How We Manage Passwords and Data Sharing at Codeship

Sharing passwords and secret data with the people on your team securely is painful. You want to limit the passwords that a specific person has while being able to give them access to more at any point. All of the above should be shared in a completely secure manner that’s easy to use for tech and non-tech team members alike.

As we have grown our team at Codeship over the last few months and are using more and more services, we’ve started to struggle with this ourselves. There are many services that provide good user management (incidentally, we’ve just launched our organizations feature recently), but there are also many that don’t.

Sharing Strategy

Some of us were already using 1Password for our personal passwords, so we decided to use it company wide. It runs on Macs and mobile devices. Some of our developers are using Linux laptops, but as all the services we use in our engineering team have great user management, they can rely on Linux native secure key management.

We created an admin 1Password vault that is shared between Moritz (our CEO), Jim (our VPE), and me (CTO here at Codeship). This vault contains usernames and passwords to the admin accounts of various services and anything we need to onboard or offboard somebody from Codeship (those accounts are additionally secured with 2FA where we can). As this vault is shared between the three of us, somebody should always be available to manage any service.

Next, we created separate vaults for each department in the company. These are encrypted and synced via Dropbox. The main passwords for those vaults are stored in the admin vault I mentioned before. Thus Jim, Mo, and I have access to all company-wide admin accounts. Obviously, our machines and mobile devices are strictly locked down.

The department vaults can then be shared easily with anyone on those specific teams, so that they have easy access to everything they need. Additionally, we now have a secure way to transfer small pieces of data between people in one department; they can just add the data to their department vault, get it synced, and remove it after it was shared. This removes any need for sharing anything through unencrypted channels like Slack.

To have a really secure system, we need to make sure the main passwords that everyone uses are strong. This mostly comes down to proper education and following up with people regularly. In the next section, I’ll explain our strategy for creating good and secure passwords that people can remember easily. This is taken directly from our internal wiki, so you should be able to copy it verbatim and use it internally if you like.

Creating a Good Master Password

A good master password should be random while at the same time memorable. Passwords selected by humans are typically very easy to crack automatically; humans limit their selection of words and characters to make a password easier to remember.

And even adding a special character here or there doesn’t necessarily solve that. To counter this, randomly select words by throwing dice and then connect those words with special characters. You can use this method to create a complex master password that you then use as your 1Password master password.

1Password

1Password helps you manage your passwords so you only need to remember one strong master password. You can still have unique and very strong passwords for each service you use, of course. 1Password stores all of your passwords in encrypted vaults. You will have a main vault and create or import additional vaults (which you can use for storing team specific passwords).

Download 1Password from the AgileBits download page and take a look at their Getting Started guide.

How to create a strong master password

Diceware is a great tool for creating strong, random master passwords. It’s a list of around 7,500 preselected words. Pick five of these words by rolling the dice multiple times. Let’s walk through how to set up a master password using Diceware.

Note: Don’t use fewer than five words. It makes brute forcing the password far too easy. More words are always better.

  • Get some dice or go to https://www.random.org/dice/?num=1
  • Look at the Diceware list: http://world.std.com/~reinhold/diceware.wordlist.asc
  • Roll the dice five times and write down the numbers (e.g., 61353).
  • Look through the list to find the word associated with that dice roll (e.g., if you rolled 61353, the word would be “today”).
  • Roll the dice 25 times to get five words. Don’t throw out any of the words that were selected at random. If you use some but not others, you’re again limiting the choice of words, which makes the password much easier to crack.
  • Put the words together and have either whitespace or special characters in between each word.
  • If you feel you might forget the password, write the password on a piece of paper by hand (do not print from your laptop or store on any electronic device) and store it somewhere safe in your home where you can get to it. If you forget your password, you will not be able to log into your 1Password again. This strong password is to keep your digital data secure. The chance of somebody discovering/stealing your password paper and using it to break your accounts is very low if you keep it well stored at home.

EXAMPLE MASTER PASSWORD:

  • Dice rolls: 14364 23346 61556 34523 21322
  • Five words: blonde dove tram jl comet
  • Capitalization: Blonde Dove Tram Jl Comet
  • Special characters/numbers: Blonde@Dove2Tram*Jl%Comet

This method will give you a password where you should be able to remember the five main words easily, and the four special characters/numbers are then not a large hurdle. You don’t have to capitalize the first letter, or you can also capitalize the last one or capitalize every second letter, if you’d like other options.
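The procedure above, as an added Python example that is not part of the original post or of 1Password or Diceware: it parses the Diceware list format (`roll<TAB>word` lines, signature lines ignored), maps the post’s dice rolls to words, joins them with separators, and estimates how much entropy the words alone contribute, which is why fewer than five words is discouraged. The embedded word-list fragment is constructed and covers only the rolls used above; the real list has 7,776 entries.

```python
import math
import re

# Constructed fragment of a Diceware list in the real file's "NNNNN<TAB>word" format.
# It contains only the rolls used in the post's worked example plus one extra.
SAMPLE_WORDLIST = """\
14364\tblonde
23346\tdove
61556\ttram
34523\tjl
21322\tcomet
61353\ttoday
"""

DICEWARE_SIZE = 6 ** 5  # 7,776 entries: five six-sided dice per word


def parse_wordlist(text):
    """Parse 'NNNNN<TAB>word' lines into a dict; PGP/blank lines do not match and are skipped."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^([1-6]{5})\s+(\S+)$", line.strip())
        if m:
            table[m.group(1)] = m.group(2)
    return table


def rolls_to_words(rolls, table):
    """Map every 5-digit roll to its word; rolls are never dropped or re-rolled."""
    words = []
    for roll in rolls:
        if not re.fullmatch(r"[1-6]{5}", roll):
            raise ValueError(f"invalid dice roll: {roll!r}")
        if roll not in table:
            raise KeyError(f"roll {roll} missing from word list")
        words.append(table[roll])
    return words


def build_passphrase(words, separators, capitalize=True):
    """Join words with one separator between each pair, as in the post's example."""
    if len(separators) != len(words) - 1:
        raise ValueError("need exactly one separator between each pair of words")
    parts = [w.capitalize() if capitalize else w for w in words]
    return parts[0] + "".join(s + w for s, w in zip(separators, parts[1:]))


def word_entropy_bits(n_words, list_size=DICEWARE_SIZE):
    """Entropy from the words alone: n * log2(list size), e.g. 5 words ~ 64.6 bits."""
    return n_words * math.log2(list_size)
```

Running `build_passphrase` on the post’s rolls with the separators `@`, `2`, `*`, `%` reproduces `Blonde@Dove2Tram*Jl%Comet`; `word_entropy_bits(3)` is only about 38.8 bits, which illustrates the note about not using fewer than five words.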

Conclusions

As security is very important for us at Codeship, we need to make sure we keep access to internal services secure. At the same time, access and sharing need to be easy so as not to create incentives to circumvent the secure system in any way.

With our new 1Password-based system, we’ve got a great new strategy in place that will allow us to grow our respective teams while keeping our customers’ data secure.

I hope sharing this with you helps with some of the pain of managing your own passwords that every team, and especially every startup, deals with. If you have other strategies, please let us know in the comments.

Additional resources:

1Password Blog

Bruce Schneier on passwords

Diceware

StackExchange Discussion


Join the Discussion

  • Matt

    Great article, with some very useful advice. One question I had was what if someone leaves your company, wouldn’t they still have access to that shared vault that was on their computer?

    • All laptops are company owned; nobody is using their own machine, so we simply take the laptop and disable access on Dropbox. If we feel like there is the risk of somebody harming a service, we’ll change passwords on all services they had access to after removing them from Dropbox so they can’t access anything anymore.

      Since we don’t think this is going to be a regular problem we’re happy with a little more manual work in that case.

      • Matt

        That makes sense, thanks for the reply

  • Megan O’Brien

    Hi Florian,

    I’m Megan and I work for AgileBits, the makers of 1Password. I wanted to take a moment to thank you for writing such a great article about how your team manages passwords.

    It’s so great to hear that 1Password is helping you stay secure and giving your team the information they need to get their jobs done.

    If you ever have any questions about 1Password, feel free to reach out at support+social@agilebits.com.

    Have a great day!

    Megan O’Brien
    Level 60 Support Sorceress at AgileBits
    support.1password.com

  • While you’re probably still safe, have you considered that by publishing the patterns you use to create a “secure password”, it’s a lot easier to crack it, as any potential offender can tweak their brute-force strategies to match this specific pattern, making the XKCD comic relevant again? :)

    • I did consider that. Putting us in a position where attackers potentially know the strategy we use, even though as you say it’s still secure (http://world.std.com/~reinhold/dicewarefaq.html#howlong), forces us to not take any shortcuts. We have to use 5-6 words and additionally add special characters, … to be really safe.

      I strongly believe in setting the incentive to do the right thing. Publishing this forces us to do the right thing while it also helps other companies who might not have thought about this to have an easy way to get started.

      Thanks for your feedback though, really good question.