Nr/how to manage password #66

Open
wants to merge 3 commits into master
Changes from 2 commits
3 changes: 3 additions & 0 deletions .gitignore
@@ -5,3 +5,6 @@ __pycache__/

.DS_Store
Thumbs.db

# IDE custom config file
.idea
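Review bot: the `.idea` entry is unrelated to the password-management page this PR adds and would be cleaner in its own commit; if it stays, write it as `.idea/` so that only the directory is ignored, matching the style of the existing `__pycache__/` entry in the same hunk.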
1 change: 1 addition & 0 deletions onboarding/README.md
@@ -3,6 +3,7 @@
```{toctree}
:maxdepth: 1
getting-started
password-management
campus-access
infrastructure
dropbox-google-drive
59 changes: 59 additions & 0 deletions onboarding/password-management.md
@@ -0,0 +1,59 @@
# Password management

By working in the laboratory you will be close to very sensitive information such as secure access keys and passwords, for personal or group use, allowing you to gain access to servers or critical physical spaces.

In this context, it is everyone's duty to ensure the security of these sensitive information throughout its use and you should take this responsibility in account in all your actions and decisions.

For example:

- Taking a picture inside the lab can lead to sensible information leaking on social's network due to some computer screen, note or post-it in the background of the picture
- Committing files on git without reread can lead to sensible information leaking on the cloud due to config file containing password or keys
RignonNoel marked this conversation as resolved.

Although we cannot have total security, simple practices and awareness of laboratory members can already avoid a lot of problems.

## Storage of the sensitive information

Polytechnique Montreal does not provide a secure password system within the university, this responsibility is therefore distributed to each member of the laboratory.
Member

This can be made more persuasive

Suggested change
Polytechnique Montreal does not provide a secure password system within the university, this responsibility is therefore distributed to each member of the laboratory.
Polytechnique Montreal does not provide a secure password system within the university, but NeuroPoly expects members of the laboratory will use password managers for all accounts granted as part their work with us.


**You should:**

- Use a protected password manager like `KeyPass`, `Apple's keychain`, `Google password` or `Dashlane`.
Member
@kousu kousu Jul 21, 2022

Also: 1password, Bitwarden. What are the other popular ones?

I know at least a couple of the linux people use KeyPassXC over KeyPass. It's solid, though it doesn't sync nicely.

Contributor Author

Do we really want to put a FULL list of options? I think people should be able to do research or open a discussion with IT guys who know the area. I don't think adding more and more items to the list will make it clearer for newcomers; however, we could select the best 3-4 we really want to push internally in place of my current random list.

Member

These should have links to their websites, so people can choose a product if they aren't already using one.

Member
@kousu kousu Jul 21, 2022

Suggested change
- Use a protected password manager like `KeyPass`, `Apple's keychain`, `Google password` or `Dashlane`.
- Use an encrypted password manager like `KeyPass`, `Apple's keychain`, `Google password` or `Dashlane`.


Member

Somewhere in here we should add

Suggested change
**You should**:
- Use a unique password for each account. A good password manager will help you do this, and you shouldn't even have to memorize each password.

because one of the most common ways data breaches happen is via password reuse. And I know multiple people in the lab reuse their passwords.

**You should not:**

- Keep sensitive information on physical paper (post-it, printed paper)
Member

I think it would be good to distinguish "sensitive information" and "passwords".

There's a plan to make everyone sign an NDA to cover the non-open medical data. Also school policy already says in several places that data should not be disclosed unless authorized, not that we currently make people read those policies during onboarding. That is "sensitive information", but trying to cover all that on this page is going to be too much.

Maybe in the future we will have a page for data protection guidelines (including the NDA?), and we can preface this page with "Everyone is responsible for link-to-data-protection-page. Part of that protection is protecting your accounts and their passwords, to prevent their theft or misuse."

Member

For now, this line should just simply read

Suggested change
- Keep sensitive information on physical paper (post-it, printed paper)
- Keep passwords on physical paper (post-it, printed paper)

Contributor Author

Good points. I wanted to use a more generic term to avoid leaving out secret keys and things like that, since some people don't see them as passwords when they read the term.

I will try to define the term "password" at the top, in the introduction, and review the full page after that to match it.

- Keep password in clear inside a file in your computer.
- Keep password in clear on a cloud storage (Google Drive, Evernote, ..).
- Keep password in Git repositories

In place try to save the sensitive information inside a protected password manager and destroy the physical paper.

## Sharing of the sensitive information

The sharing of the sensitive information is as much important as the storage of them since it could result in a leak of security.

**You should:**

- Use a shared password vault (ie: `Passbolt`, `dashlane`, `lastpass`, ..).
- Discuss this solution with your coworker to see if one already exist or to create a new one that match your needs.
- Use an encryption method to share only the encrypted password.
- Manual encryption (ex: private/public key).
- End-to-end encryption method like `signal` application.
Member

These are good, but maybe too difficult for some people. In a pinch I usually reach for https://privnote.com -- it encrypts and forgets -- or https://dpaste.org/ with the expiry set to one-time. These sites are obviously a risk if their owners decided to exploit us, but they would have to take an interest in us first.

Member

There's also meeting up in person! That's probably better than anything digital!

Member
@kousu kousu Jul 21, 2022

And in many cases we can use ACLs instead of sharing passwords. We should really, really emphasize that: you don't need to share a password if you can have your account added to a team, like we do with DigitalOcean, GitHub, Google Groups, the YouTube Brand accounts, the shared smb://duke drive that people access using their (individual) GRAMES accounts, etc.

Contributor Author

I'm OK with the third-party tools, even if it's important to emphasize that they are a potential threat, so people know it's the easy but not totally secure way.

ACLs are clearly the top solution; I will add it.

For meeting in person, IDK if we should add it, because it opens up a large number of cases:

  • If the password is easy, it's OK, but it will become hard to sync if it changes, and the problem repeats itself
  • If the password is hard, they will need to copy/paste it, and that opens up the whole physical-security area that I think we prefer to avoid inside the lab (USB key, drive; network communication is clearly complex to explain to normal users)

Member

Dope, thanks.


**You should not:**
- Share password on Slack.
- Share password by email.
- Share password on papers.
- Share password on Github.
Member

It might be worthwhile to emphasize that tokens -- like Slack tokens for bots -- are also passwords. Several repos in the past have had credentials uploaded directly to them; https://github.com/neuropoly/meeting_reminder_bot/ doesn't, but it expects you to fill in credentials in its source code, so that should tell you where our thinking as a lab has been at. This is a common mistake organizations make when trying to automate their workflows.

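The point made in the comment above, that tokens and keys are passwords and keep ending up in repositories, is usually enforced with a pre-commit secret scan rather than by asking people to reread their diffs. The script below is an added example for this thread, not code from this PR or from the NeuroPoly repository. The AWS, GitHub and Slack token prefixes it matches are those services' public documented formats; the generic `password = ...` rule, the placeholder list and the sample config file are assumptions constructed for the example, and the generic rule will produce some false positives, which is the right trade-off for a check that runs before a commit.

```python
"""Minimal pre-commit secret scanner (added example; assumptions noted inline).

Flags lines that look like credentials (cloud access keys, bot tokens, private
keys, hard-coded "password = ...") before the commit lands. Token prefixes are
the public documented formats; the generic rule and placeholder list are
heuristics; SAMPLE_CONFIG is constructed and every credential in it is fake.
"""
import re
import subprocess
import sys
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    snippet: str  # redacted, so the scanner's own output does not leak the secret


# Well-known credential shapes, checked first.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Generic "name = value" where the name suggests a secret and the value is at
# least 8 non-blank characters. Heuristic, not a documented format.
ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)

# A value read from the environment, or an obvious placeholder, is the correct
# way to write config and is not reported (assumed list, extend as needed).
REFERENCE_PREFIXES = ("os.environ", "os.getenv", "process.env", "${", "$", "<")
PLACEHOLDERS = ("changeme", "example", "redacted", "xxxx", "your_", "todo")


def looks_like_placeholder(value: str) -> bool:
    low = value.lower()
    return low.startswith(REFERENCE_PREFIXES) or any(p in low for p in PLACEHOLDERS)


def redact(secret: str) -> str:
    """Keep a short prefix for triage, mask the rest."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        specific_hit = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append(Finding(path, line_no, kind, redact(match.group(0))))
                specific_hit = True
        if specific_hit:
            continue  # do not report the same line again under the generic rule
        match = ASSIGNMENT.search(line)
        if match and not looks_like_placeholder(match.group(1)):
            findings.append(Finding(path, line_no, "assigned_secret", redact(match.group(1))))
    return findings


def scan_files(paths: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


def staged_files() -> List[str]:
    """Files added, copied or modified in the index: what the commit will contain."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


# Constructed sample of a file that gets committed by mistake; all values are fake.
SAMPLE_CONFIG = """\
# settings.py - copied from a teammate
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
SLACK_BOT_TOKEN = "xoxb-0000000000-0000000000-FAKEfakeFAKEfakeFAKEfake"
GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
db_password = "Tr0ub4dor&3xample"
db_password = os.environ["DB_PASSWORD"]   # correct: read at runtime, not stored
api_key = "CHANGEME_before_running"         # placeholder, not a leak
-----BEGIN OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    # As a pre-commit hook: scan the index and refuse the commit on any finding.
    # With --demo, scan the constructed sample instead of the git index.
    hits = scan_text(SAMPLE_CONFIG, "sample") if "--demo" in sys.argv else scan_files(staged_files())
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.snippet}")
    sys.exit(1 if hits else 0)
```

Wired in as `.git/hooks/pre-commit`, a non-zero exit blocks the commit; the environment-variable and placeholder lines in the sample pass, which matters because "read the token from the environment" is exactly the pattern the bot repository mentioned above should be using instead of credentials in source.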

## Deletion of the sensitive information

Deleting sensitive information is most of the time the forgotten step in the information lifecycle. It is however a crucial step since it is what allows us to ensure that the information will never be more accessible and that we can no longer worry about it.
Member

Maybe this section should be deleted, in order to keep this page focused on passwords. This is an important observation, but would fit better in a general data-protection.md page.

I worry it's risky to mention deletion here, because some data we absolutely want to archive, especially data that was used for training ML models, and some data we want to archive but only until our ethics agreements for them expire. The choices about what and when to delete data are something I would leave up to the responsables.

Really, all you're saying here is "if someone gives you a password on paper, burn it once you've used it"?


**You should:**

- Destroy paper containing sensible information (crusher or fire depending on the level of sensitivity).
Member

Sensible means more like logical

Suggested change
- Destroy paper containing sensible information (crusher or fire depending on the level of sensitivity).
- Destroy paper containing sensitive information (crusher or fire depending on the level of sensitivity).

Member

Oh but also it would be good to keep this page hyperfocused on passwords, so:

Suggested change
- Destroy paper containing sensible information (crusher or fire depending on the level of sensitivity).
- Destroy papers containing passwords (crusher or fire depending on the level of sensitivity).


**You should not:**

- Put paper containing sensitive information in the trash without making it unreadable beforehand.
Member

Suggested change
- Put paper containing sensitive information in the trash without making it unreadable beforehand.
- Put paper containing passwords in the trash without making it unreadable beforehand.
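Review bot: before merge, fix the product-name and spelling slips in the new page: `KeyPass` is `KeePass` (the comment above that mentions `KeyPassXC` refers to KeePassXC), `sensible information` should be `sensitive information` as already suggested, `Apple's keychain` and `Google password` should be written as the products' names with links as another comment asks, and `In place try to save the sensitive information` should read `Instead, save the passwords`. In the Sharing section, put the access-control option raised in review first: adding a member's own account to the team or group means there is no shared secret to leak or to rotate when someone leaves, and the shared vault should be presented as the fallback for cases where a single credential is unavoidable. The `You should not` lists should state that API tokens, SSH private keys and bot credentials are passwords, since the review notes that repositories have had credentials committed, and a pre-commit secret scan is more reliable than the page's `without reread` advice. Finally, the Deletion section as written only covers paper; either fold those two bullets into the Storage section or retitle it so it does not read as a data-deletion policy, which a reviewer flags as something the responsables decide.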