undefined | Better HN

0 pointspphysch2y ago0 comments

More likely: "no one has any idea what these old credentials do, so let's not touch them and potentially break everything"

0 comments

sodality22y ago

Sounds like the perfect time to revoke the credentials and find out what uses them, so we can find why they weren't registered as credentials in use. Personally I'd rather do that, have a team ready, and break production for x minutes in order to properly register auth keys.

I'd definitely consider a "silent" credential - a credential not registered centrally - to be a huge red flag. Either it could get stolen, or break and no one knows how to regenerate it. And it's pretty easy as devs to quickly generate an auth key that ends up being used permanently, without any documentation.

pphyschOP2y ago

> Personally I'd rather do that, have a team ready, and break production for x minutes in order to properly register auth keys.

Sure, but you aren't going to do all that when your team is juggling N other priorities. At least, it will be very difficult getting mgmt and others on board. Unless it's explicitly in the context of a recent breach.

sodality22y ago

Very true. Ideally the culture would be that we’re experiencing some pain now to avoid more later, so we should do it - I’d hope management was on the same page. Real world, unfortunately, often differs.

fierro2y ago

this is more plausible to me

j / k navigate · click thread line to collapse

0 comments

sodality22y ago

pphyschOP2y ago

> Personally I'd rather do that, have a team ready, and break production for x minutes in order to properly register auth keys.

sodality22y ago

fierro2y ago

this is more plausible to me

j / k navigate · click thread line to collapse