Stop storing corporate credentials in Google Docs or Slack

Amet Umierov
5 min read · Oct 14, 2019


I’ll describe the basics of how I generate and store my passwords, and how to easily transfer credentials inside a company, using a simple example.

Motherland hears // Original: http://vasya-lozhkin.ru/pictures/rodina-slyshit/

How do I generate and store my personal or corporate passwords

Many years ago I used one strong password for all my services (email, social network, and a few sites). I didn’t have persistent internet access back then, so I didn’t think about it, because my password was strong.

Password Strength // Source: https://xkcd.com/936/

When I entered university and started actively using the internet, I decided to generate different passwords for all services and store them in one secure place. I started with KeePassX for Linux. After migrating from Linux to macOS, I switched to the MacPass client. I synchronized the encrypted database from my Mac with my Android smartphone, using the Keepass2Android client, through Dropbox.

Of course, the master password for the encrypted DB is very strong, 2FA is enabled for Dropbox, and fingerprint unlocking is enabled on both the laptop and the smartphone.

What MacPass looks like // Source: https://macpassapp.org/

Some people store their passwords in the browser, which is not always a good idea. I always generate passwords automatically with MacPass or pwgen, even temporary ones.

I had a situation at the start of my career as a System Engineer: I set up a Linux server with a simple SSH password for a client, sent them the credentials and asked them to change the password ASAP. They didn’t change it, and after one week of using this server they were hacked and I spent a few hours finding a rootkit. It was a useful lesson for me.

pwgen is a really simple and useful command-line utility:

$ pwgen 32 1
AiNgohh7Va7laesohkain3aihahf8Ien

How do people generate and store passwords

Luckily, I’m not the only one who cares about the security of my passwords; many tech-savvy people use services like LastPass, 1Password, etc. But some people still store corporate passwords in messengers (usually Slack), in Google Docs or, in the best case, in text files on their local machines.

Sometimes people in a company need to share credentials, and they do it over the same email or messenger in plain text, or even keep a separate Google Sheet for it:

Hey.
Here are your credentials:
- URL: example.com/login/
- login: admin
- password: abcdefg123456

It is better to send credentials separately through an encrypted service like Vault or a public service like PrivateBin:

Hey.
Here is your password: https://privatebin.net/?fb1551ef40aef1be#9DAVzqe2ydqdTnqaSD5ZghQ3kp6RHFqKhrAbomyuavn
Remember, the link burns after reading.

Self-hosted PrivateBin in Kubernetes

Yes, you can run a self-hosted PrivateBin service in your corporate network; the source code is available on GitHub.

I prepared a short guide on how to run it in Kubernetes (if you like).

Let’s write some YAML // Source: https://twitter.com/caged/status/1039937162769096704

In my example, we will use two Helm charts: one for oauth2-proxy and one for PrivateBin.

First, generate the values file for the PrivateBin chart (we want to run PrivateBin on the privatebin.example.com domain):

cat <<'EOF' > privatebin.values.yaml
# All requests to PrivateBin should go through the oauth2-proxy.
# The heredoc delimiter is quoted so the shell does not expand the nginx
# variables ($host, $request_uri, ...) used in the auth-signin annotation.
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "https://privatebin.example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://privatebin.example.com/oauth2/start?rd=https://$host$request_uri$is_args$args"
  hosts:
    - host: privatebin.example.com
      paths:
        - "/"
configs:
  conf.php: |-
    ; An explanation of each setting can be found online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
    [main]
    name = "Company's PrivateBin"
    discussion = false
    opendiscussion = false
    ; see https://github.com/PrivateBin/PrivateBin/issues/527
    password = true
    fileupload = false
    burnafterreadingselected = true
    defaultformatter = "plaintext"
    syntaxhighlightingtheme = "sons-of-obsidian"
    sizelimit = 10485760
    template = "bootstrap-page"
    languageselection = false
    languagedefault = "en"
    qrcode = false
    icon = none
    httpwarning = true
    compression = zlib
    cspheader = "default-src 'none'; manifest-src 'self' https://accounts.google.com/; connect-src * blob:; script-src 'self' 'unsafe-eval' https://accounts.google.com/; style-src 'self'; font-src 'self' data: font/woff:; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals"
    [expire]
    default = "1day"
    [expire_options]
    10min = 600
    1hour = 3600
    1day = 86400
    1week = 604800
    [formatter_options]
    plaintext = "Plain Text"
    syntaxhighlighting = "Source Code"
    markdown = "Markdown"
    [traffic]
    limit = 100
    header = "X_FORWARDED_FOR"
    dir = PATH "data"
    [purge]
    limit = 300
    batchsize = 10
    dir = PATH "data"
    [model]
    class = Filesystem
    [model_options]
    dir = PATH "data"
EOF

Then, get the OAuth Client ID and secret from the Google console.

Prepare the values file for the oauth2-proxy chart:

cat <<'EOF' > oauth2.values.yaml
config:
  configFile: |-
    email_domains = [ "example.com" ] # Your allowed email domains
    upstreams = [ "file:///dev/null" ]
ingress:
  enabled: true
  path: /
  hosts:
    - privatebin.example.com
EOF

And finally, install the charts:

helm repo add privatebin https://privatebin.github.io/helm-chart
helm repo update
helm install stable/oauth2-proxy \
--name oauth2 \
--values oauth2.values.yaml \
--namespace privatebin \
--set=config.clientID=${YOUR_GOOGLE_ID} \
--set=config.clientSecret=${YOUR_GOOGLE_SECRET} \
--set=config.cookieSecret=$(openssl rand -base64 32 | head -c 32 | base64)
helm install privatebin/privatebin \
  --name privatebin \
  --values privatebin.values.yaml \
  --namespace privatebin

Google oauth2-proxy and self-hosted PrivateBin
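As an added example (not from the original post or the PrivateBin project), here is a small Python check that audits the [main] and [expire] sections of a conf.php like the one above before it goes into the values file. The sample config is constructed from the post's settings, with fileupload and a "never" expiry option deliberately weakened so the audit has something to report.

```python
# Added example, not part of the original post: audit a PrivateBin conf.php
# for the settings the self-hosted setup relies on before deploying the chart.
import configparser

# Constructed sample: an excerpt of the conf.php above, with two settings
# deliberately weakened (fileupload = true, a "never" expiry) to show findings.
SAMPLE_CONF = """[main]
name = "Company's PrivateBin"
discussion = false
password = true
fileupload = true
burnafterreadingselected = true
[expire]
default = "1day"
[expire_options]
10min = 600
1hour = 3600
1day = 86400
1week = 604800
never = 0
"""

# conf.php is PHP ini syntax, which configparser reads (';' comments, quoted strings).
def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def audit(cp):
    """Return a list of findings; an empty list means the config matches the policy."""
    findings = []
    main = cp["main"]
    expected = {
        "password": "true",                  # allow an extra passphrase per paste
        "fileupload": "false",               # a secret-sharing box is not a file drop
        "burnafterreadingselected": "true",  # burn after reading is the default
        "discussion": "false",
    }
    for key, value in expected.items():
        if main.get(key, "").strip('"') != value:
            findings.append(f"[main] {key} should be {value}")
    for opt, secs in cp["expire_options"].items():
        # PrivateBin treats 0 as "never expire"; anything over a week is too long here
        if int(secs) == 0 or int(secs) > 604800:
            findings.append(f"[expire_options] {opt} keeps pastes longer than a week")
    default = cp["expire"]["default"].strip('"')
    if default not in cp["expire_options"]:
        findings.append(f"[expire] default {default} is not an offered option")
    return findings
```

Run it against the rendered conf.php from your values file; the two findings on the sample disappear once fileupload is set to false and the "never" option is removed.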

Benefits

  • credentials automatically expire after some time
  • we don’t depend on a third-party service like the public PrivateBin instance
  • we use Google OAuth 2.0 as an additional security factor
  • we don’t store credentials in Slack/Google Docs/etc.

Well, the hardest part

How to teach people in the company to use it:

  • develop a security culture in the company (better to add it to the onboarding checklist)
  • write a detailed article with screenshots of how to use this service
  • honestly, I don’t have a full answer to this question 😀; I’d like to hear from experienced people about it

Ciao!
