1Password

  • Speaking of secrets management, Vault by HashiCorp was the go-to secrets store for everyone at Nimble for a long time.
  • Using Vault was not hard, but operating it took a decent amount of effort: hosting, hardening, upgrades and managing the TLS certificates the team relied on.
  • It ran without any major incident, but it lacked integrations with the platforms most teammates use daily (Android and iOS phones, browsers, etc.). It was time to move to a tool that saves a bit of effort every day and offers a much nicer user experience.
  • The team shut down vault.nimblehq.co as the password manager and replaced it with a better tool, still reachable at the same address.

Meet 1Password

  • 1Password is a password manager that keeps the team's secrets and shares them among teammates with fine-grained permissions.
  • Its integrations save the time otherwise spent memorizing passwords, hunting for secret files, or switching to the vault to look a value up and copy/paste it.
  • Its Watchtower feature notifies the team when it finds weaknesses in stored passwords, such as:
    • The same password reused in multiple places.
    • Passwords that are not complex enough.
    • Passwords that have shown up in a known data breach elsewhere.

For a complete introduction to 1Password, head 👉 HERE.

The 1Password workspace

  • Everyone at Nimble receives an invitation to the workspace on their first day, or can request to join the 1Password team at https://nimble.link/security/. Only @nimblehq.co emails can join.
  • Third parties who need access can be added as guests (up to 5 guest accounts). A guest can access only a single vault.
  • After joining, sign in at https://nimble.1password.com.
  • After joining the Nimble workspace, every member can access the General vault, called ‘Nimble - General’.
  • A Private vault is also created for each teammate's personal use. Nobody else can access it, not even administrators or owners.

    Your Private vault

Install 1Password

  • In addition to the website, 1Password provides apps for the common needs:
    1. 1Password Chrome Extension, Firefox Add-ons, Safari
    2. 1Password for Android
    3. 1Password for iOS
    4. 1Password for Desktop
    5. and more. Check out 👉 HERE
  • At a minimum, install the browser extension from #1 for your default/preferred browser.

  • Reading a username/password pair is straightforward in the GUI, either on the website or in any of the apps: navigate to a vault you have access to and open the item you need.
  • Writing a secret item is also simple:
    • Pick the vault.
    • Choose the appropriate template (for now, the Login template is the most commonly used one; more templates are covered later).
    • Enter the username, the password and the website the secret applies to, so that the autofill helper works.
  • Deleting is restricted to the vault's administrators group. Only members with the admin role can:
    • Move an item to Trash (removes it temporarily; it can still be recovered).
    • Empty the Trash (removes items permanently), or
    • Delete a vault (this requires a higher permission).

Using 1Password

Skip this if you are already familiar with password manager tools. If this is the first time you have heard of them, keep reading.

The basic usage:

  • In the web browser, after installing the extension, you are redirected to a sign-in screen.

    1Password welcome

  • Click Sign In, pick the Nimble workspace and enter your Master Password.

    1Password Signin

  • An icon like this appears on the toolbar (without the lock 🔒 once you are signed in).

    1Password Toolbar

  • Now, when navigating to a website that requires a login, for example https://teamtreehouse.com/signin, a pop-up suggests a matching login stored in one of the vaults you have access to.

    1Password Treehouse Example

  • If it does not appear, search for the item from the toolbar icon.

    1Password Treehouse Toolbar

  • On mobile, the same support is available after installing the 1Password app. When credentials are required, 1Password offers to fill in the fields.

    1Password Mobile

Credit Cards:

The Operations team has the company credit cards in its assigned vault to make online payments easier. Make sure to select the right card. Most websites are supported, as shown below:

    1Password Credit Card Example

Sharing Secrets

Whenever someone on the team needs to share secrets with another person, it must be done using 1Password.

Internally, it should be done by pointing a colleague to the proper vault (with the right access).

Externally, sharing credentials or sensitive secrets must be done by using 1Password’s built-in sharing feature.

1Password Sharing

There are a couple of guidelines to follow when sharing a secret externally:

  1. Always share with specific people.
    Do not use the “Anyone with the link” option: it shares the secret with absolutely anyone who obtains the link, whether they were the intended recipient or not.
  2. Set an expiration time for the share. Never share a secret that does not expire.

1Password Sharing

Learn more about 1Password’s item sharing here.

Managing 1Password

This section explains how to add an item to a vault.

Managing Credentials

  • To add an Item:
    • Pick a vault in which you have permission to create items.
    • Click the Add button and choose the type of item.

      1Password Add Item

    • Choose the item type according to the kind of data:
      • The basic type is Login.
      • For documents or SSH keys, choose Document.
      • For an API client ID and client secret, choose API Secret.
    • To add a basic username/password pair, choose Login. Then fill in the 4 most important fields:
      • Title.
      • username.
      • password.
      • website.

      1Password Add Login

    • To add an SSH key, store it as a Document so the file is kept byte-for-byte intact. Choose the Document type, give it a name and drag the key file in to upload it. Note the key's fingerprint (ssh-keygen -lf on the key file) in the item's notes so the stored copy can be verified later.

      1Password Add Document

    • For an API Secret to a platform, choose API Secret and fill in:
      • title
      • client_id
      • client_secret
      • url

      1Password Add API Secret

    • For AWS in particular, choose the AWS Key item and fill in:
      • access_key
      • access_secret
      • service

      1Password Add AWS Secret

Admin Management

This section guides how to manage content on 1Password as an administrator.

Vault

  • Vault names must follow the pattern {Organization} - {Location?} - {Domain}, where the Location segment is optional. For example:
    • Nimble - General
    • Nimble - People Operations
    • Nimble - Thailand - Office Operations
    • Nimble - Vietnam - Office Operations
    • {ClientName} - General
    • {ClientName} - Admin
  • Always attach a logo so the vault is easy to recognise.
  • Grant access permissions by group, not per individual user.
  • Permissions:
    • Admin permissions: full read/write/delete on the vault's content, but no permission to manage the vault itself.

    1Password Admin Permission

    • General permissions: read/write with some limits, for example no deletion.

    1Password General Permission

Group

  • A Group collects members so that permissions can be assigned to all of them at once.
  • Group names follow the vault naming convention, so that assigning people and restricting permissions stays straightforward.

    E.g., for a vault named Nimble - General there must be a group named Nimble - General.

  • Always attach a logo so the group is easy to recognise.
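The two conventions above (vault names follow {Organization} - {Location?} - {Domain}, and every shared vault has a group of the same name) are easy to check mechanically. The script below is an added example written for this page, not 1Password's own tooling: it parses vault names against the pattern and reports vaults with no matching group and groups with no matching vault. The vault and group names it runs on are constructed sample data; in practice you would feed it the names from the admin console or, assuming you use the 1Password CLI, the "name" fields of op vault list --format json and op group list --format json. The built-in group names it ignores are an assumption about a default 1Password Business account.

```python
from typing import Optional

# Groups that 1Password creates by default and that do not correspond to a vault
# (assumption about a default account; extend if your account has others).
BUILTIN_GROUPS = {"Owners", "Administrators", "Team Members"}

# Per-member Private vaults are not shared and are not subject to the convention.
IGNORED_VAULTS = {"Private"}


def parse_vault_name(name: str) -> Optional[dict]:
    """Split a vault name into its segments, or return None if it does not follow
    '{Organization} - {Location?} - {Domain}' (segments joined by ' - ')."""
    parts = name.split(" - ")
    # Two or three segments, none empty, no stray whitespace (e.g. double spaces).
    if not 2 <= len(parts) <= 3 or any(not p or p != p.strip() for p in parts):
        return None
    if len(parts) == 2:
        org, domain = parts
        location = None
    else:
        org, location, domain = parts
    return {"org": org, "location": location, "domain": domain}


def audit(vault_names, group_names):
    """Return a list of (issue, name) tuples:
    'bad-name'      vault name violates the naming convention
    'missing-group' shared vault has no group with the identical name
    'orphan-group'  non-built-in group has no vault with the identical name
    """
    issues = []
    vaults = [v for v in vault_names if v not in IGNORED_VAULTS]
    groups = set(group_names)
    for v in vaults:
        if parse_vault_name(v) is None:
            issues.append(("bad-name", v))
        if v not in groups:
            issues.append(("missing-group", v))
    for g in group_names:
        if g not in BUILTIN_GROUPS and g not in set(vaults):
            issues.append(("orphan-group", g))
    return issues


# Constructed sample data standing in for the real vault and group listings.
SAMPLE_VAULTS = [
    "Nimble - General",
    "Nimble - Thailand - Office Operations",
    "Nimble-Vietnam Office",   # wrong separator: violates the convention
    "Acme - Admin",            # valid name, but no group of that name below
    "Private",                 # the auditing admin's own Private vault
]
SAMPLE_GROUPS = [
    "Nimble - General",
    "Nimble - Thailand - Office Operations",
    "Owners",
    "Administrators",
    "Team Members",
    "Acme - General",          # group without a vault of the same name
]

if __name__ == "__main__":
    for issue, name in audit(SAMPLE_VAULTS, SAMPLE_GROUPS):
        print(f"{issue:14} {name}")
```

Run it regularly alongside the usage report; an empty result means every shared vault is named to convention and is paired with a group, which is what makes assigning access by group (rather than per user) reliable.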

Audit

  • The project admin should check the usage report regularly. It is available on each vault dashboard via the Create Usage Report link.

    1Password Usage Report

  • Admins should also recheck regularly whether any vault or item has unwanted access.

    If any suspicious activity is identified, report it immediately to the administrator so that action can be taken.