Shared Passwords

Policy

Shared passwords shall be managed in a central application, where access can be monitored and passwords can be easily changed.

Scope

This policy applies to all Lullabot employees.

Compliance

  • Shared passwords will be managed using 1Password vaults.
  • A separate vault will be created for each set of passwords that should be available to the same group of people. Access is then granted to the group, not to individual accounts.
  • Shared passwords will be changed whenever an employee leaves Lullabot, or whenever there is any reason to suspect that a shared password may have been compromised.

Explanation and Implementation

1Password has many advantages for managing shared passwords:

  • Gives everyone easy access to a password manager that can also be used for their other passwords.
  • 1Password Business includes a free 1Password Families membership for everyone in the company. Separate accounts keep personal data apart from business data, while everything you need stays visible in one app on all your devices.
  • Nothing changes for people who do not use 1Password except where they find the shared password.
  • 1Password does not have access to our passwords: vault contents are encrypted on our own devices with keys derived from each member's account password and Secret Key, neither of which 1Password holds.
  • The 1Password browser extension works in Safari.
  • If the 1Password service is unreachable, the desktop and mobile apps can still unlock and read the locally cached copy of our vaults (the web app does need the service).
  • Sharing permissions are granted per group.
  • 1Password analyses password strength and flags weak or reused passwords.
  • 1Password keeps an activity log that shows who accessed or changed a password, when, and from where.
  • Passwords can be reached through the 1Password web app with no software installation.
  • 1Password supports a variety of 2FA options for signing in to the account.
  • Users of other password managers who want to keep their own manager for personal accounts will probably want to make a few adjustments:
      • Consider using separate browsers for work and personal use.
      • Consider using the 1Password web app instead of the browser extension, so two extensions are not competing to fill and save logins.
      • The 1Password extension can be configured not to offer to save passwords.

Recommendations for users

In your Lullabot account, do not store personal, non-Lullabot related passwords. Create a personal account instead and add it to the same 1Password app alongside the Lullabot account.

  • This is also 1Password's own recommendation.
  • Admins can reset and lock out Lullabot 1Password accounts, and through account recovery can ultimately gain access to their contents.
  • Leaving Lullabot will at the very least mean losing access to your Lullabot account, and at worst the irrecoverable loss of any data stored only in that account.
