13

Is it considered good practice to store passwords in a Github private repository?

[Related to, but very different from, this question]

Community
  • 1
  • 1
julien_c
  • 4,942
  • 5
  • 39
  • 54

3 Answers3

20

I'd like to break this question into two parts:

  • Is it a good practice to store passwords in source control? No. Credentials are not versioned in the same way. For example, you should be able to change your password without releasing a new build of your software.
  • Is it a good practice to store passwords in the cloud? That's really up to your tolerance for security and reliability. In this case, you're outsourcing both to GitHub. If GitHub loses your data, do you have a backup elsewhere? If GitHub gets hacked (e.g. your private repo briefly becomes public) or if they don't securely destroy old drives, what's the impact if an unauthorized person has your credentials?

Also, when you store credentials, encrypt them and store the key elsewhere.

aingram
  • 446
  • 2
  • 9
2

It's certainly not 'good practice'.

Whether it's tolerable depends on your security requirements. For SCI clearance type work that ** won't fly.

For a private fun project its probably ok. But putting sensitive passwords anywhere on the cloud is probably not a good idea.

Projects that are serious about security usually don't keep plaintext passwords in their security files.

hvgotcodes
  • 118,147
  • 33
  • 203
  • 236
2

I don't believe it's ever a good practice to store passwords anywhere else than where absolutely necessary. GitHub doesn't strike me as meeting such conditions.

Julio Santos
  • 3,837
  • 2
  • 26
  • 47