1Password

Purpose
Keeping all of our credentials and secrets organized, safe, and easy to access for the right people
Type
Core
Owner
Ty Fujimura
Status

Overview

1Password is how we store and share credentials and other sensitive information.

Use For...

✅ Storing login information for services

✅ Storing financial information (yours or the company's)

✅ Storing secrets like API keys

Don’t Use For...

⛔️ Long documents

⛔️ Anything that is not secret

Why we use it

1Password is the industry leader in password storage. They have a great suite of apps and browser plugins that make it easy to generate and use strong, unique credentials.

1Password is especially helpful for storing sensitive development information like server access and API keys, and business information like financial documentation.

How we use it

All team members should have 1Password installed on their computer and the browser extension installed in their browser of choice. Team members will be invited to the particular client vaults they should have access to. They can access and add credentials from there.

Golden Rules

  • Do not share sensitive information outside of 1Password.
  • Follow the 1Password directions during setup so that you have an Emergency Kit and two-factor authentication set up.
  • Whenever possible, use 1Password to set up 2FA for services (see below).
  • Follow the naming conventions for any new credentials you make (see below).

Guidelines

Setup

When you join Cantilever, People Ops will send you an invite to our 1Password account. Your manager will send access to any relevant vaults you need for your projects. If you have not been oriented and set up by the time you're reading this, contact HR.

Your 1Password master password must be very, very strong. Keep in mind that clients entrust us with crucial business information, and we should take that very seriously.

As a part of your orientation, you should have downloaded/printed a 1Password "Emergency Kit", which contains the Secret Key you can use to recover your data in case you forget your password. The account can be accessed on the web at: cantilever.1password.com

More likely, you will want to use the 1Password app on your computer and phone. You can log in there with the same credentials you use online.

Organization

Any credentials associated with a single client should go in the client's vault. If you are working with a client that does not yet have a vault, please ask Legal to make one.

Any credentials you need for work, but should NOT be shared with the full team (such as your Cantilever email credentials) should go in your personal 1Password vault in the Cantilever account. Any credentials you need in general which are not private and could benefit the full team should go in the Cantilever "Shared" vault.

Do not store any Cantilever data outside of the Cantilever 1Password account. This is important for legal reasons, but also for safety. If your computer burns to a crisp, we need to know our data is still available to anyone in the company who needs it.

Naming Conventions

Vaults

All vaults should be named by client, not project.

image

Names should be capitalized except in special cases like "eBeam". Slashes should be used without any spaces around them.

Account Credentials

Credentials appear in list format in the 1Password app, the website, and the quick-access Chrome extension, so they must be named in a way that makes sense in each of those venues. Some sites may have multiple credentials assigned to them, so it is important to include the client name in the credential name. Additionally, some clients have multiple projects, so we may need to redundantly identify logins associated with their main projects.

The general format is:

[Account Owner] Account Description

In other words: "[Who] What"

Or... "[Owner] Thing"

Or... "[Person or Company logging in] Thing they are logging in to"

So, if Cantilever is the account owner of a password for a particular client, the naming might go as follows:

[Cantilever] eBeam Imgix

The specific person is not important unless there are multiple accounts associated with a given service, in which case it would be:

[Andrew] eBeam Imgix

or

[Sherbert] eBeam Imgix

For any given password, the default owners are generally Cantilever or the client. Using eBeam as an example, other naming conventions might look like:

[eBeam] Wordfence

This is an account and service that the client uses, but we have access to.

‼️
There is no need for the bracket notation for anything other than logins. Anything that is NOT a login (like a PDF, credit card, or note) should not use the login syntax ("[Owner] Thing").
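As an added illustration (not part of Cantilever's handbook or of 1Password's own tooling), here is a small Python linter that applies the vault-name rules and the "[Owner] Thing" login rule above to a constructed list of items. The sample items, the category names and the JSON shape (modelled on 1Password CLI `op item list --format json` output) are assumptions, as is the `eBeam` exception set.

```python
import json
import re

# Constructed sample, shaped like `op item list --format json` output
# (title, category, vault name); not real Cantilever data.
SAMPLE_ITEMS = json.loads("""[
  {"title": "[Cantilever] eBeam Imgix", "category": "LOGIN", "vault": {"name": "eBeam"}},
  {"title": "[eBeam] Wordfence", "category": "LOGIN", "vault": {"name": "eBeam"}},
  {"title": "Mailchimp", "category": "LOGIN", "vault": {"name": "Esquire"}},
  {"title": "[Esquire] Tax ID", "category": "SECURE_NOTE", "vault": {"name": "Esquire"}},
  {"title": "Company Amex", "category": "CREDIT_CARD", "vault": {"name": "Shared"}},
  {"title": "[Watson Advertising] WP Admin", "category": "LOGIN", "vault": {"name": "twc / Watson"}}
]""")

# "[Owner] Thing": owner in brackets, one space, then a non-empty description.
LOGIN_TITLE = re.compile(r"^\[(?P<owner>[^\[\]]+)\] (?P<thing>\S.*)$")
# Vault names that legitimately start lowercase (the "eBeam" special case); assumed list.
VAULT_NAME_EXCEPTIONS = {"eBeam"}

def check_title(title, category):
    """Problems with one item title: logins need '[Owner] Thing', nothing else may use it."""
    problems = []
    bracketed = LOGIN_TITLE.match(title) is not None
    if category == "LOGIN" and not bracketed:
        problems.append("login title must be '[Owner] Thing'")
    if category != "LOGIN" and bracketed:
        problems.append("bracket owner syntax is only for logins")
    return problems

def check_vault_name(name):
    """Problems with a vault name: capitalized parts, no spaces around slashes."""
    problems = []
    if re.search(r"\s/|/\s", name):
        problems.append("no spaces around slashes in vault names")
    for part in (p.strip() for p in name.split("/")):
        if part and part[0].islower() and part not in VAULT_NAME_EXCEPTIONS:
            problems.append(f"vault part '{part}' should be capitalized")
    return problems

def lint(items):
    """Map each offending item title to its list of problems (vault issues included)."""
    report = {}
    for item in items:
        problems = check_title(item["title"], item["category"])
        problems += [f"vault: {p}" for p in check_vault_name(item["vault"]["name"])]
        if problems:
            report[item["title"]] = problems
    return report
```

Running `lint(SAMPLE_ITEMS)` flags the bare "Mailchimp" login, the bracketed secure note, and the item whose vault name has spaces around its slash and a lowercase part.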

Notes & Docs

Notes are only visible in the 1Password app or web interface, not the browser widget, so we can be more relaxed about their naming conventions.

🚫 Anti-patterns:

From the Esquire vault:

image

What account is this? If you're using the Chrome extension, or don't recognize the Mailchimp monkey, you couldn't tell in advance. This should be [Esquire] Mailchimp.

From the Kode with Klossy vault:

image

This should be [KWK Blog] Cantilever WP (from the TWC vault).

From the TWC vault:

image

This should be [Watson Advertising] WP Admin.

Two-factor authentication

Two-factor auth should be on for any service we use that supports it. 1Password can work as a one-time password generator like Google Authenticator. We use this instead of Google Authenticator. Docs here: