Password Managers
Policy
The use of a password manager is required.
Scope
This policy applies to all Lullabot employees and contractors.
Compliance
There will be more requirements for long passwords, and potentially more requirements to change them. It is expected that users will require the convenience of a password manager to manage them.
Explanation and Implementation
A password manager, like 1Password, helps store and organize your passwords. With a password manager you can manage dozens of strong and unique passwords without any need to remember every one of them. Password managers store passwords encrypted. The encrypted passwords are protected by a master password, a single, very strong password which grants the user access to their entire password database. This master password could be a phrase instead of a single word to make it longer and harder to guess.
Some password managers include a password generator that can automatically generate very strong passwords for each of your accounts. This makes it easier to create the long, complex passwords that keep your accounts safe. They can also keep track of your two-factor authentication (2FA) codes, making it easier to migrate to a new phone when you get one.
Many password managers make it possible to share passwords across devices, so you could store the passwords once, then use them on your computer, your tablet, and your phone. Many also include provisions to share passwords with colleagues or family members. Additionally, they often include features like 'secure notes' where you can store other information securely, like fallback passcodes for accounts that were set up using two-factor authentication.
A password manager can compare the current site's URL to the stored site's URL. If the two don't match, the password manager should not automatically fill in the login fields. This is a safeguard against visual imitations and look-alike websites. Many of the better password managers handle multi-page fill-ins and multi-factor authentication as well.
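The URL comparison described above, sketched as an added example (this is not 1Password's or any other vendor's code). It assumes a strict rule: fill only when scheme, host and port all match the stored entry and the page is served over HTTPS. The function names and the reserved .test/.invalid sample hosts are constructed for illustration.

```javascript
// Added illustration of an autofill origin check; names are hypothetical.
function originOf(raw) {
  try {
    const u = new URL(raw);
    // URL parsing lowercases the host, drops default ports and converts
    // IDN hosts to punycode, so comparison is done on normalised values.
    return { scheme: u.protocol, origin: u.origin };
  } catch {
    return null; // unparseable URL: never fill
  }
}

function shouldAutofill(storedUrl, currentUrl) {
  const stored = originOf(storedUrl);
  const current = originOf(currentUrl);
  if (!stored || !current) return { fill: false, reason: "invalid-url" };
  if (current.scheme !== "https:") return { fill: false, reason: "not-https" };
  if (stored.origin !== current.origin) return { fill: false, reason: "origin-mismatch" };
  return { fill: true, reason: "origin-match" };
}

// Constructed sample data using reserved names only.
const STORED = "https://login.example.test/signin";
const VISITS = [
  "https://login.example.test/session/new?next=%2F", // same origin, other path
  "https://LOGIN.example.test:443/",                 // same origin once normalised
  "https://login.examp1e.test/signin",               // digit 1 in place of the letter l
  "https://login.example.test.signin.invalid/",      // stored host appears only as a prefix
  "https://login.example.test@signin.invalid/",      // stored host appears only as userinfo
  "http://login.example.test/signin",                // plaintext page
];

function evaluate(visits = VISITS) {
  return visits.map((url) => ({ url, ...shouldAutofill(STORED, url) }));
}

for (const r of evaluate()) {
  console.log(r.fill ? "FILL " : "BLOCK", r.reason.padEnd(16), r.url);
}
```

Comparing parsed origins rather than raw strings is what lets the check reject the prefix and userinfo look-alikes, which a substring or "starts with" comparison would accept.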
We recommend disabling the built-in password saving features in web browsers, such as Chrome's, and in Apple's Passwords app. They do not always store passwords securely with a master password or biometric authentication. They can also be confusing to use when 1Password is active at the same time.