by sombremesa 1799 days ago
It’s not zero. Hashed passwords are still passwords and should be treated as such. “Zero” implies that hashed passwords are not passwords, since otherwise you won’t get to zero.

Just because passwords are hashed doesn’t mean you can give access to them willy-nilly and happily claim that “zero” people have password access.

1 comment

> Hashed passwords are still passwords and should be treated as such.

Agreed.

> “Zero” implies that hashed passwords are not passwords, since otherwise you won’t get to zero.

You can get to zero:

- No humans in the serving path servers' ACLs.

- Diagnostic/recovery servers for humans which require the person submit a justification that links to a ticket/bug/outage, wait for a second person to approve, perform high-level operations that affect sensitive data ("restore user from backup at timestamp T") rather than exposing direct access ("read from backup", "write live user"), and keep an audit record for later.

Everything is about trade-offs. This approach takes more engineering time to set up and if not done well can really slow down common tasks. And there are certainly reasons there might be exceptions—e.g., allowing the primary on-call to have unilateral access can speed recovery over waiting for a second person to be available. But zero is possible, and stories like this remind us of its value.
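The diagnostic/recovery workflow described in the reply above, sketched as an added example that is not part of the original thread. The `Broker` and `Request` names, the `BUG-123`/`OUTAGE-123` ticket format and the stubbed restore backend are assumptions made for illustration.

```python
import itertools, re, time
from dataclasses import dataclass
from typing import Optional

TICKET_RE = re.compile(r"\b(?:BUG|OUTAGE)-\d+\b")  # assumed ticket-id format
ALLOWED_OPS = {"restore_user_from_backup"}  # high-level ops only, no raw read/write

class Denied(Exception):
    """Raised when a request fails a policy check."""

@dataclass
class Request:
    requester: str
    op: str
    args: dict
    justification: str
    approver: Optional[str] = None
    done: bool = False

class Broker:
    def __init__(self):
        self.requests, self.audit, self._ids = {}, [], itertools.count(1)
    def _log(self, event, rid, req, detail=""):
        # Snapshot the request state at the time of the event.
        self.audit.append({"ts": time.time(), "event": event, "id": rid,
                           "detail": detail, **vars(req)})
    def _deny(self, rid, req, why):
        self._log("denied", rid, req, why)  # denials are audited too
        raise Denied(why)
    def submit(self, requester, op, args, justification):
        rid, req = next(self._ids), Request(requester, op, dict(args), justification)
        if op not in ALLOWED_OPS:
            self._deny(rid, req, "operation not exposed")
        if not TICKET_RE.search(justification):
            self._deny(rid, req, "justification lacks a ticket link")
        self.requests[rid] = req
        self._log("submitted", rid, req)
        return rid
    def approve(self, rid, approver):
        req = self.requests[rid]
        if approver == req.requester:
            self._deny(rid, req, "requester cannot approve own request")
        req.approver = approver
        self._log("approved", rid, req)
    def execute(self, rid):
        req = self.requests[rid]
        if req.approver is None or req.done:
            self._deny(rid, req, "not approved or already executed")
        req.done = True  # one approval authorizes one execution
        self._log("executed", rid, req)
        # Stub for the real restore backend (assumption).
        return f"restored {req.args['user']} to state at {req.args['timestamp']}"
```

State lives in the broker and is addressed by request id, so a caller cannot hand back a request with the approver field already filled in.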