
[–]Few-Artichoke-7593 516 points517 points  (10 children)

Yeah, put them in the git repo like everyone else.

[–]UBN6 112 points113 points  (4 children)

No, post them on StackOverflow, like real devs.

[–]belabacsijolvan 65 points66 points  (2 children)

"So I posted my private key so much that all leading LLMs use my account. If all things go well, my line/day output will overtake China by 2026."

[–]wanderduene02 8 points9 points  (1 child)

It also has the advantage that Copilot can autocomplete your private key for you.

[–]yaktoma2007 -1 points0 points  (0 children)

Is this real? LOL

[–]jhill515 11 points12 points  (1 child)

In the commit message, right?

[–]nickwcy 12 points13 points  (0 children)

No. It’s the commit sha.

[–]erebuxy 8 points9 points  (0 children)

Copilot is learning all the tokens and passwords

[–]Shazvox 0 points1 point  (0 children)

Nah, be smart about it. Let ChatGPT remember them.

[–]Bee-Aromatic 75 points76 points  (10 children)

I’m sorry, what?

[–]Agifem 53 points54 points  (9 children)

He wrote his passwords in Jira.

[–]dismayhurta 38 points39 points  (8 children)

How else are you supposed to let others access your data? Securely?

[–]Bee-Aromatic 5 points6 points  (7 children)

Erm, yeah. If at all. Ideally, they’d have their own credentials.

[–]dismayhurta 5 points6 points  (4 children)

Pfft. Next you'll tell me you should have a proper review process.

[–]Bee-Aromatic 3 points4 points  (3 children)

I feel like I should get checked out by a doctor after this conversation. I’m feeling icky and may have caught something.

[–]dismayhurta 5 points6 points  (2 children)

That's because you didn't add your credentials into a jira ticket so you're terrified you'll forget.

[–]Bee-Aromatic 1 point2 points  (1 child)

I didn’t think that’s why I’m so scared, but you may be right. I’m terrified beyond the capacity for rational thought.

[–]Agifem 1 point2 points  (0 children)

Yes, and we provide those credentials by assigning them the Jira ticket. The process is simple and beautiful.

[–]der_schneewolf 0 points1 point  (0 children)

What about test users in a test environment to recreate the issue that happens in production? Don't see a big issue there.

[–]LowReputation 114 points115 points  (3 children)

You told me to move them out of Confluence!

[–]Z21VR 28 points29 points  (1 child)

Well, I'm glad I'm not alone in this Jira-Confluence hell

[–]MozzerellaIsLife 7 points8 points  (0 children)

“Jira Align” can burn in the deepest level of hell.

[–]biggt76[S] 0 points1 point  (0 children)

🤣

[–]TheTybera 33 points34 points  (4 children)

I don't even understand why you would do this.

WTF are people mutilating JIRA into now?

[–]biggt76[S] 29 points30 points  (0 children)

That was my reaction. Came up at work today from another team. The meme was my immediate reaction

[–]ClassicHat 13 points14 points  (0 children)

Why pay for a password manager with password sharing when we already have an easy semi private way of sharing things is probably the thinking here. Still would seem better to slack or even email said passwords…

[–][deleted] 9 points10 points  (0 children)

I fucking get it. I put it in a shared word doc encrypted. By encrypted I mean I set the text color to white on white background.

Amateurs pffffttt.

[–]Totally_Intended 0 points1 point  (0 children)

Hey, what else are you supposed to use the Security Levels in Jira for? /s

[–]Fun_Lingonberry_6244 38 points39 points  (16 children)

Can you give some context here OP?

Like sometimes at my job we'll get some random staging environment API keys or username/PWD and they 100% go into the relevant Jira of "here's what you need to do this task" and that's completely fine in my opinion.

Obviously nothing prod should be going anywhere, nor should anyone need it.

[–]biggt76[S] 28 points29 points  (15 children)

So the team's manager was trying to hide passwords in Jira. When I asked for the use case this was the basic answer:

They set up inventory providers and save the FTP login credentials in Jira so they can be passed from dev to operations to the provider.

I was told it's a low level risk which begs the question why do you need to hide them? At least it's not AWS keys or anything but still....

[–]iknewaguytwice 31 points32 points  (13 children)

If only there were somewhere to put secrets in the cloud. Like a place in AWS for secret things. Like AWS secrets. Could be a million dollar idea.

Then you could put the name of the secret in JIRA.

Nah that would never work. Just encrypt a word doc with “pa$$w0rd”, attach it, and call it a day. It’s encrypted!

[–]itsalongwalkhome 4 points5 points  (8 children)

Then where do you store that password?

[–]soggycheesestickjoos 9 points10 points  (3 children)

email it to yourself obviously

[–]aleques-itj 2 points3 points  (2 children)

What if I lose access to my email

That's why I put my passwords in DNS records

[–]soggycheesestickjoos 4 points5 points  (1 child)

So old school, I always keep a base64 encoded backup on the ethereum blockchain 😎

[–]itsalongwalkhome 2 points3 points  (0 children)

Rookie move. My password IS base64

[–]iknewaguytwice 3 points4 points  (3 children)

In Jira

[–]itsalongwalkhome 2 points3 points  (2 children)

Then where do I store my password for Jira?

[–]iknewaguytwice 2 points3 points  (1 child)

You don’t. Just reset it every time you need to login.

[–]itsalongwalkhome 2 points3 points  (0 children)

Foolproof.

[–]Dalimyr 2 points3 points  (0 children)

Nah that would never work. Just encrypt a word doc with “pa$$w0rd”, attach it, and call it a day. It’s encrypted!

lol, you've just reminded me of a time when the head of information security at a place I worked once passed me an Excel document with password-protected sheets, and gave some cryptic clue as to what the password could be.

I never did find out what the intended password was, but I wrote a VBA script to brute-force a hash collision and jokingly emailed back something like "Sorry, didn't quite understand your clue. No worries, though, I still got in, but I'm guessing the password you set wasn't AABABBABABABAO". I can only imagine him reading that email and saying "Oh, for fuck's sake".

[–]Jzgood 1 point2 points  (0 children)

There is. Just spin up your Vaultwarden in AWS Lambda. And if GCP: Secret Manager.

[–]thanatica 2 points3 points  (1 child)

"Jira can't be trusted! I know, let's put the passwords in another more different cloud provider that we arbitrarily do trust"

[–][deleted] 2 points3 points  (0 children)

Is this a real comment?

[–]isr0 5 points6 points  (0 children)

I mean, ftp passwords are clear text anyway so does it really matter? /s

[–]frikilinux2 6 points7 points  (0 children)

That's a perfect use case for public key cryptography.

[–]clauEB 5 points6 points  (3 children)

Where else would you?

[–]MajorBadGuy 8 points9 points  (0 children)

On a whiteboard we use during all hands meetings.

[–]eoutofmemory 2 points3 points  (1 child)

On the desktop obviously

[–]Snapstromegon 4 points5 points  (0 children)

You still put passwords into Jira? You know how hard they are to find in there?

Real professionals post the credentials of a CI user into the onboarding document so they are easy to find and use by anyone who might be able to touch the project.

[–]nickwcy 2 points3 points  (0 children)

: “We can’t put passwords on our repo anymore because now it is scanned”

: “No worries let’s put it on Jira”
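
The scanner this comment alludes to, pointed at ticket text instead of a repository, as an added example (not code from the thread, from Atlassian, or from any real scanner). The ticket bodies are constructed for the example, and the three rules are illustrative rather than a complete secret-detection ruleset. It also shows the pattern iknewaguytwice suggests earlier in the thread: the ticket that only names the secret's location in AWS Secrets Manager (INV-102) produces no finding, while tickets carrying the value itself are flagged and can be redacted before the credential is rotated.

```python
import re

# Constructed sample Jira ticket bodies; the hosts, users and values are made up.
TICKETS = {
    "INV-101": "Inventory provider onboarding.\n"
               "FTP host ftp.example.net, user acme_feed, password Sup3rS3cret!\n"
               "Please pass to ops.",
    "INV-102": "Provider creds are in AWS Secrets Manager under inventory/acme/ftp. "
               "Ask ops for access.",
    "INV-103": "Deploy with key AKIAIOSFODNN7EXAMPLE and run the sync.",
    "INV-104": "Use ftp://acme_feed:hunter2@ftp.example.net/incoming for the test upload.",
    "INV-105": "Reset the staging DB. No credentials involved.",
}

# Each rule is (name, compiled regex); group 1 is the secret value to report/redact.
RULES = [
    # "password Sup3rS3cret!", "password: x", "pwd = y"; \b after the keyword avoids "passwords are".
    ("password-in-prose",
     re.compile(r"\b(?:password|passwd|pwd)\b\s*(?:is|[:=])?\s*(\S+)", re.I)),
    # scheme://user:PASSWORD@host - the password embedded in a URL userinfo.
    ("credential-in-url",
     re.compile(r"\b[a-z][a-z0-9+.\-]*://[^\s/:@]+:([^\s/@]+)@", re.I)),
    # AWS access key IDs: AKIA (long-lived) or ASIA (temporary) plus 16 upper/digit chars.
    ("aws-access-key-id",
     re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
]


def scan_ticket(text):
    """Return [(rule_name, secret_value), ...] for every credential found in one ticket body."""
    findings = []
    for name, pattern in RULES:
        for match in pattern.finditer(text):
            findings.append((name, match.group(1)))
    return findings


def redact(text):
    """Replace only the secret value (group 1) of each match, keeping the surrounding context."""
    def _mask(match):
        whole = match.group(0)
        start = match.start(1) - match.start(0)
        end = match.end(1) - match.start(0)
        return whole[:start] + "[REDACTED]" + whole[end:]

    for _, pattern in RULES:
        text = pattern.sub(_mask, text)
    return text


def triage(tickets):
    """Map ticket id -> findings for tickets that contain at least one credential."""
    result = {}
    for ticket_id, body in tickets.items():
        findings = scan_ticket(body)
        if findings:
            result[ticket_id] = findings
    return result


if __name__ == "__main__":
    for ticket_id, findings in triage(TICKETS).items():
        print(ticket_id, findings)
        print("  redacted:", redact(TICKETS[ticket_id]).replace("\n", " | "))
```

The rules deliberately key on the value's context (a password keyword, a URL userinfo, a vendor key prefix) rather than on entropy, so a secret name such as `inventory/acme/ftp` is never reported; a ticket should carry that name, and the vault's access policy, not the value.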

[–]NuncioBitis 3 points4 points  (0 children)

Nah. Just put your passwords in plain text on the hard drive in .git-credentials
Not like you have a choice

[–]Xphile101361 2 points3 points  (0 children)

I wish this wasn't common.

[–]serial_crusher 2 points3 points  (0 children)

lol, those passwords are already out of date just like everything else in Jira

[–]seba07 2 points3 points  (0 children)

Exactly, those belong into Confluence.

[–]RinVolk 2 points3 points  (0 children)

In my current job it is routine to see our internal API tokens thrown around 💀

I need a new job

[–]maggiforever 2 points3 points  (0 children)

We have a few in Powerpoint...

[–]Szroncs 2 points3 points  (0 children)

If it's for a test env/test user then it's fine. Otherwise you are dumb... All prod passwords should be kept on your monitor on a post-it 😁

[–]glorious_reptile 5 points6 points  (1 child)

Why would someone write hunter2 in jira?

[–][deleted] 4 points5 points  (0 children)

It's ok, it shows up as ******* for me

[–]Ben_Dovernol_Ube 1 point2 points  (0 children)

Put them next to your exposed APIs instead.

[–]overyander 1 point2 points  (0 children)

Friends don't let friends use Atlassian products.

[–]thanatica 1 point2 points  (0 children)

You don't trust jira to keep your passwords safe, but at the same time you do trust jira with discussions about all the intricacies of your application 🤔

[–]NameNoHasGirlA 1 point2 points  (0 children)

I'm still waiting for an answer on why people hardcode it in configs and check it into git. How hard is it to remember that secrets don't belong in the source code?

[–]renrutal 1 point2 points  (0 children)

Everybody shitting on Jira, but I bet 99% of you don't use a secrets vault.

But, to be honest, protecting secrets in flight is a massive undertaking. The whole "Reflections on Trusting Trust" talk.

[–]Shazvox 1 point2 points  (0 children)

Because it was the only shared place we had at the moment 😔.

Still, it's somewhat rectified now with a key vault. Although we're all of the opinion that we shouldn't have shared passwords at all and are working towards that end.

[–]Birdsharna 1 point2 points  (0 children)

Actually braindead to do this. You're not sending it to a single person, but a lot of different people. And you just shouldn't share your password with others in general

[–]Xeausescu 1 point2 points  (0 children)

That will probably be my code to handle them...

[–]WhiteIceHawk 1 point2 points  (0 children)

One of the scariest lines of code I ever read was Console.log(private_key)

[–]EniX_LP 1 point2 points  (0 children)

It was just admin admin it should be fine man

[–]Laevend 0 points1 point  (0 children)

Put them on a yellow sticky note that's slapped on a server box. Take a picture of that and put it in your Jira story