
Open energy transition password policy

1. A note about password security

Securely storing your OET-related passwords is essential to our maintaining organizational security. This policy serves not only as a Q&A about password management, but also to state the requirement to use 1Password, our vetted password management platform, to store all OET-related passwords. This applies whether or not you will be sharing logins and notes with teammates.

We understand that you may already have a personal password manager in place, but for ISO requirements, and because it's more administratively simple and secure, OET requires the use of 1Pass. Of course, in your personal capacity, you may use whichever password manager you wish.

If you already use 1Pass for your personal login credentials, you can create a separate account just for OET credentials, using your OET email address. This allows you to log into both simultaneously.

2. About 1Password

1Password is trusted by major organizations including GitLab, IBM, Slack, Salesforce, and Canva. The company has over 150,000 clients, and is the most-used enterprise password manager.

The platform includes an admin dashboard, through which OET can manage secure password-sharing vaults for specific teams. It also supports many modern security standards, including FIDO2 and SSO. Finally, 1Password vaults use end-to-end 256-bit encryption.

For more information, you can visit their website here: https://1password.com.

And for info about password sharing in 1Password, you can go here: https://1password.com/features/secure-password-sharing.

3. Setup & process for storing OET passwords

A. Activate your account

  • Quintin will send you an invitation email to set up your OET 1Pass account (please click it within 2 days, before it expires)
  • Choose a secure Master Password that you can remember
  • Store your account backup information securely (definitely not inside your password manager, and ideally not on a device on which you use the platform)

B. Set up 2FA

  • 2FA is mandatory, and you will be able to enable it in the settings of your password manager
  • Please select a secure, trusted 2FA app, and follow the setup steps to enable it (recommendations are Google Authenticator and Microsoft Authenticator)
  • You may be asked during future logins for your 2FA code, so that the app can verify it is you who is logging in
  • At any time, you can easily switch to a different 2FA app. Just remember to activate the new one before removing your password manager from the old one
  • If you wish, you may save a device as trusted in your password manager
  • You may also use a Yubikey or similar device, if you want to. However, these are not provided by OET

C. Install the apps

  • You can install any of 1Password's official apps (desktop, mobile, browser-based) that you like, from here
  • You will need to use your full account details to log in for each new device you use. Please keep track of which devices you're logged in on
  • If there is a login from a brand new device, you will likely be emailed, after which you can make sure it was indeed you who actioned it
  • To make things a bit easier, in settings, you may extend the duration that the password manager's browser extension remains unlocked, before it automatically locks and requires you to log in again

D. Check out your Employee Vault and shared vaults

  • You have, as standard, an individual vault where your own credentials and notes are stored. This is not visible to anyone else
  • Depending on your role, you may have numerous shared vaults, which our admins will add you to over time. You should have at least one - likely for your Department
    • Please assume, in line with the name of the shared vault, that it is shared with everyone in that team, Department, project, etc.
    • If you aren't in a vault that you think you should be, or you notice that someone else is missing there, please let our People Team know

E. Store your passwords

  • You will be able to store passwords, payment information, and secure notes
  • You can use the standard info fields, like username, password, and URL, as well as add other ones through dropdown menus
  • If you want to, you can edit stored information at a later stage
  • Any changes to stored info may take a bit of time to update across all the platforms on which you use 1Pass, but this process should be fully automated
  • If you want to, you can also attach files to the passwords you house in your password manager, for additional secure storage. An example is downloadable backup codes some apps provide
  • When creating new logins, and reviewing your old ones, try to make passwords as strong as possible (within the allowances of each respective website). If you have existing, weak passwords, please update them
  • When saving new credentials for things that are OET-related, please always use your OET email address. If you have old, OET-related credentials that use other email addresses, please update them to use your OET email as soon as possible

4. Password requirements

When creating passwords for OET-related accounts — whether stored in your password manager or entered directly — please ensure they meet all of the following requirements.

Minimum length

All passwords must be at least 12 characters long. The longer, the better: aim for 16 or more where a service allows it. Length is one of the strongest factors in password security, so do not stop at the minimum if you can help it.

Character composition

Passwords must include a mix of all of the following character types:

  • Uppercase letters (A–Z)
  • Lowercase letters (a–z)
  • Numbers (0–9)
  • Special characters (e.g. !, @, #, $, %, ^, &, *)

Where a service does not support special characters, please compensate by using a longer password.

No personal information

Passwords must not be based on, or derived from, personal information. This includes:

  • Your name, or the names of family members, friends, or pets
  • Date of birth, anniversary, or other meaningful dates
  • Home address, phone number, or email address
  • OET-related details such as your employee ID, team name, or job title

Even partial inclusion of personal information (e.g. Sophie2023!) significantly weakens a password. Attackers routinely use personal details gathered from social media or public data breaches to make targeted guesses.

No common or predictable patterns

Avoid passwords that follow predictable patterns or are commonly used, such as:

  • Dictionary words or simple word combinations (e.g. password, letmein, sunshine)
  • Keyboard walks (e.g. qwerty123, asdfghjkl)
  • Repeated or sequential characters (e.g. aaaaaa, 123456, abcdef)

Uniqueness

Every OET-related account must have its own unique password. Reusing passwords across services means that a single breach can compromise multiple accounts. Your password manager makes this straightforward — use its built-in password generator to create a strong, unique password for every new login.

Passphrases as an alternative

A passphrase — a sequence of four or more unrelated words (e.g. coral-table-rocket-mango) — is an excellent alternative to a traditional password, provided it still meets the length and uniqueness requirements above. Passphrases are often easier to remember and can be just as strong, or stronger.
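The requirements in this section, as an added checker that is not part of the OET policy itself: a Python function that reports which rules a candidate password breaks. The common-word list and keyboard rows are constructed samples, and a hyphen- or space-separated passphrase of four or more words skips the composition check, as the section allows.

```python
import re
import string

# Values from the OET policy: 12-character minimum, all four character classes.
MIN_LENGTH = 12
# Constructed sample lists; a real deployment would load larger wordlists.
COMMON_WORDS = {"password", "letmein", "sunshine", "welcome", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
PASSPHRASE = re.compile(r"[a-z]+(?:[- ][a-z]+){3,}")  # four or more words

def has_keyboard_walk(pw, run=4):
    """True if `run` consecutive characters sit on one keyboard row (either direction)."""
    low = pw.lower()
    return any(row[i:i + run] in low or row[i:i + run][::-1] in low
               for row in KEYBOARD_ROWS for i in range(len(row) - run + 1))

def has_sequence(pw, run=4):
    """True if `run` consecutive characters repeat or step by one (aaaa, 1234, dcba)."""
    for seg in (pw[i:i + run] for i in range(len(pw) - run + 1)):
        if {ord(b) - ord(a) for a, b in zip(seg, seg[1:])} in ({0}, {1}, {-1}):
            return True
    return False

def check_password(pw, personal=()):
    """Return the list of policy violations; an empty list means the password passes.
    `personal` holds details the user must not embed (name, pet, team name, ...)."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Passphrases only need to meet length and uniqueness, so composition is skipped.
    if not PASSPHRASE.fullmatch(low):
        classes = {"uppercase": str.isupper, "lowercase": str.islower,
                   "number": str.isdigit, "special": lambda c: c in string.punctuation}
        for name, test in classes.items():
            if not any(test(c) for c in pw):
                problems.append(f"missing {name} character")
    for item in personal:
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal detail '{item}'")
    if any(word in low for word in COMMON_WORDS):
        problems.append("contains a common dictionary word")
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard walk")
    if has_sequence(pw):
        problems.append("contains repeated or sequential characters")
    return problems
```

Uniqueness cannot be checked from a single string; that rule is enforced by using the password manager's generator for every new login.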

5. Process for sharing OET passwords

Never share passwords through chat messages, email, or any other general-purpose communication channel, even if you delete the message afterwards. Messages can be logged, cached, or intercepted, and deletion is not guaranteed. Always use one of the secure methods below, depending on your password manager.

Good password sharing practices

  • Only share a password when it is absolutely necessary. When in doubt, keep it in your personal vault and wait to be asked
  • If you are not sure whether a credential should be in your personal vault or a shared team vault, check with your Team Lead
  • Always use the shortest practical expiration when generating a sharing link
  • Once a shared credential is no longer needed by the recipient, update or rotate it
  • If it is no longer necessary for something to be shared in a vault, move it back to your personal vault
  • If you want to share a single credential directly from your Employee Vault, you can do so, and this may be easier and more secure than adding it to a shared vault

Troubleshooting

  • Browser extensions cannot communicate with the 1Password desktop app
    • Make sure you have enabled the 1Password desktop app to communicate with the browser extension.
    • For Linux: This can happen if the browser you are using was installed using snap or flatpak. For security purposes, these installations are sandboxed and cannot communicate with the desktop app. To solve this, install your browser using the package manager of your OS, for example apt on Ubuntu.
    • Special case, Ubuntu: Since Ubuntu 21.04, Ubuntu automatically installs the snap package of Firefox, even if you install it using apt from the Mozilla PPA. You need to follow this linked guide to disable this automatic behaviour, otherwise your Firefox installation will be overwritten with the snap version at the next update.

Questions

If you have questions about this policy, you can reach out to our platform admin - our Head of People, Quintin, preferably on Discord, or otherwise via email (quintin.coetzee@openenergytransition.org).

Thank you!