From 3328210d9d7a83d7d56b6e3bbdbb624ee937d450 Mon Sep 17 00:00:00 2001 From: RignonNoel Date: Wed, 20 Jul 2022 13:18:55 -0400 Subject: [PATCH 1/3] add password management documentation --- onboarding/README.md | 1 + onboarding/password-management.md | 59 +++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 onboarding/password-management.md diff --git a/onboarding/README.md b/onboarding/README.md index 99d388f1..47fc4e3a 100644 --- a/onboarding/README.md +++ b/onboarding/README.md @@ -3,6 +3,7 @@ ```{toctree} :maxdepth: 1 getting-started +password-management campus-access infrastructure dropbox-google-drive diff --git a/onboarding/password-management.md b/onboarding/password-management.md new file mode 100644 index 00000000..f146c213 --- /dev/null +++ b/onboarding/password-management.md 
@@ -0,0 +1,59 @@ +# Password management + +By working in the laboratory you will be close to very sensitive information such as secure access keys and passwords, for personal or group use, allowing you to gain access to servers or critical physical spaces. + +In this context, it is everyone's duty to ensure the security of these sensitive information throughout its use and you should take this responsibility in account in all your actions and decisions. + +For example: + + - Taking a picture inside the lab can lead to sensible information leaking on social's network due to some computer screen, note or post-it in the background of the picture + - Committing files on git without reread can lead to sensible information leaking on the cloud due to config file containing password or keys + +Although we cannot have total security, simple practices and awareness of laboratory members can already avoid a lot of problems. + +## Storage of the sensitive information + +Polytechnique Montreal does not provide a secure password system within the university, this responsibility is therefore distributed to each member of the laboratory. + +**You should:** + + - Use a protected password manager like `KeyPass`, `Apple's keychain`, `Google password` or `Dashlane`. + +**You should not:** + + - Keep sensitive information on physical paper (post-it, printed paper) + - Keep password in clear inside a file in your computer. + - Keep password in clear on a cloud storage (Google Drive, Evernote, ..). + - Keep password in Git repositories + +In place try to save the sensitive information inside a protected password manager and destroy the physical paper. + +## Sharing of the sensitive information + +The sharing of the sensitive information is as much important as the storage of them since it could result in a leak of security. + +**You should:** + + - Use a shared password vault (ie: `Passbolt`, `dashlane`, `lastpass`, ..). 
+ - Discuss this solution with your coworker to see if one already exist or to create a new one that match your needs. + - Use an encryption method to share only the encrypted password. + - Manual encryption (ex: private/public key). + - End-to-end encryption method like `signal` application. + +**You should not:** + - Share password on Slack. + - Share password by email. + - Share password on papers. + - Share password on Github. + +## Deletion of the sensitive information + +Deleting sensitive information is most of the time the forgotten step in the information lifecycle. It is however a crucial step since it is what allows us to ensure that the information will never be more accessible and that we can no longer worry about it. + +**You should:** + + - Destroy paper containing sensible information (crusher or fire depending on the level of sensitivity). + +**You should not:** + + - Put paper containing sensitive information in the trash without making it unreadable beforehand. From 875c2796a3b86849f3600859851cecb9b3336235 Mon Sep 17 00:00:00 2001 From: RignonNoel Date: Wed, 20 Jul 2022 13:19:10 -0400 Subject: [PATCH 2/3] add IntelliJ config file in .gitignore --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index 15b94014..b367771a 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,6 @@ __pycache__/ .DS_Store Thumbs.db + +# IDE custom config file +.idea From a8b1c6e7386383f9118f7ceb28d4ca05f98a0bc0 Mon Sep 17 00:00:00 2001 From: RignonNoel Date: Mon, 25 Jul 2022 18:23:46 -0400 Subject: [PATCH 3/3] integration of Kousu feedback --- onboarding/password-management.md | 49 +++++++++++++++++++++---------- 1 file changed, 34 insertions(+), 15 deletions(-) diff --git a/onboarding/password-management.md b/onboarding/password-management.md index f146c213..63f52d62 100644 --- a/onboarding/password-management.md +++ b/onboarding/password-management.md 
@@ -11,49 +11,68 @@ For example: Although we cannot have total security, simple practices and awareness of laboratory members can already avoid a lot of problems. -## Storage of the sensitive information +```{note} +In the following documentation, the word "password" is used for any "secret" phrase, like "secret key", +"secret tokens", "password" or "passphrase" that help to gain access to private access. Sensitive information +of research (patients data, NDA covered data, etc..) are not covered by this documentation. +``` -Polytechnique Montreal does not provide a secure password system within the university, this responsibility is therefore distributed to each member of the laboratory. +## Storage of the passwords + +Polytechnique Montreal does not provide a secure password system within the university, but NeuroPoly expects members of the laboratory will use password managers for all accounts granted as part their work with us. **You should:** - - Use a protected password manager like `KeyPass`, `Apple's keychain`, `Google password` or `Dashlane`. + - Use a unique password for each account. + - A good password manager will help you do this, and you shouldn't even have to memorize each password. + - Use an encrypted password manager like [KeyPass](https://keepass.info/), [Passbolt](https://www.passbolt.io/), [Google password](https://passwords.google.com/) or [Dashlane](https://www.dashlane.com/). **You should not:** - - Keep sensitive information on physical paper (post-it, printed paper) - - Keep password in clear inside a file in your computer. - - Keep password in clear on a cloud storage (Google Drive, Evernote, ..). - - Keep password in Git repositories + - Keep passwords on physical paper (post-it, printed paper) + - Keep passwords in clear inside a file in your computer. + - Keep passwords in clear on a cloud storage (Google Drive, Evernote, ..). 
+ - Keep passwords in Git repositories -In place try to save the sensitive information inside a protected password manager and destroy the physical paper. +In place try to save the passwords inside an encrypted password manager and destroy the physical paper. -## Sharing of the sensitive information +## Sharing of the passwords -The sharing of the sensitive information is as much important as the storage of them since it could result in a leak of security. +The sharing of the passwords is as much important as the storage of them since it could result in a leak of security. **You should:** + - Always try to use per-user account if it's available and share access by adding other members into the team/group + - Ex: Youtube, Github, DigitalOcean - Use a shared password vault (ie: `Passbolt`, `dashlane`, `lastpass`, ..). - Discuss this solution with your coworker to see if one already exist or to create a new one that match your needs. - Use an encryption method to share only the encrypted password. - Manual encryption (ex: private/public key). - End-to-end encryption method like `signal` application. + - Use a third-party encryption service like [privnote](https://privnote.com/) or [dpaste](https://dpaste.org/) + - Note that these sites could be a risk if their owners decided to exploit us, they are "accepted" solution **You should not:** - Share password on Slack. - Share password by email. - Share password on papers. - - Share password on Github. + - Share password or secret keys/tokens on Github. + +## Deletion of the passwords -## Deletion of the sensitive information +Deleting passwords is most of the time the forgotten step in the information lifecycle. It is however a +crucial step since it is what allows us to ensure that the information will never be more accessible and +that we can no longer worry about it. -Deleting sensitive information is most of the time the forgotten step in the information lifecycle. 
It is however a crucial step since it is what allows us to ensure that the information will never be more accessible and that we can no longer worry about it. +```{warning} +This section does not cover data of research like ML data or patient sensitive information. We are speaking +about passwords like the one you get from polytechnique on your first days or that people shared with you on paper. +``` **You should:** - - Destroy paper containing sensible information (crusher or fire depending on the level of sensitivity). + - Destroy papers containing passwords (crusher or fire depending on the level of sensitivity). **You should not:** - - Put paper containing sensitive information in the trash without making it unreadable beforehand. + - Put papers containing passwords in the trash without making it unreadable beforehand.
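Review bot: In the new `onboarding/password-management.md` hunk of PATCH 1/3, the password manager list spells the product `KeyPass`; the project is KeePass (the URL later added in PATCH 3/3 is keepass.info), so the name should be corrected before it is copied into other onboarding pages. The same hunk has "sensible information" in the two "For example" bullets and in "Destroy paper containing sensible information", which should read "sensitive information", and "social's network" should be "social networks". The "Committing files on git without reread" example would also benefit from one sentence stating that a password or key that has been pushed must be treated as compromised and rotated, because removing the file in a later commit does not remove it from the repository history; as written, the bullet describes the leak but not what the reader has to do afterwards.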
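Review bot: In the `.gitignore` hunk of PATCH 2/3, `.idea` is a directory, so the conventional pattern is `.idea/` (the trailing slash restricts the match to directories and makes the intent explicit), and the comment "# IDE custom config file" should say "directory" or "files" to match.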
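Review bot: In the PATCH 3/3 hunk, the new bullet "Use a third-party encryption service like [privnote](https://privnote.com/) or [dpaste](https://dpaste.org/)" is inconsistent with the rule two bullets above it ("Use an encryption method to share only the encrypted password"): a paste service such as dpaste stores the pasted text readable on the operator's server and serves it to anyone holding the link, so it is not an encryption service and should not be listed as one. Suggest either dropping dpaste or narrowing the bullet to services that encrypt in the browser before upload and delete the note after first read, and rewriting the follow-up line ("Note that these sites could be a risk if their owners decided to exploit us, they are "accepted" solution") to state plainly that the password is being entrusted to that operator and must be rotated if the link is ever exposed. Smaller points in the same hunk: the `{note}` admonition reads "that help to gain access to private access", which should be "that grants access to a private resource"; "as part their work with us" is missing "of"; the link text `KeyPass` still does not match the keepass.info target; and Passbolt now appears both in the personal password manager list and in the shared vault list, so the storage section could say which use is meant.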