Reported to 1Password 2023, disclosure authorized by 1Password 2024, repo published yesterday, no?

Oh wow, my bad. I saw 2024 as the disclosure and thought, well obviously 1Password have fixed that by now. Huh. Unflagged.

So, as someone who literally last month moved all of his .env into 1Password and was feeling pretty, pretty smart about it: what now?

(Did that, by the way, on the advice of a comment here in response to the previous npm hack, whatever that was, where that commenter said 'you're a fool if you don't have your keys in a password manager' and so on and so forth. Security is hard?)

> what now?

Put the secrets in their own vault, use a service account to access them and then follow the same rules as sudo's grace period - dedicated terminal session, run only the commands that need to be privileged and exit the session as soon as you don't need it any more
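One way to script the "dedicated session" advice above, as an added example that is not from this thread or from 1Password's own code. It assumes the 1Password CLI is on PATH as `op`, that the service-account token sits in a file you pick, and that the vault and item names in the template are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the 1Password CLI `op` is on
# PATH; vault/item names below are placeholders, not real references.

# 1. The .env file on disk holds only op:// references, never plaintext
#    secrets, so a stolen working copy is worthless on its own.
#    Constructed sample template; $1 = path to write.
write_env_template() {
  cat > "$1" <<'EOF'
DATABASE_URL="op://Project-Secrets/db/connection-string"
STRIPE_KEY="op://Project-Secrets/stripe/api-key"
EOF
}

# 2. Run exactly one command with the secrets resolved, inside a subshell.
#    The service-account token is exported only there, so neither the token
#    nor the resolved values survive in the interactive shell afterwards,
#    much like a sudo grace period that ends the moment the command returns.
#    $1 = token file, $2 = env template, remaining args = command to run.
with_secrets() {
  token_file="$1"; env_file="$2"; shift 2
  [ -r "$token_file" ] || { echo "with_secrets: token file unreadable" >&2; return 2; }
  [ -r "$env_file" ]   || { echo "with_secrets: env template unreadable" >&2; return 2; }
  (
    OP_SERVICE_ACCOUNT_TOKEN="$(cat "$token_file")"
    export OP_SERVICE_ACCOUNT_TOKEN
    # `op run` resolves each op:// reference into the child's environment
    op run --env-file="$env_file" -- "$@"
  )
}

# 3. Self-check for the calling shell: true only if something leaked.
secrets_leaked() {
  [ -n "${OP_SERVICE_ACCOUNT_TOKEN:-}" ] || [ -n "${DATABASE_URL:-}" ] || [ -n "${STRIPE_KEY:-}" ]
}

# Usage (hypothetical paths):
#   write_env_template ./.env
#   with_secrets "$HOME/.config/op-token" ./.env npm run migrate
#   secrets_leaked && echo "WARNING: secrets persisted in this shell"
```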

I’m a solo dev. Service accounts are an enterprise feature.

I'm wrong again! See the rest of this thread.