Password Managers

Policy

The use of a password manager is strongly encouraged.

Scope

This policy applies to all Lullabot employees and contractors.

Compliance

There will be more requirements for long passwords, and potentially more requirements to change them. It is expected that users will require the convenience of a password manager to manage them.

Explanation and Implementation

A password manager, like 1Password, helps store and organize your passwords. With a password manager you can manage dozens of strong and unique passwords without needing to remember every one of them. Password managers store passwords in encrypted form. The encrypted passwords are protected by a master password: a single, very strong password which grants the user access to their entire password database. This master password could be a phrase instead of a single word to make it longer and harder to guess.

Some password managers include a password generator that can automatically generate very strong passwords for each of your accounts. This makes it easier to create the long, complex passwords that keep your accounts safe.

Many password managers make it possible to share passwords across devices, so you could store the passwords once, then use them on your computer, your tablet, and your phone. Many also include provisions to share passwords with colleagues or family members. Additionally, they often include features like 'secure notes' where you can store other information securely, like fallback passcodes for accounts that were set up using two-factor authentication.

A password manager can compare the current site's URL to the stored site's URL. If the two don't match, the password manager should not automatically fill in the login fields. This is a safeguard against visual imitations and look-alike websites. Many of the better password managers handle multi-page fill-ins and multi-factor authentication as well.
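The URL comparison described above, sketched as an added example; it is not code from this policy or from any password manager. It assumes strict exact-origin matching (products may apply looser rules), and `decideAutofill` and every sample URL are hypothetical.

```javascript
// Added illustration of the URL check; decideAutofill and all URLs are constructed.
// Assumption: strict exact-origin matching (scheme + host + port).
function decideAutofill(storedUrl, currentUrl) {
  let stored, current;
  try {
    stored = new URL(storedUrl);
    current = new URL(currentUrl);
  } catch (err) {
    return { fill: false, reason: "unparseable URL" };
  }
  // Never offer a credential to a page loaded without TLS.
  if (current.protocol !== "https:") {
    return { fill: false, reason: "page is not https" };
  }
  // The parser lower-cases the host and converts Unicode labels to punycode,
  // so a visually identical host still compares unequal here.
  if (current.hostname !== stored.hostname) {
    return { fill: false, reason: `host mismatch: ${current.hostname}` };
  }
  if (current.origin !== stored.origin) {
    return { fill: false, reason: "scheme or port mismatch" };
  }
  return { fill: true, reason: "origin matches stored entry" };
}

const STORED = "https://accounts.example.com/login";
const SAMPLE_PAGES = [
  "https://accounts.example.com/signin?next=%2F",      // same site, other path
  "HTTPS://ACCOUNTS.EXAMPLE.COM/login",                // case differences only
  "https://accounts.example.com.lookalike.test/login", // stored host used as a prefix
  "https://accounts.example.com@lookalike.test/login", // stored host in userinfo
  "https://accounts.ex\u0430mple.com/login",           // Cyrillic "a" in the label
  "http://accounts.example.com/login",                 // no TLS
  "https://accounts.example.com:8443/login",           // different port
  "not a url",
];

function runSamples() {
  return SAMPLE_PAGES.map((url) => ({ url, ...decideAutofill(STORED, url) }));
}

for (const r of runSamples()) {
  console.log(`${r.fill ? "FILL " : "BLOCK"} ${r.url} (${r.reason})`);
}
```

Only the first two sample pages are filled; every other entry is blocked with the reason printed beside it.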

In contrast to password managers, there are simpler password syncing services built into most common web browsers, like iCloud Keychain and Chrome's built-in password management. These services store passwords, and may sync them across devices, but they're browser-specific, and they don't have additional features like password generators. In fact, if you are using a password manager, you don't need password syncing, and you could disable these services and delete their stored passwords to avoid potential confusion from having multiple services storing passwords and trying to auto-populate your password fields.
