When signing up for a new service ask yourself which team members you need to share access with. There are three types of account access for these services, Individual, OAuth, and Single. All Individual and OAuth account services have a secure note in the 'Shared' vault. This note lists the administrators you can contact to gain access to the service for Individual services or lists the account you can use to get access for OAuth services. During onboarding you should be added to all relevant Individual services by default.
Individual services (created manually per person, such as our Google accounts): keep your credentials to yourself by storing them in your 'Personal' vault in the GitLab 1password account.
OAuth services (authentication through GitLab or Google accounts, such as for grafana).
Single services (services that don't allow individual accounts or where it is too expensive): store the credentials in an appropriate company 1Password vault ('Shared' or otherwise) so that your colleagues can sign in using the same credentials.
If 2FA should be on for the new user account, make sure to store recovery codes in the login, and use 1Password TOTP.
If you need to give more people access to credentials move them to a vault that they can access. Never duplicate credentials! If needed put them in the 'Shared' vault that the whole company can access or make a suggestion to create a new vault in the "1Password Shared Folders" Google Sheet. Do not share passwords on a per person basis by sharing them via 1Password, this makes it hard to reason about the sharing and doesn't change when the responsibilities change.
Do not copy passwords from inside a 1Password vault to a personal password vault or other password store. 1Password should be the only password vault used for teams. Team passwords should not be duplicated and potentially exposed to compromise in personal password vaults.
When asked security questions (what is your favorite pet, etc.) do not answer truthfully since that is easy to research. Make up an answer and write both the question and answer in 1Password.
Do not share credentials via email, issue comments, chat etc. This includes email addresses to login and API keys. Use 1Password vaults for this. You will be invited to applicable vaults after joining the company.
If you want to see your vaults or ask to be added to a new one please leave a comment in the "1Password Shared Folders" Google Doc.
Refer to the items with NAME_OF_SITE credentials in VAULT_NAME. For example: "for access please see the AOL credentials in the Luddite vault".
Do not store credentials in a vault if everyone has their own user account for the service.
Do not let your password manager store the master password. It is okay to store the login.
Do not allow your web browser (e.g. Chrome, Safari) to store passwords when prompted. This presents an unnecessary risk and is redundant as 1Password should serve as the sole password management application.
Enable two-factor authentication (2FA) with 1Password TOTP for your Google, Slack, GitLab.com, and dev.gitlab.org accounts.
You can also consider using a Yubikey with GitLab.
Use Full-Disk Encryption on your work computer and phone. Mac users may use FileVault (for details, refer to Apple Support) and GNU/Linux users may use LUKS (for the basic idea, refer to the Arch Linux Wiki). Closing the lid of your laptop, and thus suspending it to RAM, does NOT protect you, even if your hard drive is encrypted. Power off your computer completely (don’t just suspend it) when you think it’s at risk of falling into someone else’s hands, like right before going through customs when entering a new country. This defends against memory-based attacks. Read more on the matter in this article.
Set up a screen saver with password lock on your laptop. The timeout can depend on how you use your laptop.
Never leave your unlocked computer unattended. Activate the screensaver, lock the desktop, or close the lid.
If you like to backup your computer make sure the backup drive is encrypted and use a strong password.
Never dismiss a security report as invalid. Keep asking questions until the researcher comes to the same conclusion or stops responding.
Do not forward company emails (@gitlab.com) to a non-company email address.
Do not click on links in emails you did not request yourself (requested password reset is OK, anything else is suspect). Exception: During the onboarding process you may receive account registration emails for various services GitLab uses. Before clicking these links confirm with People Operations that they initialized the process. Clicking itself is a problem even when you don't enter a password, because a visit can already be used to execute a 0-day attack. We simulate phishing attacks by having an external service send emails to our company email addresses to ensure everyone is aware of the threat.
Do not install software with many known security vulnerabilities (as listed in the handbook). When in doubt, do not install until after checking with the team by discussing in an issue, and then document the verdict in the handbook.
