@svpino: Back in 2010, we could get away with SSH keys and API tokens in .env files. We can't do that anymore. I went down a rab…
Summary
The post argues that static credentials like SSH keys and API tokens are no longer sufficient, and identity-based access is a better alternative.
Cached at: 05/14/26, 04:41 PM
Back in 2010, we could get away with SSH keys and API tokens in .env files.
We can’t do that anymore.
I went down a rabbit hole to understand how identity-based access is much better than (and is replacing) static credentials. https://t.co/aFCpgEeW9s
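The contrast the post draws, as an added example that is not part of the original tweet or the linked article: a static API token (the ".env" model) is a single long-lived bearer string that says nothing about who is calling or when it was issued, while an identity-based credential names a principal and an audience, carries an issue and expiry time, and can be revoked individually. The issuer, verifier, key material, principal names and timestamps below are all constructed for illustration; a real deployment would use a workload-identity or SSH-certificate issuer rather than this hand-rolled HMAC scheme.

```python
"""Static bearer token versus identity-bound short-lived credential.

Added example, not code from the tweet or the linked article. Everything here
(issuer, verifier, key, principal names, timestamps) is constructed for
illustration; the HMAC-signed format is a stand-in for an SSH certificate,
OIDC workload token or similar identity-based credential.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# --- the ".env" model: one long-lived secret, no identity, no expiry ---------
STATIC_TOKEN = "sk_live_example_static_token"  # constructed; valid until someone rotates it


def check_static(presented: str) -> bool:
    """Constant-time compare. Passing tells you the caller had the string, nothing else."""
    return hmac.compare_digest(presented.encode(), STATIC_TOKEN.encode())


# --- identity-based model: credential bound to a principal, audience and time --
def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Issuer:
    """Hypothetical issuer: after authenticating a workload, mints a short-lived credential."""

    def __init__(self, key: bytes):
        self._key = key

    def issue(self, principal: str, audience: str, ttl_s: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        claims = {
            "sub": principal,            # who: the identity the credential is bound to
            "aud": audience,             # where it may be presented
            "iat": int(now),
            "exp": int(now) + ttl_s,     # leaked after this point, it is useless
            "jti": secrets.token_hex(8), # unique id so one credential can be revoked
        }
        body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class Verifier:
    """Hypothetical verifier for one service (audience). Returns claims or None."""

    def __init__(self, key: bytes, audience: str):
        self._key = key
        self._audience = audience
        self._revoked: set = set()

    def revoke(self, jti: str) -> None:
        self._revoked.add(jti)

    def verify(self, cred: str, now: Optional[float] = None) -> Optional[dict]:
        try:
            body, sig = cred.split(".")
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None                      # forged or tampered
        claims = json.loads(_unb64(body))
        now = time.time() if now is None else now
        if claims.get("aud") != self._audience:
            return None                      # issued for a different service
        if claims.get("exp", 0) <= now:
            return None                      # expired: a leaked copy no longer works
        if claims.get("jti") in self._revoked:
            return None                      # individually revoked, no mass rotation needed
        return claims                        # caller identity is now known for authz and audit


def tamper(cred: str, new_sub: str) -> str:
    """Rewrite the principal while keeping the old signature (what an attacker might try)."""
    body, sig = cred.split(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = new_sub
    return _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()) + "." + sig


if __name__ == "__main__":
    key = b"constructed-issuer-key"
    cred = Issuer(key).issue("ci-runner-42", "api.internal", ttl_s=300, now=1_000_000)
    print(Verifier(key, "api.internal").verify(cred, now=1_000_100))  # claims dict, sub=ci-runner-42
    print(Verifier(key, "api.internal").verify(cred, now=1_000_400))  # None: expired
```

The design point: with the static token, a leak in a repo or a build log is a permanent, anonymous credential until someone notices and rotates it everywhere. With the identity-bound form, the verifier learns which principal is calling (so authorization and audit can key on identity), a leaked copy dies at `exp`, and a single credential can be revoked by `jti` without touching any other caller.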
Similar Articles
@dreamsofcode_io: Really good time to consider putting your SSH Keys on a hardware security key, such as a Yubikey.
A tweet recommends using hardware security keys like Yubikey for SSH keys, referencing an active cross-ecosystem supply chain attack (TrapDoor) on npm, PyPI, and Crates.io involving malicious packages and crypto-stealing malware.
@sdrzn: 1/ Using rules like "don't read .env" are not reliable to protect your keys since models many times ignore one-off inst…
Discusses why telling AI models not to read .env files is unreliable, and introduces Cline plugins as a way to hook into the agent lifecycle in TypeScript and enforce the restriction outside the prompt.
The Vercel breach: OAuth attack exposes risk in platform environment variables
A June 2024 intrusion disclosed in April 2026 saw attackers abuse a compromised third-party OAuth app to access Vercel’s internals and expose customer environment variables, spotlighting OAuth supply-chain risks and platform secret-handling flaws.
Some secret management belongs in your HTTP proxy
Blog post proposes offloading API-key injection to an internal HTTP proxy so apps and agents never see secrets, easing rotation and reducing exfiltration risk.
Passwords suck. Can passkeys replace them?
Discusses the potential of passkeys to replace passwords as a more secure authentication method.