When implementing token-based authentication, is it recommended to regenerate secrets on a periodic basis? This is assuming the tokens generated have an expiration.
2
The general guideline here is: access to secret keys needs to be highly restricted. For example, if this is a hard-coded secret, then any time someone with access to source leaves the company, the secrets need to be rotated. Clearly hard-coding secrets is bad practice, and if secrets were properly stored in an HSM/KSM/CloudHSM then there is less pressure to rotate. Keep in mind, Yahoo stored the keys to the kingdom as a hard-coded secret in source control, so that anyone with access to source could then hijack 32 million email accounts (slow clap for the Yahoo security engineers).
tl;dr: rotate if you ever have reason to believe that the secret has been compromised.
rook
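The answer above distinguishes routine rotation from compromise response. The following is an added example (not code from the question, the answer, or any named project) showing why that distinction matters mechanically for expiring tokens: if every token carries a key id (`kid`), a periodic rotation only changes which key signs new tokens while older keys stay verify-only until their tokens expire, whereas a suspected compromise is handled by retiring the key outright so every token it signed fails immediately. `KeyRing`, `issue_token` and `verify_token` are hypothetical names; the token format (`kid.payload.signature`, HMAC-SHA256 over the first two parts) is constructed for illustration and is not any standard.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class KeyRing:
    """Current signing key plus older keys kept only for verification."""

    def __init__(self, kid, secret):
        # Key ids must not contain '.', since '.' separates token parts.
        self.keys = {kid: secret}
        self.current = kid

    def rotate(self, new_kid, new_secret=None):
        # Periodic rotation: new tokens are signed with the new key; the
        # previous keys remain verify-only until every token they signed
        # has expired, so rotation never breaks live sessions.
        self.keys[new_kid] = new_secret or secrets.token_bytes(32)
        self.current = new_kid

    def retire(self, kid):
        # Compromise response: drop the key entirely so that any token
        # signed with it is rejected from now on, expired or not.
        if self.current == kid:
            raise RuntimeError("rotate to a new key before retiring the current one")
        self.keys.pop(kid, None)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret, message):
    return hmac.new(secret, message, hashlib.sha256).digest()


def issue_token(ring, subject, ttl_seconds, now=None):
    """Return 'kid.payload.sig' signed with the ring's current key."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    signed_part = f"{ring.current}.{_b64(payload)}"
    sig = _sign(ring.keys[ring.current], signed_part.encode())
    return f"{signed_part}.{_b64(sig)}"


def verify_token(ring, token, now=None):
    """Return the subject if the token is well-formed, signed by a key still in
    the ring, and unexpired; otherwise return None."""
    now = time.time() if now is None else now
    try:
        kid, payload_b64, sig_b64 = token.split(".")
        secret = ring.keys.get(kid)
        if secret is None:
            return None  # unknown, or retired after a compromise
        expected = _sign(secret, f"{kid}.{payload_b64}".encode())
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None  # tampered payload or wrong key
        payload = json.loads(_unb64(payload_b64))
    except (ValueError, KeyError):
        return None  # malformed token
    if payload.get("exp", 0) <= now:
        return None  # expired
    return payload.get("sub")


if __name__ == "__main__":
    # Constructed demo keys; real secrets come from an HSM or secrets manager.
    ring = KeyRing("k1", b"demo-secret-k1-" + b"0" * 17)
    old = issue_token(ring, "alice", 3600, now=1000)
    ring.rotate("k2")                      # routine rotation: old token still valid
    print(verify_token(ring, old, now=1001))   # alice
    ring.retire("k1")                      # compromise: old token now rejected
    print(verify_token(ring, old, now=1001))   # None
```

With this layout, periodic rotation costs nothing beyond keeping a small grace window of verify-only keys, which is why the sensible schedule is driven by how long a leaked key would stay useful rather than by the token lifetime alone; a key you believe leaked is retired, not merely rotated.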