Depends. Our engineering slack (Few thousand members) doesn't contain secrets for a few reasons:
- Secret scanning
- We have a /secret bot that will take your secret, store it securely, and then present a GUI for each person with access to display that secret "for just that person". And then after a set period of time it's made inaccessible, and wiped from the infra.
- Training and knowledge transfer on secret security
This has been incredibly effective. Especially the secret bot.
Turns out that the problem with people sharing secrets is just a matter of convenience. If you make a secure way convenient then everyone tends to just use it by default.
In house.