Basically every local service is accessed via a web interface, and every interface wants a username and password. Assuming none of these services are exposed to the internet, how much effort do you put into security here?
Personally, I didn’t really think about it when I started. I make a half-assed effort at security where I don’t use “admin” or anything obvious as the username, and I use a decent-but-not-industrial password - but I started reusing the u/p as the number of services I’m running grew. I have my browsers remember the u/ps.
Should one go farther than this? And if so, what’s the threat model? Is there an easier way?
My goal is to have all my services being a reverse proxy, even on LAN, and use passwordless authentication via passkeys/webauthn. I haven’t yet tried it but have been eyeing this: https://github.com/stonith404/pocket-id?ref=selfh.st
I am very much looking for feedback on this self-proclaimed simple oidc. Authentik is not as bad as Keycloak, but from what I reckon theres still room for improvement! -fingers crossed-