Nr/how to manage password #66
This can be made more persuasive.
Also: 1Password, Bitwarden. What are the other popular ones?
I know at least a couple of the Linux people use KeePassXC over KeePass. It's solid, though it doesn't sync nicely.
Do we really want to put a FULL list of options? I think people should be able to do research or open a discussion with IT guys who know the area. I don't think adding more and more items to the list will make it clearer for newcomers; however, we could select the best 3-4 we really would like to push internally in place of my current random list.
These should have links to their websites, so people can choose a product if they aren't already using one.
Somewhere in here we should add
because one of the most common ways data breaches happen is via password reuse. And I know multiple people in the lab reuse their passwords.
I think it would be good to distinguish "sensitive information" and "passwords".
There's a plan to make everyone sign an NDA to cover the non-open medical data. Also school policy already says in several places that data should not be disclosed unless authorized, not that we currently make people read those policies during onboarding. That is "sensitive information", but trying to cover all that on this page is going to be too much.
Maybe in the future we will have a page for data protection guidelines (including the NDA?), and we can preface this page with "Everyone is responsible for link-to-data-protection-page. Part of that protection is protecting your accounts and their passwords, to prevent their theft or misuse."
For now, this line should just simply read
Good points. I wanted to use more generic terms to avoid leaving out `secret keys` or things like that, since some people don't see them as passwords when they read the terms. I will try to define the term `password` at the top in the introduction and review the full page after that to match it.
These are good, but maybe too difficult for some people. In a pinch I usually reach for https://privnote.com -- it encrypts and forgets -- or https://dpaste.org/ with the expiry set to one-time. These sites are obviously a risk if their owners decided to exploit us, but they would have to take an interest in us first.
There's also meeting up in person! That's probably better than anything digital!
And in many cases we can use ACLs instead of sharing passwords. We should really, really emphasize that: you don't need to share a password if you can have your account added to a team, like we do with DigitalOcean, GitHub, Google Groups, the YouTube Brand accounts, the shared smb://duke drive that people access using their (individual) GRAMES accounts, etc.
I'm OK with the third-party tools, even if it's important to emphasize that they are a potential threat, so people know it's the easy but not totally secure way.
ACL is clearly the top solution, I will add it.
For meeting in person, IDK if we should add it because it opens a large number of cases:
Dope, thanks.
It might be worthwhile to emphasize that tokens -- like Slack tokens for bots -- are also passwords. Several repos in the past have had credentials uploaded directly to them; https://github.com/neuropoly/meeting_reminder_bot/ doesn't, but it expects you to fill in credentials in its source code, so that should tell you where our thinking as a lab has been at. This is a common mistake organizations make when trying to automate their workflows.
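As an added defender-side illustration (not code from this PR or from the meeting_reminder_bot repository): a minimal pre-commit style check that flags Slack-shaped tokens and credential string literals in source files, so a token pasted into a repo is caught before it is pushed. The `xoxb`/`xoxp`/`xoxa` prefixes are Slack's real token prefixes, but the character classes are a loose approximation, and both sample sources are constructed for this example.

```python
import re
from typing import List, Tuple

# Slack token shapes (xoxb- bot, xoxp- user, xoxa- app). The trailing
# character class is an approximation of the token body, not Slack's spec.
SLACK_TOKEN_RE = re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b")

# A string literal assigned to a variable whose name suggests a credential.
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b(?P<name>[a-z0-9_]*(?:password|passwd|secret|token|api_?key)[a-z0-9_]*)
        \s*[:=]\s*
        (?P<quote>["'])(?P<value>.{6,}?)(?P=quote)""",
    re.VERBOSE,
)

# Values that are clearly placeholders rather than live credentials.
PLACEHOLDER_RE = re.compile(r"(?i)^(?:<.*>|\$\{?\w+\}?|changeme|xxx+|your[_-].*|todo)$")


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, stripped_line) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SLACK_TOKEN_RE.search(line):
            findings.append((lineno, "slack-token", line.strip()))
            continue
        m = ASSIGNMENT_RE.search(line)
        if m and not PLACEHOLDER_RE.match(m.group("value")):
            findings.append((lineno, "credential-literal", line.strip()))
    return findings


# Constructed sample: a bot config with credentials filled into the source.
SAMPLE_BAD = """\
import os
SLACK_TOKEN = "xoxb-000000000000-000000000000-EXAMPLEexampleEXAMPLE"
db_password = 'labpass-2021'
"""

# Constructed sample: the same config reading its secrets from the environment.
SAMPLE_GOOD = """\
import os
SLACK_TOKEN = os.environ["SLACK_TOKEN"]   # injected at deploy time, never committed
db_password = "<set via secrets manager>"  # placeholder, not a credential
"""

if __name__ == "__main__":
    for lineno, kind, text in find_hardcoded_secrets(SAMPLE_BAD):
        print(f"line {lineno}: {kind}: {text}")
```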
Maybe this section should be deleted, in order to keep this page focused on passwords. This is an important observation, but would fit better in a general `data-protection.md` page.
I worry it's risky to mention deletion here, because some data we absolutely want to archive, especially data that was used for training ML models, and some data we want to archive but only until our ethics agreements for them expire. The choices about what and when to delete data are something I would leave up to the responsables.
Really, all you're saying here is "if someone gives you a password on paper, burn it once you've used it"?
"Sensible" means more like "logical".
Oh but also it would be good to keep this page hyperfocused on passwords, so: