rotate all keys/passwords regularly

[chadwhitacre]

Reticketing from gratipay/gratipay.com#2275.

We need to be in the habit of rotating all of our keys and passwords regularly, so that we can stay fresh and also be able to respond quickly to widespread vulnerabilities such as Heartbleed.

[chadwhitacre]

In addition, industry best practice recommends frequent key rotation.

https://console.aws.amazon.com/iam/home?region=us-west-2#users/emails_development

[chadwhitacre]

See discussion of key rotation at gratipay/gratipay.com#3998 (comment).

[chadwhitacre]

#606 moves us in the right direction, with a first stab at listing the different things we need to rotate, and defining a process for rotating the most important of them (our encryption keys).

[EdOverflow]

Correct me if I am wrong. These are not memorised secrets, but ones generated and then stored in a password manager (vault).

[mattbk]

You are not wrong.

[chadwhitacre]

Well, both, really.

Some less-sensitive passwords are stored in and shared through LastPass.

Our most sensitive passwords are held by Chad Whitacre.

http://inside.gratipay.com/howto/keep-secrets

[EdOverflow]

Well for passwords that are memorised NIST does not recommend changing them regularly:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically) and SHOULD only require a change if the subscriber requests a change or there is evidence of compromise of the authenticator.

Link: https://pages.nist.gov/800-63-3/sp800-63b.html#memorized-secret-verifiers

[chadwhitacre]

@EdOverflow How about for passwords that are written down on paper? :)