Stop storing corporate credentials in Google Docs or Slack

I’ll describe the basics of how I generate and store my passwords, and show, using a simple example, how to easily transfer credentials inside the company.

Motherland hears // Original:

How do I generate and store my personal or corporate passwords

Many years ago I used to have one strong password for all my services (email, a social network, and a few sites). I didn’t have a persistent internet connection in my life, so I didn’t think about it, because my password was strong.

Password Strength // Source:
What MacPass looks like // Source:
$ pwgen 32 1

How do people generate and store passwords

Luckily, I’m not the only one who cares about the security of my passwords; many tech-savvy people use services like LastPass, 1Password, etc. But some people still store corporate passwords in messengers (usually Slack), in Google Docs or, in the best case, in text files on their local machines.

Here are your credentials:
- URL:
- login: admin
- password: abcdefg123456
Here is your password:
Remember, the link burns after reading.

Self-hosted PrivateBin in Kubernetes

Yes, you can run a self-hosted PrivateBin service in your corporate network; the source code is available on GitHub.

Let’s write some YAML // Source:
# The heredoc delimiter is quoted so the shell does not expand $host, $request_uri, etc.
cat <<'EOF' > privatebin.values.yaml
ingress:
  # All requests to the PrivateBin should go through the oauth2-proxy
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    # The oauth2-proxy URLs for these two annotations are not preserved on this page
    nginx.ingress.kubernetes.io/auth-url: ""
    nginx.ingress.kubernetes.io/auth-signin: "$host$request_uri$is_args$args"
  hosts:
    - host:
      paths:
        - "/"
configs:
  conf.php: |-
    ; An explanation of each setting can be found online at
    [main]
    name = "Company's PrivateBin"
    discussion = false
    opendiscussion = false
    password = true
    fileupload = false
    ; Pre-select "burn after reading" for every new paste
    burnafterreadingselected = true
    defaultformatter = "plaintext"
    syntaxhighlightingtheme = "sons-of-obsidian"
    sizelimit = 10485760
    template = "bootstrap-page"
    languageselection = false
    languagedefault = "en"
    qrcode = false
    icon = none
    httpwarning = true
    compression = zlib
    cspheader = "default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self' data: font/woff:; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals"
    [expire]
    default = "1day"
    [expire_options]
    ; Lifetimes in seconds; there is no "never" option
    10min = 600
    1hour = 3600
    1day = 86400
    1week = 604800
    [formatter_options]
    plaintext = "Plain Text"
    syntaxhighlighting = "Source Code"
    markdown = "Markdown"
    [traffic]
    limit = 100
    header = "X_FORWARDED_FOR"
    dir = PATH "data"
    [purge]
    limit = 300
    batchsize = 10
    dir = PATH "data"
    [model]
    class = Filesystem
    [model_options]
    dir = PATH "data"
EOF

cat <<'EOF' > oauth2.values.yaml
config:
  configFile: |-
    email_domains = [ "" ] # Your allowed email domains
    upstreams = [ "file:///dev/null" ]
ingress:
  enabled: true
  path: /
EOF

helm repo add privatebin
helm repo update

# oauth2-proxy authenticates users against Google before they reach PrivateBin
helm install stable/oauth2-proxy \
--name oauth2 \
--values oauth2.values.yaml \
--namespace privatebin \
--set=config.clientID="${YOUR_GOOGLE_ID}" \
--set=config.clientSecret="${YOUR_GOOGLE_SECRET}" \
--set=config.cookieSecret="$(openssl rand -base64 32 | head -c 32 | base64)"

helm install privatebin/privatebin \
--name privatebin \
--values privatebin.values.yaml \
--namespace privatebin
Google oauth2-proxy and self-hosted PrivateBin


  • credentials automatically expire after some time
  • we don’t use a third-party hosted instance of a service like PrivateBin
  • we use Google OAuth 2.0 as an additional security factor
  • we don’t store credentials in Slack/Google Docs/etc
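
The properties listed above only hold while conf.php keeps the settings they depend on. The script below is an added example, not part of the original post or of PrivateBin: it audits a conf.php for those settings before it is deployed. The `audit` function and the one-week `MAX_TTL` limit are hypothetical, and the sample input is constructed from the article's values under the section names used in PrivateBin's conf.sample.php.

```python
import configparser

# Constructed sample: the article's settings under conf.sample.php section names.
SAMPLE_CONF = """\
[main]
discussion = false
password = true
fileupload = false
burnafterreadingselected = true
[expire]
default = "1day"
[expire_options]
10min = 600
1hour = 3600
1day = 86400
1week = 604800
"""
MAX_TTL = 604800  # assumed policy: no paste may outlive one week


def audit(conf_text, max_ttl=MAX_TTL):
    """Return a list of findings; an empty list means the policy holds."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=(";",))
    cp.read_string(conf_text)
    findings = []

    def val(section, key):
        return cp.get(section, key, fallback="").strip().strip('"').lower()

    # Settings the credential-sharing workflow relies on, with the required value.
    required = {"burnafterreadingselected": "true", "password": "true",
                "discussion": "false", "fileupload": "false"}
    for key, want in required.items():
        got = val("main", key)
        if got != want:
            findings.append(f"[main] {key} = {got or '<unset>'}, expected {want}")
    options = dict(cp["expire_options"]) if cp.has_section("expire_options") else {}
    default = val("expire", "default")
    if default not in options:
        findings.append(f"[expire] default {default!r} is not in [expire_options]")
    for name, seconds in options.items():
        ttl = int(seconds)
        # PrivateBin treats a lifetime of 0 as "never expires".
        if ttl == 0 or ttl > max_ttl:
            findings.append(f"[expire_options] {name} = {ttl} outlives the policy")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "conf.php matches the policy")
```

Run it in CI against the conf.php text extracted from privatebin.values.yaml so that a later edit adding a "never" expiry or turning off burn-after-reading fails the pipeline.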

Well, the hardest part

How to teach people in the company to use it:

  • write a detailed article with screenshots of how to use this service
  • truly, I don’t have a full answer to this question 😀; I’d like to hear from experienced people about it