1Password is a password manager. Ideally you memorize one strong password - hence the name - and let 1Password generate and manage strong, unique passwords for every site for which you have a login.
Following this guide, it will be helpful to understand a few terms we'll be using throughout.
App: A native 1Password application (OSX, iOS, Windows, Android).
Extension: A web browser extension/plugin that communicates with the App to provide access to your passwords securely without leaving the browser.
Vault: What 1Password calls any grouping of secure data, such as logins or secure notes. Sometimes called a "keychain".
1Password can be used in two different ways - as a standalone application (by purchasing a standalone license) or as a hosted service (by subscribing). GitLab uses 1Passwords for Teams which is a hosted service.
1Password for Teams stores all Vaults on the 1Password servers and allows for sharing between multiple people on the same team.
Everyone at GitLab should already be signed up for our Teams account. This gives you access to the web interface, allowing you to view the Vaults we've configured and given you access to.
In addition to the shared vaults such as Shared, Support, Marketing, each member of the team has a vault called Personal which only you can see, and allows you to store personal credentials within our team's account.
To really get the full benefit of 1Password, you'll need to hook our Teams account up to one of the native apps.
Adding the GitLab Team to a 1Password app
This guide will cover setting up the OSX app. It's their lead platform and is the most up-to-date. These instructions may or may not work for the Windows version.
Click "Sign in to your 1Password account" button. If there is no such button please follow the instructions for updating 1Password.
Now you'll need the Emergency Kit PDF that 1Password told you to save when you registered your Teams account.
If you saved it as a digital PDF file:
Open the PDF file
Click Scan QR Code
Drag the scanner window over the QR code on the PDF sheet
If you printed the PDF:
Click Sign In Manually
For Team URL enter gitlab.1password.com
For Account Key enter the Account Key from your Emergency Kit
For Email Address enter your @gitlab.com email
For Master Password enter the password to your Teams account (not the password you created above when you chose "I'm a new user")
After the Team is added, you should see some notifications about vaults being added to 1Password. By default you'll have Shared and Personal, and may have access to others.
Updating 1Password to support the Teams feature
Read this section only if you could not follow the instructions in "Adding the GitLab Team to a 1Password app" section.
At the prompt, choose "I'm a new user". Note: This is one source of confusion. "I created my Teams account, I'm not new!" Just go with it.
Enter a master password, confirmation, and hint. This can (and should) be different from the password you used for our Teams account. This password gates access to your local, private Vault on your computer and/or phone.
Skip over the remaining dialogs (syncing, newsletter, etc.)
You should now have an empty vault called Primary.
Because the Teams feature is not available in your current version of 1Password, we need to update the app to the latest version:
Go to Preferences
Go to Updates
Click Check Now
Install the update and relaunch
After relaunch, go to Preferences again
Go to Teams
Click the + icon
Click the Vault Selector in the upper-left corner of the window:
Personal is your remote, private vault that is synced to the GitLab 1Password for Teams account, and can not be viewed by anyone else on the team, including admins.
Shared is a vault that everyone on the GitLab Teams account has access to both read and write.
Go to Browser extensions and install the extension for whatever browser you're using. You should not need a beta version here.
With the extension installed, you should be able to go to a site that has credentials stored in our Team vault and log in:
If you don't see the site listed in the results window, make sure you're using the correct vault:
When 1Password detects a login form submission, it may ask if you want to save the login with a dialog like this:
If you do want to save it, make sure the appropriate Vault is selected first.
This means that if you are planning to use both GitLab team account and a separate individual account you should first sign in to the individual account. By doing this you will be able to unlock 1Password app using Master Password of the individual account.
1Password for your private passwords
You are encouraged to use 1Password for your private passwords, not related to your work at GitLab. This makes it less likely for a security breach to occur. You can purchase a standalone license or start an individual subscription. While under the GitLab team subscription, it is also possible to create and use a personal local vault (same features of a standalone license, without the cost).
