Modern credential management – security tokens, password managers, and a simple spreadsheet:

– there are no "secure" or "insecure" credentials as long as you don't define your own threat model
– use password managers to actually manage (not only store) passwords
– use a spreadsheet to keep track of the rest (SSH keys, GPG keys)

@infosechandbook Why the spreadsheet? Just store your SSH keys in your password manager!


Because there are things that can't be stored in a password manager, as stated in the blog post. It is hard to store one's YubiKey or Nitrokey in a software password manager. However, these things also are, or contain, credentials and need to be managed.

@infosechandbook @mschuster I find storing token/key/card details in a single file is a bad #security posture: backup location, what systems it has access to, whether the key is a hardware token or a software one, all of it centralized in an Excel file. For SSH keys, you already have some of this information in the public key file, which you can change. For GPG, there are tons of mechanisms in the gnupg client which allow you to see this information, and also store it (even for hardware tokens).
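An added example, not code from any participant in this thread, illustrating the comment above that an SSH public key file already carries inventory data. The parser reads `.pub`/`authorized_keys` lines, checks that the declared key type matches the type embedded in the base64 blob, derives the OpenSSH-style SHA256 fingerprint, key size and comment, and flags FIDO-backed (`sk-`) keys. The sample keys are constructed inline and are not real keys; the function and record names are this example's own, not anything from the blog post or from OpenSSH.

```python
import base64
import hashlib
import struct

# OpenSSH emits these type prefixes for FIDO-resident keys (ssh-keygen -t ed25519-sk / ecdsa-sk).
# Keys held on a PIV applet or OpenPGP card look like ordinary ssh-rsa/ecdsa keys, so the
# absence of the prefix does not prove a key is software-only.
SK_PREFIX = "sk-"


def _wire_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_wire_strings(blob: bytes) -> list:
    """Split a public key blob into its length-prefixed fields, rejecting truncated input."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def build_sample_pubkey_line(key_type: str, fields: list, comment: str = "") -> str:
    """Constructed sample line in .pub/authorized_keys format; `fields` are placeholders, not real key material."""
    blob = b"".join(_wire_string(f) for f in [key_type.encode(), *fields])
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_pubkey_line(line: str) -> dict:
    """Parse '<type> <base64 blob> [comment]' into an inventory record (hypothetical record layout)."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # raises ValueError on bad base64
    fields = _read_wire_strings(blob)
    if not fields or fields[0] != key_type.encode():
        raise ValueError("declared type does not match the type embedded in the key blob")
    # OpenSSH's SHA256 fingerprint is base64(sha256(blob)) with the '=' padding removed.
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    if key_type == "ssh-rsa":
        bits = int.from_bytes(fields[2], "big").bit_length()  # fields: type, e, n (mpint)
    elif key_type in ("ssh-ed25519", "sk-ssh-ed25519@openssh.com"):
        bits = 256
    elif key_type.startswith(("ecdsa-sha2-", "sk-ecdsa-sha2-")):
        bits = int(fields[1].decode()[-3:])  # curve id such as b"nistp256"
    else:
        bits = None
    return {
        "type": key_type,
        "bits": bits,
        "fingerprint": fingerprint,
        "comment": comment,
        "hardware_backed": key_type.startswith(SK_PREFIX),
    }


def inventory(text: str, source: str = "authorized_keys") -> list:
    """Parse every key line of a file; malformed lines are kept as error records, not silently dropped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            rec = parse_pubkey_line(stripped)
        except ValueError as exc:
            rec = {"error": str(exc)}  # includes authorized_keys option-prefixed lines, which are not handled here
        rec.update({"source": source, "line": lineno})
        records.append(rec)
    return records


# Constructed sample file: placeholder key bytes, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    build_sample_pubkey_line("ssh-ed25519", [bytes(range(32))], "alice@laptop"),
    build_sample_pubkey_line("sk-ssh-ed25519@openssh.com", [bytes(range(32, 64)), b"ssh:"], "alice@yubikey"),
    build_sample_pubkey_line("ssh-rsa", [b"\x01\x00\x01", b"\x00" + b"\xff" * 256], "deploy@ci"),
    "ssh-ed25519 AAAA not-a-valid-blob",
])

if __name__ == "__main__":
    for rec in inventory(SAMPLE_AUTHORIZED_KEYS):
        print(rec)
```

Only `sk-` keys identify themselves as hardware-backed; a key whose private half lives on a PIV applet or an OpenPGP card is indistinguishable from a file-based key in the `.pub` line, which is exactly the gap a separate inventory (spreadsheet or otherwise) has to fill. The type check matters because the text prefix is what humans read while the blob is what sshd actually uses; a mismatch is a sign the line was hand-edited or tampered with.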
