Nr/how to manage password #66
Conversation
onboarding/password-management.md
Outdated
| - Share password on Slack. | ||
| - Share password by email. | ||
| - Share password on papers. | ||
| - Share password on Github. |
There was a problem hiding this comment.
It might be worthwhile to emphasize that tokens -- like Slack tokens for bots -- are also passwords. Several repos in the past have had credentials uploaded directly to them; https://github.com/neuropoly/meeting_reminder_bot/ doesn't, but it expects you to fill in credentials in its source code, so that should tell you where our thinking as a lab has been at. This is a common mistake organizations make when trying to automate their workflows.
| - Manual encryption (ex: private/public key). | ||
| - End-to-end encryption method like `signal` application. |
There was a problem hiding this comment.
These are good, but maybe too difficult for some people. In a pinch I usually reach for https://privnote.com -- it encrypts and forgets -- or https://dpaste.org/ with the expiry set to one-time. These sites are obviously a risk if their owners decided to exploit us, but they would have to take an interest in us first.
There was a problem hiding this comment.
There's also meeting up in person! That's probably better than anything digital!
There was a problem hiding this comment.
And in many cases we can use ACLs instead of sharing passwords. We should really really emphasize that: you don't need to share a password if you can have your account added to a team like we do with DigitalOcean, GitHub, Google Groups, the Youtube Brand accounts, the shared smb://duke drive that people access using their (individual) GRAMES accounts., etc.
There was a problem hiding this comment.
I'm OK with the third party tool even if it's important to emphasize that they are potential threat, so people know it's the easy but not totally secure way.
ACL is clearly the top-one solution, I will add it.
For meeting in person IDK if we should add it because it open a large number of case:
- If the password is easy it's ok, but it will become hard to sync if it change and the problem repeat itself
- If the password is hard, they will need to copy/paste it and it open all the physical security area that I think we prefer to avoid inside the lab (USB key, drive, network communication is clearly complex to explain to normal users)
onboarding/password-management.md
Outdated
|
|
||
| **You should:** | ||
|
|
||
| - Use a protected password manager like `KeyPass`, `Apple's keychain`, `Google password` or `Dashlane`. |
There was a problem hiding this comment.
Also: 1password, Bitwarden. What are the other popular ones?
I know at least a couple of the linux people use KeyPassXC over KeyPass. It's solid, though it doesn't sync nicely.
There was a problem hiding this comment.
Do we really want to put a FULL list of options ? I think people should be able to do research or open discussion with IT guys that know the area. I don't think adding more and more item in the list will make it more clear for newcomers, however we could select the best 3-4 we really would like to push in intern in place of my actual random list.
onboarding/password-management.md
Outdated
|
|
||
| **You should:** | ||
|
|
||
| - Use a protected password manager like `KeyPass`, `Apple's keychain`, `Google password` or `Dashlane`. |
There was a problem hiding this comment.
These should have links to their websites, so people can choose a product if they aren't already using one.
onboarding/password-management.md
Outdated
|
|
||
| ## Storage of the sensitive information | ||
|
|
||
| Polytechnique Montreal does not provide a secure password system within the university, this responsibility is therefore distributed to each member of the laboratory. |
There was a problem hiding this comment.
This can be made more persausive
| Polytechnique Montreal does not provide a secure password system within the university, this responsibility is therefore distributed to each member of the laboratory. | |
| Polytechnique Montreal does not provide a secure password system within the university, but NeuroPoly expects members of the laboratory will use password managers for all accounts granted as part their work with us. |
onboarding/password-management.md
Outdated
|
|
||
| **You should:** | ||
|
|
||
| - Use a protected password manager like `KeyPass`, `Apple's keychain`, `Google password` or `Dashlane`. |
There was a problem hiding this comment.
| - Use a protected password manager like `KeyPass`, `Apple's keychain`, `Google password` or `Dashlane`. | |
| - Use an encrypted password manager like `KeyPass`, `Apple's keychain`, `Google password` or `Dashlane`. |
onboarding/password-management.md
Outdated
|
|
||
| **You should not:** | ||
|
|
||
| - Keep sensitive information on physical paper (post-it, printed paper) |
There was a problem hiding this comment.
I think it would be good to distinguish "sensitive information" and "passwords".
There's a plan to make everyone sign an NDA to cover the non-open medical data. Also school policy already says in several places that data should not be disclosed unless authorized, not that we currently make people read those policies during onboarding. That is "sensitive information", but trying to cover all that on this page is going to be too much.
Maybe in the future we will have a page for data protection guidelines (including the NDA?), and we can preface this page with "Everyone is responsible for link-to-data-protection-page. Part of that protection is protecting your accounts and their passwords, to prevent their theft or misuse."
There was a problem hiding this comment.
For now, this line should just simply read
| - Keep sensitive information on physical paper (post-it, printed paper) | |
| - Keep passwords on physical paper (post-it, printed paper) |
There was a problem hiding this comment.
