
Do I really need to keep the username for a shared user in HTTP Basic auth private?

Çağlar Arlı


I am developing a NestJS application that makes use of the Bullboard feature, which brings a web frontend to manage jobs on a job queue inside Redis (looking at which jobs are running with what job data, allowing you to click a button to retry jobs, etc.).

This web frontend will only be used by the developers/devops team and the testers with a shared username/password that is stored in our team password safe.

To keep the data private and to stop script kiddies etc. from wasting our server resources by retrying jobs programmatically all the time, I implemented an HTTP Basic auth where the username part is set statically in the code and the password is configured on the server via an environment variable. Of course I made sure to pick a looong password with very random characters, numbers, symbols etc. I chose not to make the username configurable via env var because the number of env vars our application requires is growing and growing and it's becoming harder to maintain them; it requires a few extra lines of code in both the application and the Terraform stack, and I want to have as little code to maintain as possible as well as as few steps to do during deployment as possible.

The username is very generic and does not contain personal information.

In the code review, a colleague asked me to also make the username configurable via env var so that it does not remain in the code, because he thinks committing it to code would be an unnecessary leak (the code is held private, btw). He also said: "you would also not tell anyone the first n characters of your password".

While his thoughts are understandable to me, I would still say that with a strong enough password. Also, on most other web services like GitHub, Instagram etc. your username or email is usually somewhat public, and it's not a problem as long as other security measures are applied to the actual secret part, the password (+ MFA etc.).

How would you decide?