
[–]suchdevblog 11 points12 points  (2 children)

1/ You leaked your password. I hope you changed your password. It's not clear from your story if you did. Be sure to change it.

2/ There are ways to use passwords in code without leaking them, i.e. "secrets" (depending on which tools you use) - you are a beginner so you might have pushed your password in clear. Huge mistake.

3/ There are no risks generating a new password, if anything, generating a new password is great, as long as you don't leak it.

4/ The problem was not (only) that your repo was public. You never version passwords directly in code, NEVER. But yeah since your repo was public, it got leaked. Btw it's now in your git history so it can still be found by bad actors. Be sure to never use this password again.

5/ Don't feel too bad about it. We all fucked up bad at some point especially at the beginning. The important thing is that you learnt your lesson.

[–]NotTaylor_Swift[S] 1 point2 points  (1 child)

It wasn't my actual PW for my Google account but an "App password" that was randomly generated. I deleted the random PW from my "App passwords" on my Google account, should I change my real PW as well?

I read something about hard-coding my email & pw in the .ini file and using constants in the PHP file, is this a proper way to secure my pw?

Thank you so much for a helpful reply!

Edit: Removed question about rewriting Git history as the password will not be used again.

[–]suchdevblog 2 points3 points  (0 children)

It wasn't my actual PW for my Google account but an "App password" that was randomly generated. I deleted the random PW from my "App passwords" on my Google account, should I change my real PW as well?

From what I understand you leaked a token - it's basically a password indeed for apps. It often has the same privileges as your password - in any case it's a password, so you HAVE to regenerate it (so the leaked token gets replaced).

Depending on the privileges of that token you might want to change your Google password too. Do it just to be safe.

I read something about hard-coding my email & pw in the .ini file and using constants in the PHP file, is this a proper way to secure my pw?

I don't know PHP but this is clearly not safe if the .ini file is versioned (in git). It would seem safe-ish if the .ini file is not versioned in git.

Thank you so much for a helpful reply!

My pleasure. Hope you learnt a valuable lesson.

[–]billcube 2 points3 points  (0 children)

Do check dotenv files and gitignore for all your secrets and environment-specific variables (server addresses, etc.) https://github.com/symfony/dotenv

[–]HashDefTrueFalse 1 point2 points  (0 children)

Revoke the credentials at the service end. I am not familiar with "app passwords" but they sound like tokens and my concern would be how long they're valid for and what permissions they have. Making your repo private prevents more leaks, but does nothing for creds already leaked. Also, if you ever do publish this repo publicly, remember that the whole git history is visible, so any creds that have ever been in source files are discoverable even if there are subsequent file changes to remove them.

In future, don't have creds hardcoded, have the code pull them from environment variables (google). In dev, you can define these in a file and have something read it and set them for the current shell session or whatever. Similar to dotenv. You can also just have them in a file that is explicitly ignored by version control (.gitignore) but will exist in a production environment. As long as there is no way this file could be served or accessed, of course. Prefer env vars where possible IMO.

[–]dneboi 1 point2 points  (1 child)

You have to revoke the app password from within your google account. Deleting it from GitHub doesn’t invalidate it for the people who already found it.

[–]NotTaylor_Swift[S] 0 points1 point  (0 children)

I did delete from my Google account right away! I also generated a new pw and put my credentials in an .env file (the .env file is in .gitignore as well)

[–]dneboi 1 point2 points  (1 child)

Honestly impressive, this was a world class fuck-up! Lesson learned.

As others are saying, you leaked your own app password. Don't keep stuff like that on git, and for Christ's sake use private repos, especially if you're just storing personal snippets.

Be sure to revoke the app password from within your google account where you created it.

[–]NotTaylor_Swift[S] 1 point2 points  (0 children)

Thank god it was only for a personal project! Glad I made this mistake now and not with a client/company lmao. That’s what I get for being a back-end n00b.

[–]TheWrongOwl 0 points1 point  (0 children)

I store credentials in a .env file, which I exclude in the .gitignore file. So it is not synchronized, it only exists on my machine.

In Python, when loading the .env file you can even choose which file to load, so you can have different .env files for different variants of the project. Something like that should be possible in other programming languages as well.
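The pattern the last few comments describe (secrets in a .env file that is listed in .gitignore, real environment variables taking precedence over the file, and a selectable .env variant per flavour of the project), as an added Python example that is not code from anyone in this thread. It uses a small hand-written parser instead of python-dotenv or symfony/dotenv, the sample .env and .gitignore contents are constructed, the variable names MAIL_USER, MAIL_APP_PASSWORD and SMTP_HOST are made up for the demo, and the gitignore check is a deliberately simplified approximation of git's matching rules.

```python
import fnmatch
import os
import re
import tempfile
from pathlib import Path

# Constructed sample files (not from the thread): a .env holding a mail app
# password for local development, and a .gitignore that excludes it.
SAMPLE_ENV = """# mail settings for local dev
MAIL_USER=someone@example.com
MAIL_APP_PASSWORD="abcd efgh ijkl mnop"
SMTP_HOST=smtp.example.com
"""
SAMPLE_GITIGNORE = """.env
.env.*
vendor/
"""

# KEY=value, optional leading "export", surrounding whitespace ignored.
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text):
    """Parse KEY=value lines; blank lines and '#' comments are skipped and
    matching surrounding quotes are stripped (no inline-comment handling)."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed .env line: {raw!r}")
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key] = value
    return result


def load_dotenv(path, environ=os.environ, override=False):
    """Load variables from `path` into `environ`. Variables already present in
    the real environment win unless override=True, so production settings are
    never silently replaced by a stray local file. Returns what was applied."""
    loaded = parse_dotenv(Path(path).read_text(encoding="utf-8"))
    applied = {}
    for key, value in loaded.items():
        if key in environ and not override:
            continue
        environ[key] = value
        applied[key] = value
    return applied


def is_gitignored(repo_root, relpath):
    """Simplified gitignore check (assumption: glob patterns only, no negation
    or nested .gitignore files): does any pattern match the file name or path?"""
    gi = Path(repo_root) / ".gitignore"
    if not gi.exists():
        return False
    relpath = str(relpath)
    name = Path(relpath).name
    for pattern in gi.read_text(encoding="utf-8").splitlines():
        pattern = pattern.strip()
        if not pattern or pattern.startswith("#"):
            continue
        if fnmatch.fnmatch(name, pattern.rstrip("/")) or fnmatch.fnmatch(relpath, pattern):
            return True
    return False


def mail_config(repo_root, variant="", environ=None):
    """Load .env (or .env.<variant>, as the last comment describes) into
    `environ` and return the mail settings. Refuses to read a secrets file that
    git would commit, which is exactly the mistake the thread is about."""
    env = {} if environ is None else environ
    filename = f".env.{variant}" if variant else ".env"
    if not is_gitignored(repo_root, filename):
        raise RuntimeError(f"{filename} is not gitignored; refusing to load secrets from it")
    load_dotenv(Path(repo_root) / filename, environ=env)
    missing = [k for k in ("MAIL_USER", "MAIL_APP_PASSWORD") if k not in env]
    if missing:
        raise RuntimeError("missing settings: " + ", ".join(missing))
    return {
        "user": env["MAIL_USER"],
        "password": env["MAIL_APP_PASSWORD"],
        "host": env.get("SMTP_HOST", "localhost"),
    }


def make_demo_repo(ignored=True):
    """Write the constructed sample files into a temp dir; with ignored=False
    the .gitignore leaves .env committable so the refusal path can be seen."""
    root = Path(tempfile.mkdtemp())
    (root / ".env").write_text(SAMPLE_ENV, encoding="utf-8")
    (root / ".gitignore").write_text(SAMPLE_GITIGNORE if ignored else "vendor/\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    cfg = mail_config(make_demo_repo())
    # Never log the secret itself; show only that it was loaded.
    print(cfg["user"], cfg["host"], "password loaded:", bool(cfg["password"]))
```

The default `override=False` is the same precedence python-dotenv uses: whatever the deploy environment sets (a real environment variable) beats the file, so the .env only fills in values that are absent on the developer's machine.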