A user's password is something I shouldn't see in a log, even if I'm in control of what gets logged and frequently access them to do my job.

Even if I trust me.

Audits happen. I assume other people will eventually see this bad practice.

Audits and bad practice are second-order things.

My argument is that generally everyone has access to all the logs. If you restrict the access and add guardrails around it, you can minimize the surface area and also the ways it can be leaked out.

If you take a defensive approach, you have to assume that some secret is getting logged somewhere. The goal then becomes a way to reduce the surface area or blast radius of this possible leakage.

Limiting access helps, but if you are storing the logs on a 3rd party (e.g. DataDog, CloudWatch), you will still need to assume it can leak through that 3rd party and start rotating.