1Password

Hero image for 1Password
  • Speaking of secrets management, Vault by Hashicorp has always been the go-to place for all Nimble team members for a while.
  • Using Vault wasn’t too hard but managing it costs us a decent amount of effort: from hosting to security, upgrading and managing SSL certificates for our team usages.
  • We have been using it well without any major incident, but due to the lack of tools provided to integrate with other platforms that most of us use daily (Android or iOS phones, browsers, etc.), it’s time for us to move to a better place that saves us a bit of effort every day and which has, at the same time, a much nicer user experience.
  • We are shutting down the existing vault.nimblehq.co as our Password Manager and we will replace it with a better tool, while still using the same address.

Meet 1Password

  • 1Password is a Password Manager that provides us space for keeping our secrets and sharing them among our teammates with a fine-grained level of permissions.
  • It provides more tooling integrations that help us to save time from memorizing our passwords, secret files or switching over to our vault to lookup and then perform a copy/paste action.
  • It also provides the Watchtower feature that notifies our team when it finds weaknesses from our passwords. The reasons could be:
    • Reusing the same passwords in multiple places.
    • Passwords are not complex enough.
    • Passwords have been compromised somewhere else.

For a complete introduction of 1Password head 👉 HERE.

Our 1Password workspace

  • Everyone at Nimble gets an invitation to join the workspace on the first day or you can request to join our 1Password team here https://nimble.link/security/. Only @nimblehq.co emails will be able to join.
  • For 3rd parties that need access to our vaults, we can have up to 5 guests. Guest access is restricted to a single vault.
  • Sign in after you have joined here https://nimble.1password.com.
  • After joining the Nimble workspace, all members can access our General vault, which is called ‘Nimble - General.
  • A Private vault will be created for your personal use as well. It means nobody can have access to it besides yourself (not even administrators or owners), so feel free to make use of it for your private credentials.

    Your Private vault

Install 1Password

  • In addition to accessing directly from the website, 1Password also provides helpful apps for our needs:
    1. 1Password Chrome Extension, Firefox Add-ons, Safari
    2. 1Password for Android
    3. 1Password for iOS
    4. 1Password for Desktop
    5. and more. Check out 👉 HERE
  • We suggest that you have at least the browser extension from section #1 depending on your default/preferred browser of choice.

  • Read a secret pair of username and password is very straightforward with the simple GUI provided: either from the website or any other apps: navigate to a specific vault that you have the access to view, retrieve the specific key for your own inquiry purpose.
  • Write a secret item is also simple:
    • Pick the vault
    • Choose the appropriate Template (we will talk more about which template you should use. For now, the most common one you can choose from is Login Template).
    • Enter the username/password, and the website the secret should be applied to for the auto-filling helper to work.
  • Delete action is limited to only the vault’s group of administrators. Only the members with admin role can:
    • Move an Item to Trash (remove items temporarily; it can still be recovered)
    • Empty the Trash (remove items permanently), or
    • Delete a vault - this action requires a higher permission.

Using 1Password

Skip this if you are already familiar with the Password manager tools. If this is the first time you heard about it, please keep reading.

The basic usage:

  • In the web browser, after installing the Extension, you will be redirected to a Sign-in screen

    1Password welcome

  • Click Sign In and pick our Nimble workspace. Enter your Master Password

    1Password Signin

  • You will see this icon on your tool bar (without the lock 🔒 after you have signed in)

    1Password Toolbar

  • Now, when you navigate to a website that requires a Login, say for example: https://teamtreehouse.com/signin - a pop-up will show up to suggest a matching login credential stored in one of the vaults that you have access to.

    1Password Treehouse Example

  • If it doesn’t appear, you can also search from the option on the tool bar:

    1Password Treehouse Toolbar

  • On mobile, you can also receive the same support after installing the 1Password app. When you need to enter credentials, 1Password will suggest to fill-in the fields:

    1Password Mobile

Credit Cards:

The Operations Teams will have the company credit cards in their vault assigned to make it easier while doing online payments. Make sure you select the right card. Most of the websites are supported as shown below: 1Password Credit Card Example

Managing 1Password

This section will guide you on how to add an Item to a vault.

Managing Credentials

  • To add an Item:
    • Pick a vault that you have access to to create an item.
    • Click the Add button and choose the type of item you want to add.

      1Password Add Item

    • Depending on what kind of data you have, you can choose the item type accordingly:
      • The basic type is Login.
      • For Documentation or SSH Keys, choose Document.
      • For API Secret ID and Secret Password, choose an API Secret.
    • To add a basic username/password pair, choose Login. Then fill in the 4 most important fields:
      • Title.
      • username.
      • password.
      • website.

      1Password Add Login

    • To add an SSH Key, you must keep them as a Document to ensure the integrity. Simply choose Document type, give it a name and drag the key to upload.

      1Password Add Document

    • For an API Secret to a platform, choose API Secret and fill in:
      • title
      • client_id
      • client_secret
      • url

      1Password Add API Secret

    • For AWS service particularly, we have the AWS Secret item, you will need to fill in:
      • access_key
      • access_secret
      • service

      1Password Add AWS Secret

Admin Management

This section will guide you on how to manage content on 1Password as an administrator.

Vault

  • The naming convention must follow the pattern {Organization} - {Location?} - {Domain}. For example:
    • Nimble - General
    • Nimble - People Operations
    • Nimble - Thailand - Office Operations
    • Nimble - Vietnam - Office Operations
    • {ClientName} - General
    • {ClientName} - Admin
  • Always attach the logo for easier accessibility.
  • Apply Access Permission by Group.
  • Permissions:
    • Admin permissions: full read/write/delete content, but do not allow to manage the vault.

    1Password Admin Permission

    • General permissions: read/write with some limits like no deletion is allowed.

    1Password General Permission

Group

  • A Group is used for grouping members and assigning specific permissions all at once.
  • Naming should follow the 1Password vault’s naming convention. Make it easy to assign people and restrict the permissions accordingly.

    E.g., With a vault named Nimble - General then there must be a group named Nimble - General

  • Always attach the logo for easier accessibility.

Audit

  • The project admin should check the usage report regularly. This is provided on each vault dashboard via the link Create Usage Report

    1Password Usage Report

  • Admin should recheck if there is any unwanted access to any vault/content.

    If you find any suspicious activity, report immediately to the administrator in order to take action.