Stop storing corporate credentials in Google Docs or Slack

I’ll describe the basics of how I generate and store my passwords, and how to easily transfer credentials inside a company, using a simple example.

(image: Motherland hears)

How do I generate and store my personal or corporate passwords

Many years ago I had one strong password for all my services (email, social network, and a few sites). I didn’t have persistent internet access back then, so I didn’t think about it, because my password was strong.

(image: Password Strength)

I entered university and started to actively use the internet. I decided to generate different passwords for all services and store them in one secure place. I started with KeePassX on Linux. After migrating from Linux to macOS, I started to use the MacPass client. I synchronized the encrypted database between my Mac and my Android smartphone (with the Keepass2Android client) through Dropbox.

Of course, the master password for the encrypted DB is very strong, 2FA is enabled for Dropbox, and fingerprint unlocking is enabled on the laptop and the smartphone.

(image: How MacPass looks)

Some people store their passwords in the browser; that is not always a good idea. I always generate passwords automatically with MacPass or pwgen, even temporary ones.

I had a situation when I started my career as a System Engineer: I set up a Linux server and set a simple SSH password for a client. I asked the client to change this password ASAP and transferred the credentials to them. But he didn’t change it, and after 1 week of using this server he was hacked, and I spent a few hours finding a rootkit. It was a useful lesson for me.

pwgen is a really simple and useful command-line utility (one 32-character password):

$ pwgen 32 1

How do people generate and store passwords

Luckily, I’m not the only one who cares about the security of my passwords; many tech-savvy people use services like LastPass, 1Password, etc. But some people still store corporate passwords in messengers (usually Slack), in Google Docs, or, in the best case, in text files on their local machines.

Sometimes people in the company need to share their credentials, and they do it in plain text through the same email or messenger, or even keep a separate Google Sheet for it:

Here are your credentials:
- URL:
- login: admin
- password: abcdefg123456

It is better to send credentials separately, through an encrypted service like Vault or a public service like PrivateBin:

Here is your password:
Remember, the link burns after reading.

Self-hosted PrivateBin in Kubernetes

Yes, you can run a self-hosted PrivateBin service in your corporate network; the source code is available on GitHub.

I prepared an easy guide on how to run it in Kubernetes (adapt it as you like).

(image: Let’s write some YAML)

In my example, we will use two Helm charts: one for oauth2-proxy and one for PrivateBin.

First, generate a values file for the PrivateBin chart (we want to run PrivateBin on our own domain, behind oauth2-proxy):

cat <<'EOF' > privatebin.values.yaml
# The heredoc delimiter is quoted so the shell passes the nginx $variables
# below through literally instead of expanding them to empty strings.
# Key layout follows the PrivateBin chart's values.yaml (ingress + configs);
# the post's own domains are not shown, so <...> placeholders mark them.
ingress:
  # All requests to the PrivateBin should go through the oauth2-proxy
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "https://<OAUTH2_PROXY_DOMAIN>/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://<OAUTH2_PROXY_DOMAIN>/oauth2/start?rd=$host$request_uri$is_args$args"
  hosts:
    - host: <PRIVATEBIN_DOMAIN>
      paths:
        - "/"
configs:
  conf.php: |-
    ; An explanation of each setting can be found online at
    [main]
    name = "Company's PrivateBin"
    discussion = false
    opendiscussion = false
    password = true
    fileupload = false
    burnafterreadingselected = true
    defaultformatter = "plaintext"
    syntaxhighlightingtheme = "sons-of-obsidian"
    sizelimit = 10485760
    template = "bootstrap-page"
    languageselection = false
    languagedefault = "en"
    qrcode = false
    icon = none
    httpwarning = true
    compression = zlib
    cspheader = "default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self' data: font/woff:; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals"
    [expire]
    default = "1day"
    [expire_options]
    10min = 600
    1hour = 3600
    1day = 86400
    1week = 604800
    [formatter_options]
    plaintext = "Plain Text"
    syntaxhighlighting = "Source Code"
    markdown = "Markdown"
    [traffic]
    limit = 100
    header = "X_FORWARDED_FOR"
    dir = PATH "data"
    [purge]
    limit = 300
    batchsize = 10
    dir = PATH "data"
    [model]
    class = Filesystem
    [model_options]
    dir = PATH "data"
EOF

Then, get the OAuth Client ID and secret from the Google console.

Prepare the values for the oauth2-proxy chart:

cat <<'EOF' > oauth2.values.yaml
# The stable/oauth2-proxy chart reads the proxy configuration from config.configFile;
# <...> placeholders stand for the post's own domains, which are not shown.
config:
  configFile: |-
    email_domains = [ "<YOUR_COMPANY_EMAIL_DOMAIN>" ] # Your allowed email domains
    upstreams = [ "file:///dev/null" ]
ingress:
  enabled: true
  path: /
  hosts:
    - <OAUTH2_PROXY_DOMAIN>
EOF

And finally, install the charts:

helm repo add privatebin <PRIVATEBIN_CHART_REPO_URL>
helm repo update
helm install stable/oauth2-proxy \
  --name oauth2 \
  --values oauth2.values.yaml \
  --namespace privatebin \
  --set=config.clientID=${YOUR_GOOGLE_ID} \
  --set=config.clientSecret=${YOUR_GOOGLE_SECRET} \
  --set=config.cookieSecret=$(openssl rand -base64 32 | head -c 32 | base64)
helm install privatebin/privatebin \
  --name privatebin \
  --values privatebin.values.yaml \
  --namespace privatebin
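Before rolling the conf.php out, it is worth linting it for the hardening settings this setup relies on (no discussion threads, no file uploads, burn-after-reading preselected, a short default expiry, rate limiting on). This is an added Python example, not code from the post or from the PrivateBin project; the config text inside it is a constructed excerpt of the values above, and the expectations list is my own choice of what to check.

```python
# Added example (not from the post or PrivateBin): lint a PrivateBin conf.php
# (PHP-INI syntax) for the settings the post relies on before rolling it out.
import configparser

# Constructed excerpt of the post's conf.php; the real file has more sections.
SAMPLE_CONF = """[main]
discussion = false
password = true
fileupload = false
burnafterreadingselected = true
[expire]
default = "1day"
[expire_options]
10min = 600
1hour = 3600
1day = 86400
1week = 604800
[traffic]
limit = 100
"""

# (section, key, expected) as PHP-INI literals.
EXPECTATIONS = [
    ("main", "discussion", "false"),  # no comment threads on secrets
    ("main", "fileupload", "false"),  # credentials only, no attachments
    ("main", "password", "true"),  # optional extra password per paste
    ("main", "burnafterreadingselected", "true"),  # burn-after-reading preselected
]
MAX_DEFAULT_EXPIRY_SECONDS = 86400  # one day, as in the post


def lint_conf(text):
    """Return findings; an empty list means the config matches the post's hardening."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # ';' lines are INI comments, as in conf.php
    findings = []
    for section, key, expected in EXPECTATIONS:
        actual = cp.get(section, key, fallback=None)
        if actual != expected:
            findings.append(f"[{section}] {key} = {actual!r}, expected {expected}")
    default = cp.get("expire", "default", fallback="").strip('"')
    seconds = cp.getint("expire_options", default, fallback=None)
    if seconds is None:
        findings.append(f"[expire] default {default!r} missing from [expire_options]")
    elif seconds > MAX_DEFAULT_EXPIRY_SECONDS:
        findings.append(f"[expire] default {default!r} is {seconds}s, longer than a day")
    if cp.getint("traffic", "limit", fallback=0) == 0:
        findings.append("[traffic] limit = 0 disables the per-IP rate limit")
    return findings
```

Run `lint_conf` over the `conf.php` block of your values file; any non-empty result is a setting that drifted from the post's configuration.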
(image: Google oauth2-proxy and self-hosted PrivateBin)

What this setup gives us:

  • credentials automatically expire after some time
  • we don’t depend on a third-party service (like the public PrivateBin instance)
  • we use Google OAuth 2.0 as an additional security factor
  • we don’t store credentials in Slack/Google Docs/etc.

Well, the hardest part

How to teach people in the company to use it:

  • develop a security culture in the company (better to add to the onboarding checklist)
  • write a detailed article with screenshots of how to use this service
  • truly, I don’t have a full answer to this question 😀; I want to hear from experienced people about it