Menu
Is it considered good practice to store passwords in a Github private repository?
[Related to, but very different from, this question]
301
In short, don't store your secrets in Git! This applies to both secrets that are hardcoded into your application (such as putting the database password directly in the source code, which should be avoided at any cost), as well as keeping configuration files with secrets alongside your source code (such as .
Encrypt the sensitive data (purpose of this reply) If you want to store your config files containing sensitive information (like passwords) in a public location then it needs to be encrypted. The files could be decrypted when recovered from the repository, or even used straight from their encrypted form.
Private repositories are intriguing because they offer security protections that public repositories don't, such as ensuring that sensitive data like passwords, SSH keys, API keys and other information isn't accidently exposed.
Never store credentials as code/config in GitHub.
I'd like to break this question into two parts:
Also, when you store credentials, encrypt them and store the key elsewhere.
93
I don't believe it's ever a good practice to store passwords anywhere else than where absolutely necessary. GitHub doesn't strike me as meeting such conditions.
40
It's certainly not 'good practice'.
Whether it's tolerable depends on your security requirements. For SCI clearance type work that ** won't fly.
For a private fun project its probably ok. But putting sensitive passwords anywhere on the cloud is probably not a good idea.
Projects that are serious about security usually don't keep plaintext passwords in their security files.
25
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
