When building and running software you need to maintain a lot of secrets.

As a reminder, secrets in this context means passwords, API keys, multi factor keys​, secret keys, etc.

I’ve written before about how to manage secrets, but today I want to make the point that you need to pay special attention when securing root credentials.

By root credentials I mean credentials which unlock access to other credentials or credential recovery avenues. Examples include: your AWS root account, your 1Password account, your Gmail password.

Obviously, if a root credential is compromised you’ll be up for a large amount of work to reset and recover each associated account.

Make sure you’ve:

1. Set up multi-factor authentication
2. An extremely strong password
3. Written down and stored the password and MFA recovery keys somewhere safe (like a locked filing cabinet)
4. Secured any related email accounts using these steps
5. Secured any related hardware devices including phones or hardware authentication devices, which usually means adding a PIN
6. Consider setting up related email/hardware devices so they are only accessible on a device that stays in a safe place

All of this is a pain and so I see a lot of people not doing these things.

If you follow the above checklist, you can get all this done in 15 minutes and you won’t have to worry about it.