DEV Community

Discussion on: How hackers steal your keys and secrets

Vladyslav Krylasov • Edited

A good option is to use Yubikeys because, in the case of Google Authenticator, if you lose your phone then you're doomed, but a Yubikey stores the codes on hardware, which is really great. Moreover, you can have several backup keys, so even if you lose one you can insert another key into any machine or phone with USB type C and be happy.

Good password protection can be built on top of pass & xkcdpass utils.

  • pass can be used as storage
  • xkcdpass can be used to generate something strong against computer brute force but simple for a human being to remember
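An added example (not code from the thread or from the pass/xkcdpass projects) of the idea behind xkcdpass: pick words uniformly at random with a CSPRNG and compare the resulting entropy against a short random-character password. The word list below is a constructed 32-word sample; a real xkcdpass run uses a list such as the EFF long list (7776 words), and the guess rate passed to the crack-time estimate is an assumed figure, not a measurement.

```python
import math
import secrets

# Constructed sample word list for the demo (32 entries, so each word = 5 bits).
# xkcdpass itself ships with much larger lists, e.g. the 7776-word EFF long list.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "needle", "orange", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "valley", "walnut", "xenon",
    "yellow", "zipper", "bridge", "copper", "desert", "ember", "falcon", "glacier",
]


def generate_passphrase(words, n_words=6, delimiter=" "):
    """Return n_words chosen uniformly at random from `words`, joined by delimiter.

    secrets.choice is a CSPRNG; random.choice would be predictable and must not be
    used for credentials. Duplicates in the list would skew the distribution, so
    they are rejected up front.
    """
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return delimiter.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(vocab_size, n_words):
    """Entropy of an n-word passphrase drawn uniformly from vocab_size words."""
    return n_words * math.log2(vocab_size)


def charset_entropy_bits(length, charset_size=95):
    """Entropy of a `length`-character password drawn uniformly from charset_size
    symbols (95 = printable ASCII), for comparison with a word-based passphrase."""
    return length * math.log2(charset_size)


def expected_crack_years(bits, guesses_per_second):
    """Expected brute-force time: on average half the keyspace must be searched."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, 6)
    print("sample passphrase:", phrase)
    print("6 words from 32-word list:", entropy_bits(32, 6), "bits")
    print("6 words from 7776-word list:", round(entropy_bits(7776, 6), 1), "bits")
    print("8 random printable-ASCII chars:", round(charset_entropy_bits(8), 1), "bits")
    # Assumed attacker speed of 1e10 guesses/s (offline attack on a fast hash).
    print("years to crack 6 EFF words at 1e10 guesses/s:",
          f"{expected_crack_years(entropy_bits(7776, 6), 1e10):.2e}")
```

The point the comparison makes: six words from a 7776-word list (about 77.5 bits) beat eight fully random printable characters (about 52.6 bits) while being far easier to remember, and the strength comes entirely from the list size and word count, not from the words looking unusual.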
Omer Hamerman

True!
I personally use 1Password as my 2FA store, which makes it a bit more secure through the gate of the single passphrase or a fingerprint. The downside is having both the password and the 2FA code accessible after successfully authenticating to a single system.

I do agree that physical hardware takes it a step further, but would you say it's a feasible request for every team out there, even the smaller ones?

Vladyslav Krylasov • Edited

> The downside is having both the password and the 2FA code accessible after successfully authenticating to a single system.

I store passwords in an encrypted format on my own Git server that is only accessible through a specific IP address, which is my own VPN + DNS that really doesn't store logs. The SSH port is still open, so I can push/pull updates from any machine, but the web interface is only reachable through the VPN, and again, the SSH key is stored on a Yubikey, so an attacker needs physical access to my key and has to know the PIN. I cannot imagine a remote attack vector, due to my limited knowledge of the security/crypto field, but it should be secure (I guess).

> I do agree that physical hardware takes it a step further, but would you say it's a feasible request for every team out there, even the smaller ones?

I'm talking here more about personal security, and it's not so attractive for teams, indeed, but it's real security versus impostor security :) 1Password/LastPass should be good options for teams.

Omer Hamerman

Got it.
Well, for secret storage for teams I usually suggest HashiCorp's Vault. My experience with it is excellent. It's open source, secure, and really well thought through in terms of features.

For personal use - good thinking.. I'll consider it myself :)
Although someone a few comments above you mentioned that they, as a team, were getting personal Yubikeys for everyone, with a Vault-specific namespace that was rotated every time an employee left...
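An added example, not posted by anyone in this thread, of how the per-person Vault scoping mentioned above can be expressed without relying on Enterprise namespaces: a single ACL policy that uses Vault's identity templating so each authenticated entity only sees its own subtree of a KV v2 mount. The mount name `secret` and the policy name are assumptions.

```hcl
# Policy "per-user-kv" (assumed name). {{identity.entity.name}} is Vault's
# ACL templating syntax; it expands to the name of the identity entity the
# token belongs to, so alice can only reach secret/alice/* and bob secret/bob/*.

# KV v2 stores data under <mount>/data/<path>
path "secret/data/{{identity.entity.name}}/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Listing and versioned metadata live under <mount>/metadata/<path>
path "secret/metadata/{{identity.entity.name}}/*" {
  capabilities = ["list", "read", "delete"]
}

# Let a user manage their own token, nothing else.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

path "auth/token/renew-self" {
  capabilities = ["update"]
}
```

Because the path is derived from the identity entity rather than hard-coded per person, offboarding does not require editing the policy: revoking the leaving employee's tokens and removing (or disabling) their identity entity is enough to cut off that subtree, and the secrets under it can then be rotated or deleted as a separate step.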

Vladyslav Krylasov • Edited

Sounds really great. I've heard of HashiCorp's Vault many times but haven't had a chance to learn more about it. Will add this to my todo list, thank you.
P.S. Great article.

Omer Hamerman

Thanks mate!

Tarlan Isaev 🍓

Yeah, Vault is awesome, especially when you deal with Terraform. I've just tried this practice on DigitalOcean and it's pretty straightforward. digitalocean.com/community/tutoria... "You'll use Packer to create an immutable snapshot of the system with Vault installed, and orchestrate its deployment using Terraform. In the end, you'll have an automated system for deploying Vault in place, allowing you to focus on working with Vault itself, and not on the underlying installation and provisioning process."