This repository has been archived by the owner on Jan 29, 2024. It is now read-only.

New Page: What to do when a password or token has been accidentally exposed? #1361

Open
st3fan opened this issue Sep 8, 2022 · 1 comment


st3fan commented Sep 8, 2022

What should we add to our content collections?

What to do when a password or token has been accidentally exposed?

or alternative title:

How to change (rotate?) your Aiven passwords and authentication tokens?

In the near future we will have a process in place that can notify customers when Service Passwords (passwords used for services like Postgres) or Authentication Tokens (those which you can generate in the Console to get API and/or aiven-client access) have been accidentally leaked.

(Unclear if Service Passwords or Authentication Tokens is the right terminology to use?)

In the notification that we send to a customer privately we can provide enough context so that the customer can understand which Service Password or Authentication Token was exposed and, in the case of a Service Password, also which service it applies to.

For these notifications we would link to a dev portal page that explains what steps to take when there is a need to rotate a Service Password or Authentication Token.

Currently this is only documented for a few specific services. It would be beneficial to have a root page that links to instructions for the individual services. (If there is a need to start simple - we can find service passwords for any Aiven service although the dominant ones for which we see reports are currently MySQL and PostgreSQL.)

As part of (security) education, the root page could also contain some content about how to properly deal with passwords in your code. The Aiven Security Team can help to provide some ideas on how to better manage passwords and we could list some bad and good practices.

Is this something you would work on yourself?

No, but I can help to review or edit. We can help with the good practices page if we think that is a good idea to include.

st3fan changed the title from "What to do when a password or token has been accidentally exposed?" to "New Page: What to do when a password or token has been accidentally exposed?" on Sep 8, 2022
@dewan-ahmed
Contributor

Hi @st3fan, thanks for raising this issue. Aiven Developer docs are related to the platform, tools, or products. "Password management best practices" sounds more like blog content (something like this) rather than evergreen content on developer documentation. Please share your thoughts.
