
On top of this, prefer individual accounts and passwords over shared accounts.

Some services require shared passwords, keys, or tokens. Consider grouping them by sensitivity. Key-to-the-kingdom shared accounts should be accessible only to a tiny number of people.

Finally, never send credentials over plaintext, such as email or Slack. 1Password and other password managers have a “share” feature. If need be, send a zipped and encrypted text file and share the password via a voice call.




>If need be, send a zipped and encrypted text file and share the password via a voice call.

Because people are lazy and not everyone wants to write a file, zip it, encrypt it, call someone, spell the password... Consider sending the password regularly over Slack, wait a minute until the other side confirms they got it, and remove the message.

Mediocre solutions that people use are better than perfect solutions that everyone circumvents.


> never send credentials over plaintext, such as email or Slack

Slack works for us in a very small (<5) number of trusted long-time remote devs, but with two important conditions:

1. New/updated password(s) to be shared are in an encrypted KeePass file (encrypted with a preset and prearranged password that was only shared once offline). Recipient merges into their local KeePass file.

2. Confirm recipient is online, send, confirm receipt, delete immediately afterwards.

We use many AWS services so obv all those are handled with AWS Secrets and IAM, so we only need to save the login pwd externally. And for services which support multi-user, Google, GitHub, etc., each user has their own pwd. So not many passwords need to be shared in the above manner. In daily use I keep KeePass open and copy/paste passwords into the browser when needed -- nothing stored online.



