Secret Storage Risks
Comments focus on the security risks and pitfalls of storing and managing secrets like API keys and passwords in code, memory, logs, or through methods like hashing, with debates on exposure vulnerabilities and better practices like asymmetric cryptography.
Sample Comments
Sounds like really nice plausible deniability for whoever came up with such a blatantly wrong way of storing secrets/value.
I'm sure it's possible to do this securely, but in general this seems like a sure-fire way to expose your secret keys.
I'd be more concerned if you used this for actual secrets.
I've known users to type passwords in the username field. you implicitly do NOT know all secrets (e.g., a password is hashed). secrets can also churn, so even if you did your example would require something besides an in-memory array. and, the final point: what if your secret masking code fails on an exception, too ;)
sure, but it's more likely for somebody that doesn't know about this service to publish a secret than someone that is aware of it
Because the secret is never in memory, wouldn't it exactly be safe against all the attacks you mention?
You can't keep secrets in code most of the time.
"can get the original secret" is a phrase which should worry a security-conscious person
It's a good idea if you're using a secure secret or if an attacker doesn't know your exact method.
You leak your secret key to every user who can view that page.