Behind Closed Doors: Managing Passwords in a Dangerous World

Accepted Session
Short Form
Scheduled: Thursday, June 23, 2016 from 1:30 – 2:15pm in B202/203


A modern application has a lot of passwords and keys floating around. Encryption keys, database passwords, and API credentials; often typed in to text files and forgotten. Fortunately a new wave of tools are emerging to help manage, update, and audit these secrets. Come learn how to avoid being the next TechCrunch headline.


Secrets come in many forms, passwords, keys, tokens. All crucial for the operation of an application, but each dangerous in its own way. In the past, many of us have pasted those secrets in to a text file and moved on, but in a world of config automation and ephemeral microservices these patterns are leaving our data at greater risk than ever before.

New tools, products, and libraries are being released all the time to try to cope with this massive rise in threats, both new and old-but-ignored. This talk will cover the major types of secrets in a normal web application, how to model their security properties, what tools are best for each situation, and how to use them with major web frameworks.


security, infosec

Speaking experience

You can find recordings of my last few years of talks at including OSB 2015 (which was awesome btw :)


Leave a private comment to organizers about this proposal