Good points, I wanted to use a more generic terms to avoid keeping away secret keys or things like that since some people don't see them as password when they read the terms.
I will try to define the terms password at the top in the introduction and review the full page after that to match it.
| **You should:** | ||
|
|
||
| - Use a protected password manager like `KeyPass`, `Apple's keychain`, `Google password` or `Dashlane`. | ||
|
|
There was a problem hiding this comment.
Somewhere in here we should add
| **You should**: | |
| - Use a unique password for each account. A good password manager will help you do this, and you shouldn't even have to memorize each password. |
because one of the most common ways data breaches happen is via password reuse. And I know multiple people in the lab reuse their passwords.
onboarding/password-management.md
Outdated
|
|
||
| **You should:** | ||
|
|
||
| - Destroy paper containing sensible information (crusher or fire depending on the level of sensitivity). |
There was a problem hiding this comment.
Sensible means more like logique
| - Destroy paper containing sensible information (crusher or fire depending on the level of sensitivity). | |
| - Destroy paper containing sensitive information (crusher or fire depending on the level of sensitivity). |
There was a problem hiding this comment.
Oh but also it would be good to keep this page hyperfocused on passwords, so:
| - Destroy paper containing sensible information (crusher or fire depending on the level of sensitivity). | |
| - Destroy papers containing passwords (crusher or fire depending on the level of sensitivity). |
onboarding/password-management.md
Outdated
|
|
||
| **You should not:** | ||
|
|
||
| - Put paper containing sensitive information in the trash without making it unreadable beforehand. |
There was a problem hiding this comment.
| - Put paper containing sensitive information in the trash without making it unreadable beforehand. | |
| - Put paper containing passwords in the trash without making it unreadable beforehand. |
onboarding/password-management.md
Outdated
| ## Deletion of the sensitive information | ||
|
|
||
| Deleting sensitive information is most of the time the forgotten step in the information lifecycle. It is however a crucial step since it is what allows us to ensure that the information will never be more accessible and that we can no longer worry about it. |
There was a problem hiding this comment.
Maybe this section should be deleted, in order to keep this page focused on passwords. This is an important observation, but would fit better in a general data-protection.md page.
I worry it's risky to mention deletion here, because some data we absolutely want to archive, especially data that was used for training ML models, and some data we want to archive but only until our ethics agreements for them expire. The choices about what and when to delete data are something I would leave up to the responsables.
Really, all you're saying here is "if someone gives you a password on paper, burn it once you've used it"?
There was a problem hiding this comment.
This is a really good first draft! Thanks for putting it out there.
Doing good technical writing is really hard. It needs to be articulate, accurate, and yet extremely concise. I think this is like 75% of the way there.
Hopefully we can get some feedback from at least a couple other people too.
|
@kousu I integrated your feedback and updated the screenshot on the PR description to make it easy to review. Little question: is it possible in the actual documentation config to make the link opening in a new tab (ie: target=_blank) ? I would like to put this option on the password manager link (passbolt, keypass, etc..) to avoid that user quit the onboarding when clicking on it. |
Awesome, thanks for thinking of the little things.
You can if you switch to HTML for those links :) |
Do you think I should ? It's better for UX, but also not nice for contribution on the source... I contribute on some MkDocs documentation for differents projects and we have a Would be nice to see if we can make it work or if we can found something similar for us. I think it make the best for both UX & code quality. |
|
I think it's okay to use HTML as needed. Markdown is meant to extend HTML to make it faster, but not to replace it. I did it for the PDFs: https://github.com/neuropoly/neuro.polymtl.ca/blob/f2f7cabb32b3ca0ef1649a9e8fd0f8841d3d54ad/research/rf-and-shim-coil-design.md?plain=1 And we use it for the calendar embed: https://github.com/neuropoly/neuro.polymtl.ca/blob/687b24e0e35601142c3985deb29501738446c51b/events-and-workshops.md?plain=1#L8 But in this case, I am leaning weakly towards not using |
I think it's important but the change of syntax is not worth it. HTML part in the middle of the Markdown always create special case and add more work in refactors. Since it's an internal documentation we could expect that people will take time to open in a new tab or do a middle click with the mouse. |
New on-boarding section to leverage awareness on password management and explain good and bad practice example and solution tool.
Note that I made it the first section of the On-Boarding, I think it's important since newcomers will get password and sensitive information day 1 and I think it's really important they take good habits from start, avoiding keeping grams access on a post-it in their desks for the next 5 years.
Also, I tried to be as generic as possible since it's for everybody. For example I put this little text in place of a paragraph for admin that use
passsince if we begin to add special case the doc will never be updated accordingly and will become more and more complex with the time:Feel free to discuss the content, I tried to make a logic architecture but I didn't got any return on it for the moment.
Actual rendering: updated on July 25th 2022 - 6:24PM
Fixes #35