Stop storing corporate credentials in Google Docs or Slack

I’ll describe the basics of how I generate and store my passwords, and use a simple example to show how to transfer credentials inside the company without leaving them lying around in chat.

Motherland hears // Original: http://vasya-lozhkin.ru/pictures/rodina-slyshit/

How do I generate and store my personal or corporate passwords

Many years ago I used one strong password for all my services (email, a social network and a few sites). I didn’t have a persistent internet connection back then, so I didn’t think about it: my password was strong, after all.

Password Strength // Source: https://xkcd.com/936/

How MacPass looks // Source: https://macpassapp.org/

$ pwgen 32 1
AiNgohh7Va7laesohkain3aihahf8Ien

How do people generate and store passwords

Luckily, I’m not the only one who cares about the security of my passwords: many tech-savvy people use services like LastPass, 1Password, etc. But some people still store corporate passwords in messengers (usually Slack), in Google Docs or, in the best case, in text files on their local machines.

Hey.
Here are your credentials:
- URL: example.com/login/
- login: admin
- password: abcdefg123456

Hey.
Here is your password: https://privatebin.net/?fb1551ef40aef1be#9DAVzqe2ydqdTnqaSD5ZghQ3kp6RHFqKhrAbomyuavn
Remember, the link burns after reading.

Self-hosted PrivateBin in Kubernetes

Yes, you can run a self-hosted PrivateBin service in your corporate network; the source code is available on GitHub.

Let’s write some YAML // Source: https://twitter.com/caged/status/1039937162769096704
# The heredoc delimiter is quoted so the shell leaves the nginx variables
# ($host, $request_uri, ...) in the auth-signin annotation untouched.
cat <<'EOF' > privatebin.values.yaml
# All requests to the PrivateBin should go through the oauth2-proxy
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "https://privatebin.example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://privatebin.example.com/oauth2/start?rd=https://$host$request_uri$is_args$args"
  hosts:
    - host: privatebin.example.com
      paths:
        - "/"
configs:
  conf.php: |-
    ; An explanation of each setting can be found online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
    [main]
    name = "Company's PrivateBin"
    discussion = false
    opendiscussion = false
    password = true ; https://github.com/PrivateBin/PrivateBin/issues/527
    fileupload = false
    burnafterreadingselected = true
    defaultformatter = "plaintext"
    syntaxhighlightingtheme = "sons-of-obsidian"
    sizelimit = 10485760
    template = "bootstrap-page"
    languageselection = false
    languagedefault = "en"
    qrcode = false
    icon = none
    httpwarning = true
    compression = zlib
    cspheader = "default-src 'none'; manifest-src 'self' https://accounts.google.com/; connect-src * blob:; script-src 'self' 'unsafe-eval' https://accounts.google.com/; style-src 'self'; font-src 'self' data: font/woff:; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals"
    [expire]
    default = "1day"
    [expire_options]
    10min = 600
    1hour = 3600
    1day = 86400
    1week = 604800
    [formatter_options]
    plaintext = "Plain Text"
    syntaxhighlighting = "Source Code"
    markdown = "Markdown"
    [traffic]
    limit = 100
    header = "X_FORWARDED_FOR"
    dir = PATH "data"
    [purge]
    limit = 300
    batchsize = 10
    dir = PATH "data"
    [model]
    class = Filesystem
    [model_options]
    dir = PATH "data"
EOF

cat <<EOF > oauth2.values.yaml
config:
  configFile: |-
    email_domains = [ "example.com" ] # Your allowed email domains
    upstreams = [ "file:///dev/null" ]
ingress:
  enabled: true
  # The proxy only needs to own the /oauth2 endpoints referenced by the
  # PrivateBin ingress annotations; "/" would collide with the PrivateBin ingress on the same host.
  path: /oauth2
  hosts:
    - privatebin.example.com
EOF

helm repo add privatebin https://privatebin.github.io/helm-chart
helm repo update

helm install stable/oauth2-proxy \
  --name oauth2 \
  --values oauth2.values.yaml \
  --namespace privatebin \
  --set=config.clientID=${YOUR_GOOGLE_ID} \
  --set=config.clientSecret=${YOUR_GOOGLE_SECRET} \
  --set=config.cookieSecret=$(openssl rand -base64 32 | head -c 32 | base64)

helm install privatebin/privatebin \
  --name privatebin \
  --values privatebin.values.yaml \
  --namespace privatebin
Google oauth2-proxy and self-hosted PrivateBin

Benefits

  • credentials automatically expire after some time
  • we don’t depend on a third-party service like the public privatebin.net
  • we use Google OAuth 2.0 as an additional security factor
  • we don’t store credentials in Slack/Google Docs/etc.
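The first benefit only holds while conf.php keeps its expiry and burn-after-reading settings. As an added example (my code, not the author's or the PrivateBin project's), here is a small Python audit of those settings: the sample config is constructed from the values above, and the expected settings are my assumptions about what a credential-sharing deployment should look like.

```python
import configparser
from datetime import timedelta

# Constructed sample: [main] and [expire*] sections of the conf.php above.
SAMPLE_CONF = """\
[main]
name = "Company's PrivateBin"
discussion = false
password = true ; https://github.com/PrivateBin/PrivateBin/issues/527
fileupload = false
burnafterreadingselected = true
httpwarning = true
[expire]
default = "1day"
[expire_options]
10min = 600
1day = 86400
1week = 604800
"""
# What a credential-sharing PrivateBin should look like, and why (my assumptions).
EXPECTED_MAIN = {
    "discussion": ("false", "comments would leave a second copy of the secret"),
    "password": ("true", "sender can add a password the link itself does not carry"),
    "fileupload": ("false", "keeps the service to short text secrets"),
    "burnafterreadingselected": ("true", "one read, then the paste is gone"),
    "httpwarning": ("true", "warns when the page is served over plain HTTP"),
}
MAX_DEFAULT_LIFETIME = timedelta(days=1)

def parse_conf(text):
    # conf.php is INI syntax; ';' and '#' start comments, also after a value.
    cp = configparser.ConfigParser(inline_comment_prefixes=(";", "#"), interpolation=None)
    cp.read_string(text)
    return cp

def audit(conf):
    """Return findings as strings; an empty list means the config is as expected."""
    findings = []
    for key, (want, why) in EXPECTED_MAIN.items():
        got = conf.get("main", key, fallback="<unset>").strip().lower()
        if got != want:
            findings.append(f"[main] {key}={got}, expected {want}: {why}")
    # The default lifetime must be one of the offered options and at most a day.
    default = conf.get("expire", "default", fallback="").strip().strip('"')
    seconds = conf.getint("expire_options", default, fallback=None)
    if seconds is None:
        findings.append(f"[expire] default={default!r} is not in [expire_options]")
    elif timedelta(seconds=seconds) > MAX_DEFAULT_LIFETIME:
        findings.append(f"[expire] default {default} lives {seconds}s, more than a day")
    return findings
```

Run it against the conf.php pulled from the deployed ConfigMap after every chart upgrade; an empty result means the settings the benefits rely on are still in place.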

Well, the hardest part

How to teach people in the company to use it:

  • write a detailed article with screenshots of how to use this service
  • honestly, I don’t have a full answer to this question 😀; I’d like to hear from experienced people about it
