undefined | Better HN

0 pointsakerl_15d ago0 comments

This sounds more like a reason to automate token management than an argument for long lived tokens.

0 comments

But then you just move the security issue elsewhere with more to secure. Now we have to think about securing the automation system, too.

This is the same argument I routinely have with client id/secret and username/password for SMTP. We're not really solving any major problem here, we're just pretending it's more secure because we're calling it a secret instead of a password.

Flimm15d ago

Secrets tend to be randomly-generated tokens, chosen by the server, whereas passwords tend to be chosen by humans, easier to guess, and reused across different services and vendors.

collabs15d ago

How does this apply to ssh public keys?

1 more reply

orf15d ago

It’s like 12 lines of terraform to fully automate this, inside your existing IaC infrastructure. It’s not complex.

KetoManx6413d ago

Seems like you work in an organization with one developer. It's never just a "small configuration change" when you need to change the workflow and habits of your entire company.

1 more reply

nightpool15d ago

Why? If Sentry gets compromised, it's the exact same outcome—your Jira tickets get mined for production credentials and downloaded for random. What does automated token management save here?

How long the Jira access lasts depends on you / Sentry detecting and solving the initial intrusion. It doesn't matter how long the Jira token itself lasts if the attackers have access to the database in which its stored or log files in which its been dumped or something like that.

akerl_OP15d ago

This assumes that the intrusion is persistent until Sentry catches it, that Sentry notifies me, that I successfully track all the places I have long-lived tokens that need to be rotated, etc.

j / k navigate · click thread line to collapse

0 comments

ferngodfather15d ago

But then you just move the security issue elsewhere with more to secure. Now we have to think about securing the automation system, too.

Flimm15d ago

Secrets tend to be randomly-generated tokens, chosen by the server, whereas passwords tend to be chosen by humans, easier to guess, and reused across different services and vendors.

collabs15d ago

How does this apply to ssh public keys?

1 more reply

orf15d ago

It’s like 12 lines of terraform to fully automate this, inside your existing IaC infrastructure. It’s not complex.

KetoManx6413d ago

Seems like you work in an organization with one developer. It's never just a "small configuration change" when you need to change the workflow and habits of your entire company.

1 more reply

nightpool15d ago

Why? If Sentry gets compromised, it's the exact same outcome—your Jira tickets get mined for production credentials and downloaded for random. What does automated token management save here?

akerl_OP15d ago

This assumes that the intrusion is persistent until Sentry catches it, that Sentry notifies me, that I successfully track all the places I have long-lived tokens that need to be rotated, etc.

j / k navigate · click thread line to collapse