I was going to make a suggestion about PGP or GPG or whatever, but those tools are so bad you can't expect software engineers to know how to use them... (not sarcasm)
Snark aside. What I mean here is that GPG is difficult to use and I would guess 90% of programmers don't know how to use it.
GPG works fine for me too, and is fairly straightforward (except for email encryption, since my recipients often don’t want encryption, and there is also a lack of good email clients supporting encryption).
It depends on your company’s retention policy for historical messages. Otherwise, you’re basically signed in as that user, so you can see whatever they see… which can be a lot depending on the company’s transparency.
I’m aware of many companies who have moved to a 90 day message retention policy in Slack. I thought it was a cost saving measure. But I’m beginning to see the wisdom in it.
In a previous project I worked on, we used to nickname the passwords used throughout the system. The password re-use was virtually non-existent, but sometimes we forgot which system required which one (we were installing and erasing a lot of servers for testing stuff).
So, someone would ask for a password to a system, and we'd answer "the ridiculously long one", or "the one X came up with", or "variation 5".
When one of the security guys overheard what we did and asked for the details, we told him what we do. The answer was "oh, that's neat! Go on".
I'm a contract worker and oftentimes a company first onboards me to Slack, then sends me a bunch of login information in plain text after opening an internal ticket to add me to various systems.
Fortunately, AWS from my example makes you set a new one after this. I'm sure there are other company-administered services with similar dynamics where the pwd change isn't required or the admin won't check that box because they are bad at their job.
Start by not having a password manager that is universally adopted across the corporation.
Then maybe you've got a planned change that requires a manual operation on the production database, and you don't have the password already because it's rotated daily.
Maybe you need the agent license key for the monitoring system, so you can add it to the secrets file for the new host you're setting up.
Maybe someone created a new service and asked you to generate a new OAuth2 client secret for it, and you need to send it to them.
Maybe it's corporate policy that every laptop must have an encrypted disk, and you've mailed a new remote worker a laptop and now need to send them the disk password by a different channel.
Maybe you occasionally need to work with some decrepit system that doesn't support single sign-on, like a server's IPMI or some obscure bit of network equipment.
Of course there are better options than Slack (which doesn't even have an off-the-record mode), but if Slack is what everyone uses? Well....
Once a message is deleted there is no way to recover it, to my knowledge. But message retention in Slack is infinite. Further, sessions are infinite, at least last I set it up.
I think we set something like 1 year of retention for "public" channels, 9 months for private, and then certain channels can lower it beyond that. Same for files. And we have our tokens expire once a month.
Buttons840|3 years ago
VPenkov|3 years ago
I use PGP very frequently and I'd like to know what's bad about it so I could maybe look for alternatives.
aborsy|3 years ago
rbera|3 years ago
lelandfe|3 years ago
bayindirh|3 years ago
Tempest1981|3 years ago
kenjackson|3 years ago
naet|3 years ago
ajmurmann|3 years ago
michaelt|3 years ago
staticassertion|3 years ago
The defaults for Slack are pretty insane.
tokza|3 years ago