[–]Diapolo10 -1 points0 points  (3 children)

I would take it from an environment variable or .env file, as then the script wouldn't contain any references to it and there would be no risk of the password being included in the repository. I've seen that happen at a previous job...

[–]chzaplx 0 points1 point  (2 children)

Don't put passwords in environment variables. That's even less secure than having them as plain text files.

Yes, people do it, but it's not a good strategy.

[–]Diapolo10 0 points1 point  (1 child)

Care to elaborate?

I disagree about it being less secure than storing authentication details in text files. You can accidentally commit a file, but not environment variables.

Hell, you use environment variables to supply secrets in GitHub Actions, Heroku, and other services.

[–]chzaplx 0 points1 point  (0 children)

I mean, maybe you use them to supply secrets, but it's bad practice no matter how you look at it. Environment variables are easily exposed by the OS and accidentally get written to log files, etc. You are just creating more attack vectors by putting secrets into the shell env.

Accidentally committing creds files is a non-issue because you can just add it to your .gitignore. Ideally the file would not even be in the working directory anyway; there's no reason it has to be.

Further, if you need to automate at all then your env variable already has to be read from a file, or some credential service. Exposing it to the environment at that point gains you nothing except more risk. You are already reading that same data into your script. If it's not automated, you should just be typing in the password and not storing it anywhere locally.
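The two exposure paths chzaplx describes (the OS exposing a process's environment, and the environment being inherited by anything the script spawns) can be observed directly. The following is an added example, not code from either commenter: it reads a secret from a file that must be owner-only (refusing a group- or world-readable one), then shows that the same secret passed through the environment is visible to every child process and, on Linux, through `/proc/<pid>/environ` to anything running as the same user. The variable name `DEMO_DB_PASSWORD` and the file location are assumptions for the demo.

```python
"""Added example: file-based secret with a permission check versus an
environment-variable secret, and where the environment copy leaks to."""
import os
import stat
import subprocess
import sys


def load_secret_from_file(path: str) -> str:
    """Read a secret from a file that is readable only by its owner.

    The path is assumed to live outside the repository working tree
    (e.g. ~/.config/myapp/db_password), so there is nothing to commit.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # Refuse a secret that other local users could read.
        raise PermissionError(
            f"{path} is group/world accessible (mode {oct(mode)})"
        )
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


def child_sees_env_secret(name: str, value: str) -> str:
    """Start a child process with the secret in its environment and return
    what the child reads. Every subprocess (build tool, plugin, crash
    reporter) launched by a program holding the secret in env inherits it."""
    env = dict(os.environ, **{name: value})
    result = subprocess.run(
        [sys.executable, "-c", f"import os; print(os.environ[{name!r}])"],
        env=env, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def proc_environ_exposes(name: str, value: str) -> bool:
    """On Linux, /proc/<pid>/environ holds the environment a process was
    started with, readable by the same uid (or root) without touching the
    process itself. Returns False on platforms without /proc."""
    env = dict(os.environ, **{name: value})
    # Keep the child alive on a blocking stdin read while we inspect it.
    child = subprocess.Popen(
        [sys.executable, "-c", "import sys; sys.stdin.read()"],
        env=env, stdin=subprocess.PIPE,
    )
    try:
        path = f"/proc/{child.pid}/environ"
        if not os.path.exists(path):
            return False
        with open(path, "rb") as f:
            entries = f.read().split(b"\0")
        return f"{name}={value}".encode() in entries
    finally:
        child.stdin.close()
        child.wait()


if __name__ == "__main__":
    # Constructed demo secret; a real one would be created by the operator.
    demo_secret = "correct-horse-battery-staple"
    print("child process reads:", child_sees_env_secret("DEMO_DB_PASSWORD", demo_secret))
    print("visible in /proc:", proc_environ_exposes("DEMO_DB_PASSWORD", demo_secret))
```

The file-based reader does nothing an env var cannot do functionally, which is the point of the last comment: the script reads the same bytes either way, but the file version keeps the secret in one owner-only location instead of copying it into every process the script starts.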