Managing Passwords and Application Secrets: Common Anti-Patterns

10 ways that development teams screw this up

Come gather ‘round all you developers, technical managers, and sys admins. Give your brainy heads a conspiratorial tilt in this direction.

A little closer. That’s better. Now, let’s talk about secrets.

No, I don’t mean that thing you do in the… with the… That’s… you really shouldn’t tell anyone about that.

No, I’m talking about the secrets you use at work and on side projects. Passwords. API keys. Database credentials. The admin dashboard password. The Redis connection string. The stuff your app needs to do its thing, but could cause quite a bit of damage if you were to, say, write them on a post-it note and leave it in this guy’s line of sight:

So, what’s the problem? Piece of cake, right?

You keep them encrypted, manage them securely, control access tightly, and rotate them on a regular basis. No one sends secrets over email or Slack. You never lose time debugging issues caused by missing or outdated config. You treat development secrets with the same care as production secrets.

All is well in the Kingdom Of Secrets.