Open energy transition password policy
1. A note about password security
Securely storing your OET-related passwords is essential to maintaining our organizational security. This policy serves not only as a Q&A about password management, but also to state the requirement to use one of our vetted password management platforms to store all OET-related passwords, whether or not you will be sharing them with teammates.
We understand that you may already have a personal password manager in place, but since not everyone has one, and we are not aware of the security behind each person's system, it makes more sense for OET to have a list of our own vetted password managers for all organizational credentials. We trust this makes sense to you from an administrative standpoint.
If you use one of our vetted platforms already, and you want two separate accounts, then you can create another just for OET credentials. If you want them all in one, and trust your master password is secure for your existing account, then you may continue using that account, and can ignore the rest of this guide. Yay!
Our trusted platforms
We have 3 vetted platforms you can use. These are:
- 1Password (paid, and managed by OET)
- BitWarden (free, and managed by you)
- NordPass (free, and managed by you)
Which one should you use?
If you are using a different password manager from the ones above, or storing your passwords elsewhere, please move them over to one of our vetted platforms. Which one?
Well, if you have already been invited to 1Password (only for certain OETers, as per operational needs), then please use that. It is paid for, and administered by OET directly. The invite will come from Quintin, to your OET inbox, during your first few days with us.
If you don't get one, that means you need to use one of the other two (free) platforms, and create an account for yourself using the instructions below (you can skip to Section 3 for the links). Please create an account soonest.
While using Google Passwords may be convenient, it is not as secure as a separate password manager, and thus, we have this policy in place. Once you're hacked, there's not much you can do, and you can't reverse it. So, please use secure password practices from the start, as you will be protecting our intellectual property, which obviously benefits us all.
You should be able to easily import passwords in bulk into any of our 3 platforms, provided you've managed to export them suitably from your existing password manager. If you're signing up for an OET-related password manager from the get-go, this is not relevant to you.
If you have questions about the below, you can reach out to our platform admin - our Head of People, Quintin, preferably on Discord, or otherwise via email (quintin.coetzee@openenergytransition.org).
2. 1Password info
For certain users, as per operational requirements, OET uses a major, global, trusted password platform (1Password) to manage all its organizational passwords and their sharing across teams in various vaults.
1Password is trusted by major organizations including GitLab, IBM, Slack, salesforce, and Canva. The company has over 150,000 clients, and is the most-used enterprise password manager.
The platform integrates an admin dashboard, through which OET can manage secure password sharing vaults, for specific teams. It also integrates many modern security standards, including FIDO2 and SSO. Finally, 1Password vaults use end-to-end 256-bit encryption.
For more information, you can visit their website here: https://1password.com.
And for info about password sharing in 1Password, you can go here: https://1password.com/features/secure-password-sharing.
3. BitWarden and NordPass info
BitWarden
Developed in the United States, BitWarden is another renowned password management platform. It is open-source, compliant with many global security standards, and uses AES-256 encryption, salted hashing, and PBKDF2 SHA-256 for authentication.
You can create a free account here: https://bitwarden.com/go/start-free.
NordPass
Developed in the Netherlands by the creators of the NordVPN service, NordPass is a trusted password management platform with similar functionality to 1Password, and the company undergoes routine security audits. It is compatible with many different OSes and browsers, and uses end-to-end encryption and the XChaCha20 algorithm.
You can create a free account here: https://nordpass.com/plans.
4. Process for storing OET passwords
A. Activate your account
- For 1Password, Quintin will send you an invitation email (please click it within 2 days, before it expires). For BitWarden and NordPass, please go ahead and create a free account using the links above
- Choose a secure Master Password that you can remember
- Store your account backup information securely (definitely not inside your password manager, and ideally not on a device on which you use the platform)
B. Set up 2FA
- 2FA is mandatory, and you will be able to enable it in the settings of your password manager
- Please select a secure, trusted 2FA app, and follow the setup steps to enable it (recommendations are Google Authenticator and Microsoft Authenticator)
- You may be asked during future logins for your 2FA code, so that the app can verify it is you who is logging in
- At any time, you can easily switch to a different 2FA app. Just remember to activate the new one before removing your password manager from the old one
- If you wish, you may save a device as trusted in your password manager
C. Install the apps
- You can install any apps for 1Password that you like, depending on your browsers and OSes, from here
- You will need to use your full account details to log in for each new device you use. Please keep track of which devices you're logged in on
- If there is a login from a brand new device, you will likely be emailed, after which you can make sure it was indeed you who actioned it
- To make things a bit easier, in settings, you may extend the duration that the password manager's browser extension remains unlocked, before it automatically locks and requires you to log in again
- Also, to make things easier, you can (at least in some browsers, like Chrome) create an entirely separate browser profile, specifically for OET. This way, you can have your own personal password manager in your personal browser profile, and simultaneously log into the OET browser profile and use the password manager extension in there
- Some password managers have a desktop app, which allows you to conveniently access your credentials without internet access (offline mode). Feel free to use this if it's available
D. Store your passwords
- You will be able to store passwords and payment information
- You can use the standard info fields, like username, password, and URL, as well as, if applicable and possible in your password manager, add other ones through dropdown menus
- Your app will likely offer a built-in strong password generator tool for you to easily, automatically generate really good passwords, and put them right in the app
- If you want to, you can edit stored information at a later stage
- Any changes to stored info may take a bit of time to update across all the platforms on which you use the password manager, but this process should be fully automated
- If you want to and the feature is available, you can also attach files to the passwords you house in your password manager, for additional secure storage
- When creating new logins, and reviewing your old ones, try to make passwords as strong as possible (within the allowances of each respective website). If you have existing, weak passwords, please update them
- When saving new credentials for things that are OET-related, please always use your OET email address. If you have old, OET-related credentials that use other email addresses, please update them to use your OET email soonest
5. Process for sharing OET passwords (1Password only)
As sharing via vaults is available only in 1Password, if you want to share a password while using BitWarden or NordPass, please find a secure way of doing so, like sending it via a Discord DM, and then deleting the message once the recipient has copied it into their password manager. For 1Password, the process is as follows:
A. Join your team vaults
- If you have received invitations to any Team Vaults, please accept them.
- Once done, you can add logins, files, or other info into the Team Vault.
- Anyone in that Team Vault will be able to view and edit what you add. This makes it easy to share platform logins for things you all use.
B. Good password sharing practices
- Please ensure that it is absolutely necessary to share something outside your own vault before doing so. Your personal vault is accessible only by you.
- If you are not sure whether a password should be stored in your personal vault or in a shared team vault, please check with your Team Lead. When in doubt, store something in your personal vault, and wait for someone to ask for it to be shared, if and when that may occur
- If it is no longer necessary for something to be shared, change it so that it's only in your personal vault.
Thank you!
Troubleshooting
- Browser extensions cannot communicate with the 1Password desktop app
- Make sure you have enabled the 1Password desktop app to communicate with the browser extension.
- For Linux: this can happen if the browser you are using was installed using snap or flatpak. For security purposes, these installations are sandboxed and cannot communicate with the desktop app. To solve this, you need to install your browser using the package manager of your OS, for example using apt on Ubuntu.
- Special case, Ubuntu: since Ubuntu 21.04, Ubuntu automatically installs the snap package of firefox, even if you install it using apt from the Mozilla PPA. You need to follow this linked guide to disable this automatism, or else your firefox installation will be overwritten with the snap version at the next update.
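To check whether the browser you are running is a sandboxed snap/flatpak install (which cannot talk to the 1Password desktop app) or a native package-manager install, here is a small POSIX shell script. It is an added example, not part of the OET policy or any 1Password tooling; the path prefixes and the "wrapper script in /usr/bin that hands off to the snap" heuristic for the Ubuntu firefox special case are assumptions based on standard Ubuntu layout.

```shell
#!/bin/sh
# Added example: classify how a browser binary was installed.
# snap/flatpak installs are sandboxed and cannot reach the 1Password desktop app;
# native package-manager installs (apt etc.) can.

# classify_browser_path PATH -> prints one of: snap flatpak native unknown
classify_browser_path() {
  path="$1"
  # Resolve symlinks so e.g. /usr/bin/chromium -> /snap/bin/chromium is caught.
  if [ -e "$path" ]; then
    resolved=$(readlink -f "$path" 2>/dev/null || printf '%s' "$path")
  else
    resolved="$path"
  fi
  case "$resolved" in
    /snap/*) echo snap; return 0 ;;
    /var/lib/flatpak/*|*/.local/share/flatpak/*) echo flatpak; return 0 ;;
  esac
  # Ubuntu special case (assumed layout): apt's firefox package drops a small
  # shell wrapper in /usr/bin that execs the snap, so a script mentioning
  # "snap" still counts as a snap install.
  if [ -f "$resolved" ]; then
    first=$(head -c 2 "$resolved" 2>/dev/null)
    if [ "$first" = '#!' ] && grep -q snap "$resolved"; then
      echo snap; return 0
    fi
  fi
  case "$resolved" in
    /usr/bin/*|/usr/lib/*|/usr/local/*|/opt/*) echo native ;;
    *) echo unknown ;;
  esac
}

# check_browser NAME -> locate NAME on PATH, classify it and print advice.
check_browser() {
  bin=$(command -v "$1" 2>/dev/null) || { echo "$1: not found on PATH"; return 1; }
  kind=$(classify_browser_path "$bin")
  echo "$1: $bin ($kind)"
  case "$kind" in
    snap|flatpak) echo "  sandboxed: reinstall via your OS package manager (e.g. apt)" ;;
  esac
}

# Usage (hypothetical file name): sh browser-source.sh firefox chromium
for b in "$@"; do check_browser "$b"; done
```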