Sharing passwords and secret data with the people on your team securely is painful. You want to limit the passwords that a specific person has while being able to give them access to more at any point. All of the above should be shared in a completely secure manner that’s easy to use for tech and non-tech team members alike.
As we have grown our team at Codeship over the last few months and are using more and more services, we’ve started to struggle with this ourselves. There are many services that provide good user management (incidentally, we’ve just launched our organizations feature recently), but there are also many that don’t.
Some of us were already using 1Password for our personal passwords, so we decided to use it company wide. It runs on Macs and mobile devices. Some of our developers are using Linux laptops, but as all the services we use in our engineering team have great user management, they can rely on Linux native secure key management.
We created an admin 1Password vault that is shared between Moritz (our CEO), Jim (our VPE), and me (CTO here at Codeship). This vault contains usernames and passwords to the admin accounts of various services and anything we need to onboard or offboard somebody from Codeship (those accounts are additionally secured with 2FA where we can). As this vault is shared between the three of us, somebody should always be available to manage any service.
Next, we created separate vaults for each department in the company. These are encrypted and synced via Dropbox. The main passwords for those vaults are stored in the admin vault I mentioned before. Thus Jim, Mo, and I have access to all company-wide admin accounts. Obviously, our machines and mobile devices are strictly locked down.
The department vaults can then be shared easily with anyone on those specific teams, so that they have easy access to everything they need. Additionally, we now have a secure way to transfer small pieces of data between people in one department; they can just add the data to their department vault, get it synced, and remove it after it was shared. This removes any need for sharing anything through unencrypted channels like Slack.
To have a really secure system, we need to make sure the main passwords that everyone uses are strong. This mostly comes down to proper education and following up with people regularly. In the next section, I’ll explain our strategy for creating good and secure passwords that people can remember easily. This is taken directly from our internal wiki, so you should be able to copy it verbatim and use it internally if you like.
Creating a Good Master Password
A good master password should be random while at the same time memorable. Passwords selected by humans are typically very easy to crack automatically; humans limit their selection of words and characters to make a password easier to remember.
And even adding a special character here or there doesn’t necessarily solve that. To counter this, randomly select words by throwing dice and then connect those words with special characters. You can use this method to create a complex master password that you then use in connection with 1Password.
1Password helps you manage your passwords so you only need to remember one strong master password. You can still have unique and very strong passwords for each service you use, of course. 1Password stores all of your passwords in encrypted vaults. You will have a main vault and can create or import additional vaults (which you can use for storing team-specific passwords).
Download 1Password from the AgileBits download page and take a look at their Getting Started guide.
How to create a strong master password
Diceware is a great tool for creating strong, random master passwords. It’s a list of around 7,500 preselected words. Pick five of these words by rolling the dice multiple times. Let’s walk through how to set up a master password using Diceware.
Note: Don’t use fewer than five words. It makes brute forcing the password far too easy. More words are always better.
Get some dice or go to https://www.random.org/dice/?num=1
Look at the Diceware list: http://world.std.com/~reinhold/diceware.wordlist.asc
Roll the dice five times and write down the numbers (e.g., 61353).
Look through the list to find the word associated with that dice roll (e.g., if you rolled 61353, the word would be “today”).
Roll the dice 25 times to get five words. Don’t throw out any of the words that were selected at random. If you use some but not others, you’re again limiting the choice of words, which makes the password much easier to crack.
Put the words together with either whitespace or special characters between each word.
If you feel you might forget the password, write it on a piece of paper by hand (do not print it from your laptop or store it on any electronic device) and keep it somewhere safe in your home where you can get to it. If you forget your password, you will not be able to log into 1Password again. This strong password is what keeps your digital data secure. The chance of somebody discovering or stealing your password paper and using it to break into your accounts is very low if you keep it well stored at home.
EXAMPLE MASTER PASSWORD:
Dice rolls: 14364 23346 61556 34523 21322
Five words: blonde dove tram jl comet
Capitalization: Blonde Dove Tram Jl Comet
Special characters/numbers: Blonde@Dove2Tram*Jl%Comet
This method will give you a password where you should be able to remember the five main words easily, and the four special characters/numbers are then not a large hurdle. You don’t have to capitalize the first letter, or you can also capitalize the last one or capitalize every second letter, if you’d like other options.
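An added worked example (not code from the Codeship post, 1Password or the Diceware project) that implements the steps above in Python: it parses the published Diceware list format, draws dice rolls from the OS CSPRNG, joins the rolled words with separators exactly as the example password above does, and computes the entropy that the five-word minimum buys. The embedded word list excerpt is constructed from only the entries quoted on this page; the real list has 6^5 entries.

```python
import math
import secrets

# Constructed excerpt of the Diceware list in its published format
# ("<five dice digits><tab><word>"); entries taken from the page's examples.
SAMPLE_LIST = """\
14364\tblonde
21322\tcomet
23346\tdove
34523\tjl
61353\ttoday
61556\ttram
"""

def parse_diceware(text):
    """Map each 5-digit dice key to its word, rejecting malformed keys."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, word = line.split("\t", 1)
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        table[key] = word.strip()
    return table

def roll_key():
    """Five die rolls (1-6) from the OS CSPRNG, as one Diceware lookup key."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))

def words_for_rolls(table, rolls):
    """Look up every rolled key; never drop a word, that biases the choice."""
    return [table[r] for r in rolls]

def join_with_separators(words, separators="@2*%"):
    """Join words, cycling through the separators (the page's example style)."""
    out = words[0]
    for i, w in enumerate(words[1:]):
        out += separators[i % len(separators)] + w
    return out

def passphrase_entropy_bits(num_words, list_size=6 ** 5):
    """Entropy when each word is drawn uniformly from the whole list."""
    return num_words * math.log2(list_size)

def example_from_page():
    """Reproduce the page's worked example from its five dice rolls."""
    rolls = "14364 23346 61556 34523 21322".split()
    table = parse_diceware(SAMPLE_LIST)
    words = [w.capitalize() for w in words_for_rolls(table, rolls)]
    return join_with_separators(words)
```

With the full list, `passphrase_entropy_bits(5)` is about 64.6 bits versus 51.7 for four words, which is the quantitative reason behind the "don't use fewer than five words" note.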
As security is very important for us at Codeship, we need to make sure we keep access to internal services secure. At the same time, access and sharing need to be easy so as not to create incentives to circumvent the secure system in any way.
With our new 1Password-based system, we’ve got a great new strategy in place that will allow us to grow our respective teams while keeping our customers’ data secure.
I hope sharing this with you helps with some of the pain of managing your own passwords that every team, and especially every startup, deals with. If you have other strategies, please let us know in the comments.