
Tech Guidance for Non-Technical Founders

Saturday Security: Securing Your Root Credentials


When building and running software you need to maintain a lot of secrets.

As a reminder, secrets in this context means passwords, API keys, multi-factor keys, secret keys, etc.

I’ve written before about how to manage secrets, but today I want to make the point that you need to pay special attention when securing root credentials.

By root credentials I mean credentials which unlock access to other credentials or credential recovery avenues. Examples include: your AWS root account, your 1Password account, your Gmail password.

Obviously, if a root credential is compromised you’ll be up for a large amount of work to reset and recover each associated account.

Make sure you’ve:

  1. Set up multi-factor authentication
  2. Chosen an extremely strong password
  3. Written down and stored the password and MFA recovery keys somewhere safe (like a locked filing cabinet)
  4. Secured any related email accounts using these steps
  5. Secured any related hardware devices, including phones or hardware authentication devices, which usually means adding a PIN
  6. Considered setting up related email/hardware devices so they are only accessible on a device that stays in a safe place
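For the AWS root account named above, the checklist's first item can be verified rather than assumed. As an added example (not from the original post), this Python check reads an IAM credential report and flags a root row without MFA or with active access keys. The report text here is a constructed sample using a subset of the report's real columns; the `fetch_report_text` helper that pulls a live report with boto3 is an assumption about how a reader would obtain it.

```python
import csv
import io
import time
from typing import Dict, List

# Constructed sample in the layout of an IAM credential report (not real data).
# Only a subset of the report's columns is included; the check reads 'user',
# 'mfa_active' and the 'access_key_N_active' columns.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::000000000000:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T10:00:00+00:00,false,true,2020-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::000000000000:user/alice,2021-05-05T00:00:00+00:00,true,2024-03-02T09:00:00+00:00,true,false,N/A,false,N/A
"""


def parse_report(csv_text: str) -> Dict[str, Dict[str, str]]:
    """Index the credential report by its 'user' column (root appears as '<root_account>')."""
    return {row["user"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def audit_root(report: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings for the root row: MFA not enabled, and any active root access key."""
    root = report.get("<root_account>")
    if root is None:
        return ["root row not found in credential report"]
    findings: List[str] = []
    if root.get("mfa_active") != "true":
        findings.append("root account has no MFA device enabled")
    for column in ("access_key_1_active", "access_key_2_active"):
        if root.get(column) == "true":
            findings.append(f"root account has an active access key ({column})")
    return findings


def fetch_report_text() -> str:
    """Generate and download a live report with boto3 (needs AWS credentials); unused by the offline sample."""
    import boto3  # imported here so the module still loads without boto3 installed

    iam = boto3.client("iam")
    # Report generation is asynchronous; poll until the service reports it complete.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(1)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for finding in audit_root(parse_report(SAMPLE_REPORT)):
        print("FINDING:", finding)
```

Swap `SAMPLE_REPORT` for `fetch_report_text()` to run it against a real account; an empty findings list means the root row has MFA and no active access keys.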

All of this is a pain and so I see a lot of people not doing these things.

If you follow the above checklist, you can get all this done in 15 minutes and you won’t have to worry about it.
