac with my android smartphone with Keepass2Android client through Dropbox.

Of course, the master password for encrypted DB is very strong and secure, 2FA is enabled for Dropbox, fingerprint unlocking is enabled on the laptop and smartphone.

How MacPass looks like // Source: https://macpassapp.org/

Some people store their passwords in the browser, sometimes it’s not good, I always generate passwords automatically with MacPass or pwgen, even temporarily.

I had a situation when I started my career as a System Engineer when I set up a Linux-server and set a simple ssh password for a client, I’ve asked a client to change this password ASAP and transferred credentials to them. But he didn’t change them and after 1 week of using this server he was hacked and I spend a few hours to find a rootkit. It was a useful lesson for me.

pwgen is a really simple and useful command-line utility

$ pwgen 32 1
AiNgohh7Va7laesohkain3aihahf8Ien

How do people generate and store passwords

Luckily, I’m not the only one who cares about the security of my passwords, many tech-savvy people use services like LastPass, 1Password, etc. But some people still store corporate passwords in messengers (usually Slack), Google Docs or the best case in text files on their local machines.

Sometimes people in the company need to share their credentials, using all the same email or messenger in plain text or even have a separate Google Sheet for it:

Hey.
Here is your credentials:
- URL: example.com/login/
- login: admin
- password: abcdefg123456

Better to send credentials separately through the encrypted services like Vault or public service like PrivateBin:

Hey.
Here is you password: https://privatebin.net/?fb1551ef40aef1be#9DAVzqe2ydqdTnqaSD5ZghQ3kp6RHFqKhrAbomyuavn
Remember link burns after reading.

Self-hosted PrivateBin in Kubernetes

Yes, you can run self-hosted PrivateBin service in your corporate network, the source code is available on GitHub.

I prepared an easy guide on how to run it in Kubernetes (as you like).

Let’s write some YAML // Source: https://twitter.com/caged/status/1039937162769096704

In my example, we will use two HELM charts: for oauth2-proxy and PrivateBin.

First, generate values file for the PrivateBin chart (we want to run PrivateBin on the privatebin.example.com domain):

cat <<EOF > privatebin.values.yaml
# All requests to the PrivateBin should go through the oauth2-proxy
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/auth-url: "https://privatebin.example.com/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://privatebin.example.com/oauth2/start?rd=https://$host$request_uri$is_args$args"
hosts:
- host: privatebin.example.com
paths:
- "/"
configs:
conf.php: |-
; An explanation of each setting can be found online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
[main]
name = "Company's PrivateBin"
discussion = false
opendiscussion = false
password = true # https://github.com/PrivateBin/PrivateBin/issues/527
fileupload = false
burnafterreadingselected = true
defaultformatter = "plaintext"
syntaxhighlightingtheme = "sons-of-obsidian"
sizelimit = 10485760
template = "bootstrap-page"
languageselection = false
languagedefault = "en"
qrcode = false
icon = none
httpwarning = true
compression = zlib
cspheader = "default-src 'none'; manifest-src 'self' https://accounts.google.com/; connect-src * blob:; script-src 'self' 'unsafe-eval' https://accounts.google.com/; style-src 'self'; font-src 'self' data: font/woff:; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals"
[expire]
default = "1day"
[expire_options]
10min = 600
1hour = 3600
1day = 86400
1week = 604800
[formatter_options]
plaintext = "Plain Text"
syntaxhighlighting = "Source Code"
markdown = "Markdown"
[traffic]
limit = 100
header = "X_FORWARDED_FOR"
dir = PATH "data"
[purge]
limit = 300
batchsize = 10
dir = PATH "data"
[model]
class = Filesystem
[model_options]
dir = PATH "data"
EOF

Then, get the OAuth Client ID and secret from Google console.

Prepare values for oauth2-proxy chart:

cat <<EOF > oauth2.values.yaml
config:
configFile: |-
email_domains = [ "example.com" ] # Your allowed email domains
upstreams = [ "file:///dev/null" ]
ingress:
enabled: true
path: /
hosts:
- privatebin.example.com
EOF

And finally, install the charts:

helm repo add privatebin https://privatebin.github.io/helm-chart
helm repo update
helm install stable/oauth2-proxy \
--name oauth2 \
--values oauth2.values.yaml \
--namespace privatebin \
--set=config.clientID=${YOUR_GOOGLE_ID} \
--set=config.clientSecret=${YOUR_GOOGLE_SECRET} \
--set=config.cookieSecret=$(openssl rand -base64 32 | head -c 32 | base64)
helm install privatebin/privatebin
--name privatebin \
--values privatebin.values.yaml \
--namespace privatebin
Google oauth2-proxy and self-hosted PrivateBin

Profits

  • credentials automatically expire after some time
  • we don’t use third-party service like PrivateBin
  • we use Google OAuth 2.0 as an additional security factor
  • we don’t store credentials in Slack/Google Docs/etc

Well, the hardest part

How to teach people in the company to use it:

  • develop a security culture in the company (better to add to the onboarding checklist)
  • write a detailed article with screenshots of how to use this service
  • truly, I don’t have a full answer to this question 😀, I want to hear experienced people about it

Ciao!

Amet Umerov

Written by

DevOps Engineer at preply.com

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade