Password Manager Onboarding

Hi team!

Welcome to phase one of an exercise intended to help us be more secure as an organisation. There are several actions required on your behalf - this tool should make it very clear what they are, and guide you through them

The purpose of this exercise is two-fold:

1. Protect our organisation from malicious attempts to gain access to company data.
2. Protect sensitive user data from being accessed by anyone outside the organisation and uphold our requirements under local data protection regulations.

In short:

• The most common way that an organisation's data becomes compromised is when someone from outside the organisation gains access to one of the accounts of someone within the organisation.
• We use multiple services for internal collaboration and productivity - these contain lots of user data and sensitive information.
• We are only as strong as our weakest link, and right now there are several hundred potential links between our data and the outside world.
  • These potential weak links are in the form of staff user logins. We have 63 internal users, each with 6 to 7 logins for important services such as Gmail, Asana, Slack, FCC, Metabase, Airtable, Notion. 63 x 7 = 441 passwords.
• The aim of this exercise is to reduce the total number of these logins, and ensure the ones we have are super secure.

Desired Outcomes

1. By the end of this exercise, you should have two secure passwords that you have memorised very well and will not forget. 

These are:

1. The password you use to sign in to your work device(s).
2. The password you use to sign in to your password manager (Lastpass).

2. You should also be very familiar with standard security practice within First Circle, particularly in relation to storing and sharing passwords.

This is laid out below. Please read through this in detail as you will be quizzed on it at our upcoming town hall.

OK, lets get started

Click "Complete Task" and "Next" to continue

ℹ Please read and ensure you are super familiar with the practices below. They are very important to ensure our secure operation as a business. 

Password Sharing

• Where possible, we refrain from sharing passwords unless absolutely necessary. Most services that we use allow us to create individual user accounts for each member, rather than multiple people sharing the same login. Some notable exceptions to this:
  • Cases where creates lots of individual user accounts is unnecessary and creates a very high bill
  • Our internal wifi network - of course the password to this will need to be shared.
• In the event when we need to share a password, we do not, under any circumstances, share passwords with one another in plain view, in plain text. This includes writing passwords into Slack chats or asana tasks, saving them in Evernote notebooks, and writing them down on pieces of paper or printing them out. Methods we can use to share passwords:
  • Use the Lastpass "Shared Folder" functionality.
  • When this is not viable, copy the password from Lastpass into onetimesecret.com and send the generated link to the recipient.

Office Wifi Network

• The password for our main network should never be shared with anyone outside the organisation, for any reason. 
• The password for our main network should never be stored in plain text anywhere - either on paper or on a computer - the only time it should ever be typed into a computer is when it's being entered into the password field.

Work Machines

• Everyone is required to have a password to their main work machine which passes our password security requirements.
• Your work machine should never, for any reason, be left unlocked in a public area. This includes public areas within the office, where customers or external contractors may be present.

Password Strength Guidelines

This step will guide you through the process. Please ensure you read each section carefully and complete the required actions. 

A strong password:

• Is one you do not use for any other services
  • This is because if one of these other services gets hacked, then your email address and password combination will likely be sold and can be tried on all of the services you use.
• Is long - the longer the better
  • This is because longer passwords are difficult to brute force (keep guessing over and over). An optimum minimum length is 15 characters.
• Is memorable to you, but not easily guessable.
  • The most common passwords in the world are: 
    • 123456, Password, 12345678, qwerty, 12345, 123456789, letmein, 1234567
  • As you can see, these passwords contain patterns in numbers and keyboard layout. Do not use a password that does this.

ℹ A trick I've used in the past is to pick a not-very-well-known song lyric that I like, and replace some of the characters with numbers - something like: n3verg0nnag1v3youup. This is long - yes - but easy to remember and type - and the idea is that you don't have to type it very often.

Once you've read the above, click "Complete Task" and "Next" to continue

Warning: Your Lastpass master password is super important. It needs to be very secure, and you also need to remember it because if you forget it, you will get locked out of all of your other accounts too.