Open Energy Transition password policy

1. A note about password security

Securely storing your OET-related passwords is essential to our maintaining organizational security. This policy serves not only as a Q&A about password management, but also to state the requirement to use one of our vetted password management platforms to store all OET-related passwords, whether or not you will be sharing them with teammates.

We understand that you may already have a personal password manager in place, but since not everyone has one, and we are not aware of the security behind each person's system, it makes more sense for OET to have a list of our own vetted password managers for all organization-related credentials. We trust this makes sense to you from an administrative standpoint.

If you use one of our vetted platforms already, and you want two separate accounts, then you can create another just for OET credentials. If you want them all in one, and trust your master password is secure for your existing account, then you may continue using that account, and can ignore the rest of this guide. Yay!

Our trusted platforms

We have 3 vetted platforms you can use. These are:

  • 1Password (paid, and managed by OET)
  • BitWarden (free, and managed by you)
  • NordPass (free, and managed by you)

Which one should you use?

If you are using a password manager other than the ones above, or storing your passwords elsewhere, please move them over to one of our vetted platforms. Which one?

Well, if you have already been invited to 1Password (only for certain OETers, as per operational needs), then please use that. It is paid for, and administered by OET directly. The invite will come from Quintin, to your OET inbox, during your first few days with us.

If you don't get one, that means you need to use one of the other two (free) platforms, and create an account for yourself using the instructions below (you can skip to Section 3 for the links). Please create an account soonest.

While using Google Passwords may be convenient, it is not as secure as a separate password manager, and thus, we have this policy in place. Once you're hacked, there's not much you can do, and you can't reverse it. So, please use secure password practices from the start, as you will be protecting our intellectual property, which obviously benefits us all.

You should be able to easily import passwords in bulk into any of our 3 platforms, provided you've managed to export them suitably from your existing password manager. If you're signing up for an OET-related password manager from the get-go, this is not relevant to you.

If you have questions about the below, you can reach out to our platform admin - our Head of People, Quintin, preferably on Discord, or otherwise via email (quintin.coetzee@openenergytransition.org).

2. Password requirements

When creating passwords for OET-related accounts — whether stored in your password manager or entered directly — please ensure they meet all of the following requirements.

Minimum length

All passwords must be at least 12 characters long. The longer, the better — aim for 16 or more where a service allows it. Length is one of the single strongest factors in password security, so do not stop at the minimum if you can help it.

Character composition

Passwords must include a mix of all of the following character types:

  • Uppercase letters (A–Z)
  • Lowercase letters (a–z)
  • Numbers (0–9)
  • Special characters (e.g. !, @, #, $, %, ^, &, *)

Where a service does not support special characters, please compensate by using a longer password.

No personal information

Passwords must not be based on, or derived from, personal information. This includes:

  • Your name, or the names of family members, friends, or pets
  • Date of birth, anniversary, or other meaningful dates
  • Home address, phone number, or email address
  • OET-related details such as your employee ID, team name, or job title

Even partial inclusion of personal information (e.g. Sophie2023!) significantly weakens a password. Attackers routinely use personal details gathered from social media or public data breaches to make targeted guesses.

No common or predictable patterns

Avoid passwords that follow predictable patterns or are commonly used, such as:

  • Dictionary words or simple word combinations (e.g. password, letmein, sunshine)
  • Keyboard walks (e.g. qwerty123, asdfghjkl)
  • Repeated or sequential characters (e.g. aaaaaa, 123456, abcdef)

Uniqueness

Every OET-related account must have its own unique password. Reusing passwords across services means that a single breach can compromise multiple accounts. Your password manager makes this straightforward — use its built-in password generator to create a strong, unique password for every new login.

Passphrases as an alternative

A passphrase — a sequence of four or more unrelated words (e.g. coral-table-rocket-mango) — is an excellent alternative to a traditional password, provided it still meets the length and uniqueness requirements above. Passphrases are often easier to remember and can be just as strong, or stronger.
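As an added illustration (not OET's own tooling, and not part of the policy text), the following Python function checks a candidate password against the Section 2 rules above, exempting four-or-more-word passphrases from the character-mix rule as the policy allows; the personal-info tokens and the short weak-word list are constructed for the demonstration.

```python
import re

# Added example: validates a password against the Section 2 requirements of this
# policy. Not OET's tooling; the word list and personal-info tokens are constructed.
MIN_LENGTH = 12
COMMON_WORDS = {"password", "letmein", "sunshine"}            # examples named in the policy
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _has_keyboard_walk(low, run=4):
    """True if a `run`-character slice of a keyboard row (or its reverse) appears in the password."""
    for row in KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]:
        if any(row[i:i + run] in low for i in range(len(row) - run + 1)):
            return True
    return False


def _has_sequence(low, run=4):
    """True if `run` consecutive characters step by exactly one code point (abcd, 4321)."""
    for i in range(len(low) - run + 1):
        diffs = {ord(low[j + 1]) - ord(low[j]) for j in range(i, i + run - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False


def check_password(pw, personal_info=()):
    """Return the list of Section 2 rules the password breaks; an empty list means it complies."""
    problems, low = [], pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # A passphrase of four or more plain words is exempt from the character-mix rule.
    words = [w for w in re.split(r"[-\s]+", pw) if w]
    is_passphrase = len(words) >= 4 and all(w.isalpha() for w in words)
    if not is_passphrase:
        for name, pattern in [("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                              ("number", r"[0-9]"), ("special", r"[^A-Za-z0-9]")]:
            if not re.search(pattern, pw):
                problems.append(f"missing {name} character")
    # Even partial inclusion of a personal detail (e.g. Sophie2023!) is rejected.
    for token in personal_info:
        if len(token) >= 3 and token.lower() in low:
            problems.append(f"contains personal information '{token}'")
    if any(word in low for word in COMMON_WORDS):
        problems.append("contains a common dictionary word")
    if _has_keyboard_walk(low):
        problems.append("contains a keyboard walk")
    if re.search(r"(.)\1\1", pw):
        problems.append("contains repeated characters")
    if _has_sequence(low):
        problems.append("contains a sequential run")
    return problems
```

Uniqueness across accounts cannot be judged from a single password, so that rule is left to the password manager's own reuse warnings.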

3. 1Password info

For certain users, as per operational requirements, OET uses a major, global, trusted password platform (1Password) to manage all its organizational passwords, and their sharing across teams in various vaults.

1Password is trusted by major organizations including GitLab, IBM, Slack, Salesforce, and Canva. The company has over 150,000 clients, and is the most-used enterprise password manager.

The platform integrates an admin dashboard, through which OET can manage secure password sharing vaults, for specific teams. It also integrates many modern security standards, including FIDO2 and SSO. Finally, 1Password vaults use end-to-end 256-bit encryption.

For more information, you can visit their website here: https://1password.com.

And for info about password sharing in 1Password, you can go here: https://1password.com/features/secure-password-sharing.

4. BitWarden and NordPass info

BitWarden

Developed in the United States, BitWarden is another renowned password management platform. It is open-source, compliant with many global security standards, and uses AES-256 encryption, salted hashing, and a PBKDF2 SHA-256 authentication process.

You can create a free account here: https://bitwarden.com/go/start-free.

NordPass

Developed in the Netherlands by the creators of the NordVPN service, NordPass is a trusted password management platform, with similar functionality to 1Password, and the company undergoes routine security audits. It is compatible with many different OSes and browsers, and uses end-to-end encryption and the XChaCha20 algorithm.

You can create a free account here: https://nordpass.com/plans.

5. Process for storing OET passwords

A. Activate your account

  • For 1Password, Quintin will send you an invitation email (please click it within 2 days, before it expires). For BitWarden and NordPass, please go ahead and create a free account using the links above
  • Choose a secure Master Password that you can remember
  • Store your account backup information securely (definitely not inside your password manager, and ideally not on a device on which you use the platform)

B. Set up 2FA

  • 2FA is mandatory, and you will be able to enable it in the settings of your password manager
  • Please select a secure, trusted 2FA app, and follow the setup steps to enable it (recommendations are Google Authenticator and Microsoft Authenticator)
  • You may be asked during future logins for your 2FA code, so that the app can verify it is you who is logging in
  • At any time, you can easily switch to a different 2FA app. Just remember to activate the new one before removing your password manager from the old one
  • If you wish, you may save a device as trusted in your password manager

C. Install the apps

  • You can install any apps for 1Password that you like, depending on your browser/s and OS/es from here
  • You will need to use your full account details to log in for each new device you use. Please keep track of which devices you're logged in on
  • If there is a login from a brand new device, you will likely be emailed, after which you can make sure it was indeed you who actioned it
  • To make things a bit easier, in settings, you may extend the duration that the password manager's browser extension remains unlocked, before it automatically locks and requires you to log in again
  • Also, to make things easier, you can (at least in some browsers, like Chrome) create an entirely separate browser profile, specifically for OET. This way, you can have your own personal password manager in your personal browser profile, and simultaneously log into the OET browser profile and use the password manager extension in there
  • Some password managers have a desktop app, which allows you to conveniently access your credentials without internet access (offline mode). Feel free to use this if it's available

D. Store your passwords

  • You will be able to store passwords and payment information
  • You can use the standard info fields, like username, password, and URL, as well as, if applicable and possible in your password manager, add other ones through dropdown menus
  • Your app will likely offer a built-in strong password generator tool for you to easily, automatically generate really good passwords, and put them right in the app
  • If you want to, you can edit stored information at a later stage
  • Any changes to stored info may take a bit of time to update across all the platforms on which you use the password manager, but this process should be fully automated
  • If you want to and the feature is available, you can also attach files to the passwords you house in your password manager, for additional secure storage
  • When creating new logins, and reviewing your old ones, try to make passwords as strong as possible (within the allowances of each respective website). If you have existing, weak passwords, please update them
  • When saving new credentials for things that are OET-related, please always use your OET email address. If you have old, OET-related credentials that use other email addresses, please update them to use your OET email soonest

6. Process for sharing OET passwords

Never share passwords through chat messages, email, or any other general-purpose communication channel — even if you delete the message afterwards. Messages can be logged, cached, or intercepted, and deletion is not guaranteed. Always use one of the secure methods below, depending on your password manager.

1Password (preferred)

1Password is OET's preferred platform for anyone who regularly needs to share credentials with teammates, as it provides the most complete and secure sharing experience. The process is as follows:

A. Join your team vaults

  • If you have received invitations to any Team Vaults, please accept them.
  • Once done, you can add logins, files, or other info into the Team Vault.
  • Anyone in that Team Vault will be able to view and edit what you add. This makes it easy to share platform logins for things you all use.

BitWarden

BitWarden includes a built-in feature called Send that lets you share sensitive text via a secure, encrypted, self-destructing link — no shared vault required. To use it:

  • Open BitWarden and navigate to the Send tab
  • Create a new Text Send with the password as the content
  • Set a short expiration (e.g. 1 hour or 1 day) and a maximum view count of 1
  • Optionally add a passphrase for an extra layer of protection
  • Send the generated link to the recipient via any channel — the secret itself is encrypted and will be permanently deleted after it is viewed or expires

NordPass

NordPass does not currently offer a built-in feature for sharing credentials with someone outside of NordPass. As a temporary measure, until OET moves all team members to 1Password, NordPass users should use Password Pusher to share credentials:

  • Go to pwpush.com (or the EU instance at eu.pwpush.com for GDPR compliance)
  • Paste the password, set a short expiration and a view limit of 1
  • Send the generated link to the recipient

Password Pusher is an established, open-source tool (active since 2011) that encrypts secrets at rest using AES-256-GCM and permanently deletes them after expiry. Note that it is not zero-knowledge — the service holds the encryption key — which is why it is a temporary fallback rather than a long-term solution. If you regularly need to share passwords with teammates, please speak to your Team Lead about moving to 1Password.

Good password sharing practices (all platforms)

  • Only share a password when it is absolutely necessary. When in doubt, keep it in your personal vault and wait to be asked.
  • If you are not sure whether a credential should be in your personal vault or a shared team vault, check with your Team Lead.
  • Always use the shortest practical expiration when generating a sharing link.
  • Once a shared credential is no longer needed by the recipient, update or rotate it.
  • If it is no longer necessary for something to be shared in a vault, move it back to your personal vault.

Thank you!

Troubleshooting

  • Browser extensions cannot communicate with the 1Password desktop app
    • Make sure you have enabled the 1Password desktop app to communicate with the browser extension.
    • For Linux OS: This can happen if the browser you are using was installed using snap or flatpak. For security purposes, these installations are sandboxed, and cannot communicate with the desktop app. To solve this, you need to install your browser using the package manager of your OS, for example apt on Ubuntu.
    • Special case, Ubuntu: Since Ubuntu 21.04, Ubuntu automatically installs the snap package of Firefox, even if you install it using apt from the Mozilla PPA. You need to follow this linked guide to disable this behaviour, otherwise your Firefox installation will be overwritten with the snap version at the next update.