Do you remember logging into a hosting account where your password or API key had remained the same for multiple years? For some this may seem like a convenience, but it is actually a dangerous situation: the risk it carries outweighs any value it provides. Holding long-term access credentials (passwords or API tokens) is like leaving a spare house key outside for anybody to take. So, should hosting providers stop using long-term passwords?
Security Issues With Long-Term Access Credentials
When I was setting up servers I would come across instances in which an old API token would continue to grant server access. That is exactly what an attacker wants: an old API key that still works is a standing path into the server.
Specific Reasons Long-Term Credentials Create Problems
- They never expire, so if stolen, they remain functional.
- Most people forget about older keys and do not monitor their status.
- Very few people actually rotate a credential when a rotation policy says it is due.
Discontinuing Long-Term Credentials
For myself, I prefer to use temporary credentials. I feel that using temporary access tokens on projects is much more secure.
My options for temporary access tokens are:
- Temporary tokens that automatically expire
- Grant admins access only when they need it
- Limit user permissions to minimize the possible impact of credential theft
If someone were to obtain access to the system, the damage would be minimal. However, it is not easy to prohibit long-term credentials.
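The first and third options above (tokens that expire on their own, and tokens that carry only the permissions they need) are easy to show in a few lines. This is an added illustration, not code from the original post or from any hosting provider; the signing key, claim names and scope strings are made up for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical signing key for the example; a real service would load it from a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def mint_token(subject, scopes, ttl_seconds, now=None, key=SIGNING_KEY):
    """Issue a short-lived token that carries its own expiry and its permitted scopes."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scopes": sorted(scopes), "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()


def verify_token(token, required_scope, now=None, key=SIGNING_KEY):
    """Return the claims if the token is authentic, not yet expired and allows required_scope.

    Any failure (bad format, bad signature, expired, missing scope) returns None, so the
    caller has one decision to make: claims present means access, None means deny.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.encode().split(b".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time compare of the tag
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    if now >= claims["exp"]:  # a stolen token stops working on its own
        return None
    if required_scope not in claims["scopes"]:  # least privilege: scope is in the token
        return None
    return claims


if __name__ == "__main__":
    t = mint_token("deploy-bot", ["deploy"], ttl_seconds=900)
    print(verify_token(t, "deploy"))   # claims: still valid
    print(verify_token(t, "billing"))  # None: scope not granted
```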
But Is A Full Ban Possible?
The reality is that older systems do not always support today's security standards. It took a lot of time and effort for me to correct the issues with automation tools when I removed static passwords.
Some of the common reasons for not successfully transitioning from long-term credentials to short-term credentials include:
- Some older programs are not able to accommodate new login options
- Teams are not fond of the additional steps involved with configuring and securing login credentials
- Many of the tools used to manage login credentials create a frustrating experience for users whenever their credentials change
Security is important, but teams require assistance to be able to adapt to this change.
Closing Remark
From my perspective, I would recommend that hosting companies implement a default prohibition on long-term credentials, but not abruptly. They should give users the best tools and as much time as possible to transition securely to short-term credentials.