This is a short talk about the importance of good secrets, specifically the things that are used to secure your systems. There are broadly two types of secrets: static and dynamic. Static secrets are things like that shared database password that is now known by everyone, because it was a little hard to sort out individual access for people/services when it was first set up, and now it’s too late because changing it might break stuff. Or that API key that relies on someone manually changing it when necessary, so it rarely gets done. I discuss why static secrets are not really a great idea and why the ability to use short-lived credentials for authentication is crucial to keeping your stuff secure. These dynamic secrets should be generated when needed, auditable back to the individual/system that requested them, and revoked when finished with. Dynamic secrets reduce the impact if credentials get leaked, as they can only be used for a short amount of time.