> If both password and MFA are stored in the same shared vault, then MFA's purpose is compromised. Anyone getting access to that shared vault has the full keys to the kingdom, the same as if MFA wasn't enabled.
Absolutely.
> no-one should ever need to access the root account
Someone has to be able to access it (rarely).
If you're a micro-org, having three people with the ability to get it doesn't seem that bad.
Everything else they did is, however, terrible practice.