Overview
1Password is how we store and share credentials and other sensitive information.
Use For...
✅ Storing login information for services
✅ Storing financial information (yours or the company's)
✅ Storing secrets like API keys
Don’t Use For...
⛔️ Long documents
⛔️ Anything that is not secret
Why we use it
1Password is the industry leader in password storage. They have a great suite of apps and browser plugins that make it easy to generate and use strong, unique credentials.
1Password is super helpful for storing sensitive development information like server access and API keys, and business information like financial documentation.
How we use it
All team members should have 1Password installed on their computer and have the browser extension installed in their browser of choice. Team members will be invited to the particular client vaults they should have access to. They can access and add credentials from there.
Golden Rules
- Do not share sensitive information outside of 1Password.
- Follow the 1Password directions during setup so that you have an Emergency Kit and two-factor authentication set up.
- Whenever possible, use 1Password to set up 2FA for services (see below).
- Follow the naming conventions for any new credentials you make (see below).
Guidelines
Setup
When you join Cantilever, People Ops will send you an invite to our 1password account. Your manager will send access to any relevant vaults you need for your projects. If you have not been oriented and set up by the time you’re reading this, contact HR.
Your 1Password master password must be very, very strong. Keep in mind that clients entrust us with crucial business information, and we should take that very seriously.
As a part of your orientation, you should have downloaded/printed a 1Password "emergency kit" which contains secret keys you can use to recover your data in case you forget your password. The vault can be located at: cantilever.1password.com
More likely, you will want to use the 1Password app on your computer and phone. You can log in there with the same credentials you use online.
Organization
Any credentials associated with a single client should go in the client’s vault. If you are working with a client which does not yet have a vault, please ask Legal to make one.
Any credentials you need for work, but should NOT be shared with the full team (such as your Cantilever email credentials) should go in your personal 1Password vault in the Cantilever account. Any credentials you need in general which are not private and could benefit the full team should go in the Cantilever "Shared" vault.
Do not store any Cantilever data outside of the Cantilever vault. This is important for legal reasons, but also for safety. If your computer burns to a crisp, we need to know our data is still available to anyone in the company who needs it.
Naming Conventions
Vaults
All vaults should be named by client, not project.
Names should be capitalized except in special cases like "eBeam". Slashes should be used without any spaces between them.
Account Credentials
Credentials appear in list format in the 1Password app, website, and quick access Chrome extension. So they must be named in a way that makes sense for each of those venues. Some sites may have multiple credentials assigned to them. So, it is important to list the client name in the credential name. Additionally, some clients have multiple projects, so we may need to redundantly identify logins associated with their main projects.
The general format is:
[Account Owner] Account Description
In other words: "[Who] What"
Or... "[Owner] Thing"
Or... "[Person or Company logging in] Thing they are logging in to"
So, if Cantilever is the 'account owner' of a password for a particular client, the naming might go as follows:
[Cantilever] eBeam Imgix
The specific person is not important unless there are multiple accounts associated with a given service, in which case it would be:
[Andrew] eBeam Imgix
or
[Sherbert] eBeam Imgix
For any given password, the default owners are generally Cantilever or the client. Using eBeam as an example, other naming conventions might look like:
[eBeam] Wordfence
This is an account and service that the client uses, but we have access to.
Notes & Docs
Notes are only visible in the 1Password app or web interface, not the widget, so we can be more relaxed about their naming conventions.
🚫 Anti-patterns:
From the Esquire vault:
What account is this? If you're using the Chrome extension, or don't know the Mailchimp monkey, you couldn't tell in advance. This should be [Esquire] Mailchimp.
From the Kode with Klossy vault:
This should be [KWK Blog] Cantilever WP (from the TWC Vault)
From the TWC vault:
This should be [Watson Advertising] WP Admin.
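A small linter for the naming conventions above, added here as an example; it is not a Cantilever tool and not part of 1Password. It parses credential names into owner and description, rejects names with no bracketed owner (the anti-patterns above), and checks vault names for capitalization and spaces around slashes. The rule it uses for "eBeam"-style special cases (a lowercase prefix directly followed by a capital letter) is an assumption about what the page means.

```python
import re

# Credential names read "[Owner] Description", e.g. "[Cantilever] eBeam Imgix"; the
# optional "(from the X Vault)" suffix follows the KWK Blog example above.
CREDENTIAL_RE = re.compile(
    r"^\[(?P<owner>[^\[\]]+)\] (?P<desc>.+?)"
    r"(?: \(from the (?P<src>[^()]+) Vault\))?$"
)


def parse_credential_name(name):
    """Split a name into (owner, description, source_vault or None).

    Raises ValueError for names that break the convention, such as a bare
    "Mailchimp" with no bracketed owner (the anti-pattern shown above).
    """
    m = CREDENTIAL_RE.match(name.strip())
    if not m:
        raise ValueError(f"{name!r}: expected '[Owner] Description'")
    owner, desc = m.group("owner").strip(), m.group("desc").strip()
    if not owner or not desc:
        raise ValueError(f"{name!r}: owner and description must be non-empty")
    return owner, desc, m.group("src")


def lint_credential_name(name):
    """Return a list of problems; an empty list means the name conforms."""
    try:
        parse_credential_name(name)
    except ValueError as err:
        return [str(err)]
    return []


def lint_vault_name(name):
    """Check a vault name: capitalized segments and no spaces around slashes.

    Assumption (not stated on the page): the "eBeam" special case means a
    lowercase prefix immediately followed by a capital letter is acceptable.
    """
    problems = []
    if re.search(r"\s/|/\s", name):
        problems.append(f"{name!r}: slashes must not be surrounded by spaces")
    for part in name.split("/"):
        part = part.strip()
        if not part:
            problems.append(f"{name!r}: empty segment next to a slash")
        elif not (part[0].isupper() or re.match(r"[a-z]+[A-Z]", part)):
            problems.append(f"{part!r}: should be capitalized")
    return problems
```

Run it over an export of item titles before a vault review to catch names the Chrome extension would show without any owner context.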
Two-factor authentication
Two-factor auth should be on for any service that we use that supports it. 1Password can work as a one-time-password generator like Google Authenticator. We use this instead of Google Authenticator. Docs here: