Password Guidance

  • My company uses BitWarden as a central password manager.  This can generate random, strong passwords or pass phrases of whatever length or complexity is required.

    We have personal vaults and company vaults.  The company vault has areas that have break-glass access and others that are locked down to a handful of individuals.

    BitWarden entries can also include attachments such as public/private key pairs.  It also allows the use of TOTP tokens to provide MFA.

    The advantage of this is that we don't need a plethora of authenticator apps installed on personal devices.  People who leave the company lose access to the company's BitWarden.

    For some systems, we generate a public/private key using Terraform.  We use SnowflakeDB, so when a service user is created, the public key is attached to the user and the private key gets stored as a secret wherever it is needed.  If the service user is for a CI/CD pipeline in GitHub, then this would be stored as a GitHub organisational secret.  Human interaction is unnecessary, and knowledge of those keys is not needed.

    If we have other service users, then, temporarily, we will have Terraform write the key to files and store those files as attachments in BitWarden.

    We have security scanning to make sure that keys and cloud credentials are not stored in GitHub.  We have .gitignore entries for most of that as a first line of defence.

    Snowflake also encourages us to use passkeys.  I need to learn a lot more about these, though I have been told they are more secure than MFA.

    We use OIDC to allow systems external to our AWS infrastructure to authenticate by assuming an AWS IAM role.  That role has strict IAM policies on who or what is allowed to assume that role.  An example where this is used is where a specific GCP Cloud Function wants to send a message to an AWS SQS Queue Topic supporting centralised alerting.
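The Terraform flow described in the post (key pair generated in the run, public half attached to a Snowflake service user, private half pushed to a GitHub organisation secret) as an added example; this is not the poster's own configuration. It assumes the hashicorp/tls, Snowflake-Labs/snowflake and integrations/github providers, and the user name, role name and `var.pipeline_repo_id` are hypothetical placeholders.

```hcl
terraform {
  required_providers {
    tls       = { source = "hashicorp/tls" }
    snowflake = { source = "Snowflake-Labs/snowflake" }
    github    = { source = "integrations/github" }
  }
}

# Key pair is generated inside the Terraform run; the private key is never
# shown to a person, it only flows into state and into the GitHub secret.
resource "tls_private_key" "svc" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

# Snowflake expects the bare base64 body of the public key, without the PEM
# header/footer lines or line breaks.
locals {
  snowflake_public_key = replace(
    replace(
      replace(tls_private_key.svc.public_key_pem, "-----BEGIN PUBLIC KEY-----", ""),
      "-----END PUBLIC KEY-----", ""),
    "\n", "")
}

# Service user authenticates with the key pair only; no password is set.
resource "snowflake_user" "cicd" {
  name           = "CICD_DEPLOY_SVC" # hypothetical user name
  rsa_public_key = local.snowflake_public_key
  default_role   = "DEPLOY_ROLE"     # hypothetical role
}

# Private key goes straight into an organisation secret, scoped to the
# repositories that actually run the pipeline rather than to the whole org.
resource "github_actions_organization_secret" "snowflake_key" {
  secret_name             = "SNOWFLAKE_PRIVATE_KEY"
  visibility              = "selected"
  selected_repository_ids = [var.pipeline_repo_id] # hypothetical variable
  plaintext_value         = tls_private_key.svc.private_key_pem
}
```

Because `tls_private_key` keeps the private key in Terraform state, the state backend needs the same access control and encryption as the password vault; rotating the key is a matter of tainting the `tls_private_key` resource and re-applying.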
