Secrets and accounts
Storing secrets
We store all secrets in 1Password, in their appropriate vaults. No common (shared) secret may be stored exclusively anywhere else. No private secret may be stored elsewhere unless there is a technical requirement to do so.
To be clear, this means we do not use browsers' built-in password managers or Apple's Keychain.
Sharing secrets
Never share secrets unless the channel is end-to-end and zero-trust encrypted. In practice this means we cannot share secrets via e-mail, Slack and similar tools.
Instead, always use 1Password's built-in share functionality. Generate a shareable link with the shortest reasonable expiration time, and make it readable only once.
Setting up accounts
MFA
Always set up MFA. You can save your MFA credentials in 1Password (if the MFA solution is a standard TOTP).
Personal accounts
Always set up personal accounts in your "Employee" vault in 1Password.
For personal accounts, it is OK to use apps like Google Authenticator on mobile devices instead of 1Password. Recovery codes may not be stored anywhere less secure than 1Password. Each person is responsible for never being locked out of their own accounts.
Never use Cloud Nine's 1Password organisation for private accounts used outside of work.
Shared accounts
In general, all accounts that are set up as administrative need to be shared accounts in the "Dev" vault. While this is a sub-optimal security practice because it gives every developer access, we do not want to risk losing credentials or becoming reliant on a single person during absences such as holidays. Hence, all client back-office logins are set up with common credentials, and the common developer e-mail address is provided when one is required.
Billing
All billing information needs to be automatically sent to the billing e-mail address. Configure a billing account if the platform supports it.
Some platforms can only send billing information to the administrator address (e.g. Heroku). In those cases the billing e-mail may be used as the administrative account, but it is preferred to set up mail forwarding rules in the non-personal administrative e-mail inbox instead.
SSH
When using SSH, it is highly recommended to use 1Password's built-in SSH agent, both for increased security (private keys stay in the vault rather than on disk) and to prevent key loss.