How to handle passwords in shared code

This is a general git question.  I want to share my repo with other developers but my code has a login and password in it (for's API) which I don't want them to see.  I can see a couple options:

1) Don't include the login and password in my source code.  When I build the app I manually copy/paste the login and password into the right place, compile, then remove the login and password before the next commit.

2) Set up two repos. One private repo for myself which has the login and password in the code and one for sharing.  I would manually remove the login and password whenever I needed to update the shared repo from the private one.

3) Some feature of git or sourcetree that I don't know about which hides the login and password from everyone except me.

How do others do this? Are there best practices?

1 answer

2 votes
Daniel Wester Community Champion Apr 13, 2015

Don't hard code credentials in code. From a security perspective you run into issues like you're facing. The other problem is if you need to change the credentials - do you really want to have to compile and release the code again? And what if somebody decides to copy that part of the code fragment (without realizing that the credentials are there) - now you've got to keep the credentials up to date in 2 places (and you won't know the second location).

A better approach is to externalize these values into an external configuration. This can be as simple as a key value file. Then maintain that in a separate repository that only the people who need access have access to.

This makes a lot of sense. Thanks.

To complete this answer, I'll point out that I've never heard of a feature built into any versioning system that would hide usernames or passwords that are stored in text files.
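One way to load the external key-value file the answer describes, as an added example that is not part of the original thread. The file name, the key names `API_LOGIN` and `API_PASSWORD`, and the sample values are assumptions made for illustration.

```python
import os
import stat
import tempfile

REQUIRED_KEYS = ("API_LOGIN", "API_PASSWORD")  # hypothetical key names


class CredentialError(Exception):
    """Raised when the external credentials file is unusable."""


def load_credentials(path, required=REQUIRED_KEYS):
    """Parse a KEY=VALUE file kept outside the shared repository."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        raise CredentialError(f"credentials file not found: {path}") from None
    # On POSIX, refuse a file that group or other users can read or write.
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError(f"{path} is accessible to group/other; run chmod 600")
    values = {}
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank line or comment
            key, sep, value = line.partition("=")
            if not sep or not key.strip():
                # Report the line number only, never the line content.
                raise CredentialError(f"{path}:{lineno}: expected KEY=VALUE")
            values[key.strip()] = value.strip()
    missing = [k for k in required if not values.get(k)]
    if missing:
        raise CredentialError(f"missing keys: {', '.join(missing)}")
    return values


def demo():
    """Write a constructed sample file and load it back."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "credentials.properties")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample values\nAPI_LOGIN=alice\nAPI_PASSWORD=example-only\n")
        os.chmod(path, 0o600)
        return load_credentials(path)


if __name__ == "__main__":
    print(sorted(demo()))  # prints key names only, never the values
```

Keep the real file outside the shared working tree, or list it in `.gitignore`, so it cannot be committed by accident.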
