Personal favourite <a href="https://github.com/valeriangalliat/dotfiles/blob/b227cf9b252f3c8c43a776bc20e1f1b5d0acfc13/src/ssh/id_rsa" rel="nofollow">https://github.com/valeriangalliat/dotfiles/blob/b227cf9b252...</a>
I feel like this gets posted every other month or so. I appreciate the awareness, but it doesn't seem like there's much new discussion or debate to have on the matter: folks continue to be a bit more careless with credentials than they ought to be / don't think about what pushing something to a public site means / etc. It would rock if GitHub were more proactive about messaging affected users, and it sucks that it's hard to safeguard against this via technical means.<p>If anything, I'd love to see somebody do a blog post instead about how they started scraping these results and/or the commit data firehose and messaging users who posted credentials.
Hmmph. I just found a bunch of free AWS keys by searching for amazon.yml, too.<p>What is the best way to share things like API keys among a team of developers, anyway? I'm surprised this hasn't been solved already (perhaps it has and I just don't know about it). I know you can share passwords with tools like LastPass and 1Password, and I suppose you could use those for API keys as well?<p>It'd be nice if you could, e.g., include a gem in a Rails project, get a single key/password/token from one of the team members on that project, and use that w/ a third party API to set all the requisite API keys for all the third party services used on a project. You could also rotate the master password when team members leave the group.
I see your SSH keys and raise you a .netrc: <a href="https://github.com/search?p=1&q=filename%3Anetrc&ref=searchresults&type=Code&utf8=" rel="nofollow">https://github.com/search?p=1&q=filename%3Anetrc&ref=searchr...</a>
You can search out private GPG keys as well, which is crazy-bananas. <a href="https://github.com/search?utf8=%E2%9C%93&q=filename%3Aasc+BEGIN+PGP+PRIVATE+KEY+BLOCK&type=Code&ref=searchresults" rel="nofollow">https://github.com/search?utf8=%E2%9C%93&q=filename%3Aasc+BE...</a>
And if you want to get the public key also:<p><a href="https://github.com/<username>.keys" rel="nofollow">https://github.com/<username>.keys</a><p>ex.: <a href="https://github.com/avinassh.keys" rel="nofollow">https://github.com/avinassh.keys</a>
Looks like they've blocked it now. Searching via Google still works though: <a href="https://www.google.com/search?q=site%3Agithub.com+inurl%3Aid_rsa" rel="nofollow">https://www.google.com/search?q=site%3Agithub.com+inurl%3Aid...</a>
They have blocked the search for private keys (id_rsa) but they still need to block the search for public keys (id_rsa.pub); they're usually stored together anyway. I just did this search.
This is matching both "id" and "rsa" individually as well, so not all results are actually files with id_rsa in the name.<p>Example: <a href="https://github.com/search?utf8=%E2%9C%93&q=filename%3Aid_rsa+whatever&type=Code&ref=searchresults" rel="nofollow">https://github.com/search?utf8=%E2%9C%93&q=filename%3Aid_rsa...</a>
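Since the thread keeps coming back to the same few artifacts (id_rsa files, .netrc, PGP private key blocks, AWS keys in amazon.yml) and to the wish for a technical safeguard, here is a pre-commit hook that refuses a commit when the staged content looks like any of them. This is an added example for this thread, not GitHub tooling or anything from the linked repos; the filename list and the regexes are heuristics chosen for the example, and the sample inputs are constructed (the AWS values are Amazon's documented placeholders, not live credentials).

```python
"""Pre-commit hook that scans *staged* blobs for leaked key material.

Added example, not GitHub's or any project's own code. Install with:
    cp scan_secrets.py .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
"""
import re
import subprocess
import sys
from typing import List, Tuple

# Filenames that are suspicious on their own: the names people search GitHub for.
# Note id_rsa.pub is deliberately not matched; a public key is fine to publish.
SUSPICIOUS_NAMES = re.compile(
    r"(^|/)(id_(rsa|dsa|ecdsa|ed25519)|\.netrc|_netrc|amazon\.yml)$"
)

# Content heuristics (assumptions of this example, not an authoritative list).
CONTENT_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    # PEM / OpenSSH / PGP armour: "-----BEGIN RSA PRIVATE KEY-----",
    # "-----BEGIN OPENSSH PRIVATE KEY-----", "-----BEGIN PGP PRIVATE KEY BLOCK-----".
    ("private key block",
     re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY(?: BLOCK)?-----")),
    # AWS access key IDs: 20 upper-case alphanumerics starting with AKIA.
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # A 40-character secret next to an aws_secret_access_key label (YAML or env style).
    ("AWS secret access key",
     re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*[\"']?[A-Za-z0-9/+=]{40}")),
    # .netrc grammar, single- or multi-line: "login <user> password <secret>".
    ("netrc password", re.compile(r"\blogin\s+\S+\s+password\s+\S+")),
]

# Constructed sample inputs used by self_check(); none of these are real secrets.
SAMPLES = {
    "src/ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "config/amazon.yml": ("aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
                          "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    ".netrc": "machine api.github.com\n  login alice\n  password notarealtoken\n",
    "keys/alice.asc": "-----BEGIN PGP PRIVATE KEY BLOCK-----\n...\n-----END PGP PRIVATE KEY BLOCK-----\n",
    "README.md": "Run `ssh-keygen -t ed25519` and paste the .pub file into GitHub.\n",
}


def scan_text(path: str, text: str) -> List[Tuple[str, str, int]]:
    """Return (path, finding, line_no) for every hit in one file; line 0 = filename hit."""
    findings = []
    if SUSPICIOUS_NAMES.search(path):
        findings.append((path, "suspicious filename", 0))
    for label, pattern in CONTENT_PATTERNS:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((path, label, line_no))
    return findings


def self_check() -> dict:
    """Run the scanner over the constructed samples; maps path -> list of finding labels."""
    return {path: [f[1] for f in scan_text(path, text)] for path, text in SAMPLES.items()}


def staged_files() -> List[str]:
    # Added/copied/modified paths in the index; -z avoids quoting surprises.
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.split("\0") if p]


def staged_blob(path: str) -> str:
    # "git show :<path>" prints the staged version, not the working-tree copy,
    # so a file edited after `git add` is judged by what would actually be committed.
    out = subprocess.run(["git", "show", f":{path}"], check=True, capture_output=True).stdout
    return out.decode("utf-8", errors="replace")


def main() -> int:
    findings = []
    for path in staged_files():
        findings.extend(scan_text(path, staged_blob(path)))
    for path, label, line_no in findings:
        where = f"{path}:{line_no}" if line_no else path
        print(f"refusing commit: {label} in {where}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Scanning the index rather than the working tree matters: `git add` followed by a hurried edit would otherwise let the staged copy through. The hook only helps before the push; once a key is in a public commit it should be treated as compromised and rotated, since rewriting history does not un-scrape it.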