It’s Time to Get Rid of Passwords in Our Infrastructure


Passwords are everywhere. Sometimes they are obvious — hardcoded in the code or lying in a plain file. Other times they take the form of API keys, tokens, cookies or even second factors. Developers pass them in environment variables, vaults mount them on disk, teams share them over links and copy them into CI/CD systems and code linters. Eventually someone leaks, intercepts or steals them. They are a security risk, and there is no other way to say it: passwords in our infrastructure have to go.

There are two fundamental issues with passwords.

  1. They can be guessed and brute-forced. Random password generators only partially address this problem.
  2. Hackers can intercept and steal passwords well before any breach is detected. In fact, every single system or user that ever gets access to a password increases the probability of a compromise. This problem cannot be solved, because a password is just a string of characters passed as is.

In this post, I will briefly show where to find the passwords lurking in your infrastructure. I will also challenge the status quo assumptions about what we consider “good enough” replacements for passwords. Bear with me for a contrarian take on some approaches we consider secure today.

Identify the passwords used in your system

I define a password as any text that can be copied and passed “as is” from a client to a service on the wire for authentication.

There are several types of passwords:

Where there are passwords, there are password aggregators

Some types of software promising to replace passwords are more dangerous than they seem, because they give you a false sense of security and reinforce the status quo. If you are using them, you have not replaced passwords; you have created a treasure chest for hackers. These apps call themselves “password managers” or “vaults”. I would call them “password aggregators”.

Replacing passwords for users

I hope the above convinced you that passwords need to be replaced in your infrastructure. But beware — not everything that replaces a password is a better choice. I think that only relatively simple, purpose-built security devices that use public/private key crypto, and that verify presence and identity through biometrics, are a good-enough replacement for passwords today.

Let me explain why only this combination of simplicity, public-private key crypto and biometrics works today:

Here are some tools that — in my opinion — are worse than passwords:

What security devices should I use?

I have to admit — there aren’t many security devices on the market. We can use today:

This list is not exhaustive, and I hope more purpose-built security devices will be available soon.

Replacing passwords for services

Services are affected by the password problem just like users. Quite often you find services sending email with a hardcoded password. In better engineered systems, vaults mount secrets into a directory and make them accessible to services; take a look at Kubernetes secrets or Vault for example. I think neither practice is secure enough:

Organizations should replace password managers and aggregators (vaults) with short-lived certificates. We have written about short-lived certificates extensively in our blog, and we are biased, because our product, Teleport, is a short-lived certificate system. But it’s not just because we offer certificates that we believe they’re better than passwords. We offer certificates because they actually are better than passwords.

Here is why short-lived certificates, if implemented properly, are a much better alternative to passwords:

You can also use SPIFFE and Istio today to start replacing passwords with short-lived certificates for your infrastructure. It doesn’t matter what you use for certificates, as long as you move away from passwords.
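To make the contrast with passwords concrete, here is an added example (not Teleport's code and not from the original post) of the two properties this section relies on: a certificate that expires on its own, and a login exchange in which the client proves possession of a private key by signing a fresh server nonce rather than sending a reusable secret over the wire. The function names, the CA and the subject names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// mint signs a certificate for pub (constructed example, hypothetical names). With parent == nil
// it makes a self-signed CA; otherwise a client leaf valid only for ttl from now ("short-lived").
func mint(parent *x509.Certificate, signer ed25519.PrivateKey, pub ed25519.PublicKey, cn string, now time.Time, ttl time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// authenticate is the server side of a challenge-response login: the leaf must chain to the CA and
// be inside its validity window at time `at`, and the client must have signed the server's fresh nonce.
func authenticate(ca, leaf *x509.Certificate, nonce, sig []byte, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err // expired, not yet valid, or not issued by this CA
	}
	pub, ok := leaf.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("client did not prove possession of the certificate's key")
	}
	return nil
}
```

A stolen certificate stops working at `NotAfter`, and a captured signature is useless for any other nonce, which is exactly what a copied password cannot offer.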

Towards a passwordless future

As an industry, we need to build responsible systems that protect user data and prevent the critical infrastructure we maintain from being used to expose or compromise such data. Removing passwords from our infrastructure is one step towards this.
