best practice for keeping login/password details within issue description/comments

Sometimes you need to use regular issues' fields like description or comments to store the password and any other fragile data. What would be your best choice to do this?

4 comments

Comment

Well you can use Issue based security to limit those who can see these issues. But this will require discipline from your side.

I think best option would be to use external password storage. And put the link to the storage in comment. When anyone clicks on it he will authenticate himself and will get a password. Something like keepass.

Like • like this

It's not a good practice to include any credentials in plain text anywhere, even with special security settings.

BitWarden and 1Password also both offer very nice secure sending of creds outside your org.

Like • Rafal likes this

Agree, you should never store any passwords or sensitive information in an application that is not meant for that purpose and designed to secure it properly.

Personally I use LastPass and then notate how the password is stored in the ticket. We do not even transmit that type of information via a ticket as it is not easily removed or cleaned from the system, risk is too high for it to be retrieved without authorization, etc.

Like • like this

Agreed all around. Links to something secure with access control. KeePass and lastpass are great.

As an alternative, A web link to a box/dropbox/onedrive file is dramatically less secure than the above, but at least you would have 2FA and better permissions control. I don't recommend this, but it's still better than plaintext in jira that you could literally search instance wide in seconds.