Please bear in mind that if you decide to purchase a standalone license or create a personal local vault, your data is stored only in a local folder on your computer. You can optionally sync this folder to Dropbox or iCloud (if you are using a Mac/iOS) to make it available on your phone's 1Password app, or on another computer.
Signing up for a subscription seems to be the solution now recommended by the company behind 1Password.
To create a personal local vault:
Go to Preferences
Go to Advanced
Under Local Vaults, check Allow creation of vaults outside of 1Password accounts
Enter your Master Password
A new local vault (Primary) is created outside the GitLab team account
If you want to setup sync for your new local vault, go to Preferences > Sync
Two Factor Authentication and Time-based One Time Passwords
There are several ways to get your Two Factor Authentication (2FA) codes. You can get them sent via SMS or use an app like Google Authenticator to generate them. 1Password provides an alternative solution that does not require using your smartphone: 1Password Time-based One Time Passwords (TOTP). 2FA codes are displayed directly in the 1Password app running on your laptop.
To enable TOTP for a saved account:
Open 1Password app
Go to the item for which you want to set up TOTP
Click Edit in the bottom right corner
Click 3 dots icon
Select One-Time Password
Click QR code icon that appeared
Scan QR code using the transparent window
2FA code should be displayed now
Please refer to the 1Password blog for more information on how TOTP works.
If scanning of QR code using the tranparent window with 1Password Mac app fails on a recent Mac OS, please consider to use 1Password iOS app which could do the same and support Touch ID to login.
This is an example of how Robert, one of our developers, uses 1Password:
Once you fully commit to using 1Password to manage all of your security information, it really does make life easier.
I memorize one strong password and let the app generate everything else. Every site I use has a unique password that I can't compromise because I don't even know it, and a hacked site can't compromise it because the password is never re-used on another site.
I store my shipping and credit card info in 1Password and use the browser extension to quickly fill out shipping and billing information on shopping sites.
I store my passport data, along with a digital scan, in 1Password; drivers license info and scan; insurance info; software license keys; any important information that needs to be secure but still easily accessible when I need it, from anywhere. I sync my personal vault to my personal Dropbox so it's available on my phone, tablet, laptop, and desktop.
Even my 1Password for Teams account information is stored in my personal Primary vault, with the Emergency Kit PDF as a secure attachment:
I have no idea what the password is. I've never actually typed it. And that's the idea.
Security Awareness Training
During their first two weeks at GitLab new team members should receive an email with links to Security Awareness Training. This training covers how to recognize phishing attacks, how to safely use public wireless networks, and some general security tips and principles.
GitLab conducts routine phishing tests using a third-party testing platform. All team members will occasionally receive emails that are designed to look like legitimate business-related communications but will in actuality be simulated phishing attacks. Real phishing attacks are designed to steal credentials or trick the recipient into downloading or executing dangerous attachments. No actual attempts will be made by GitLab or the third-party testing site to steal credentials or execute malicious code.
The goal of these campaigns is not to catch people clicking on dangerous links or punish those who do, but rather to get people thinking about security and the techniques used by attackers via email to trick you into running malicious software or disclosing web passwords. If you fall victim to one of these simulated attacks feel free to take the training courses again or to ask the security team for more information on what could've been done to recognize the attack. What you shouldn't do is feel any shame for having clicked on the link or entered any data, nor should you feel like you need to cop to the security team and let them know you made a mistake. Making a mistake online is practically the reason the Internet was invented.
What to do if you suspect an email is a phishing attack
Whether you believe that you have received an email from our testing platform or you believe you have received a real phishing attempt, the best thing to do is to delete the email. GMail also offers the option to report the email directly to Google as a phishing attempt which will result in its deletion. If you suspect that the email is targeted specifically at you or GitLab, please notify the security team so it can be investigated. You can also notify other team members via Slack. If you forward the phishing email to the security team please do so as an attachment and not inline. To forward the email as an attachment from inside GMail:
In the reply options choose "show original"
Choose "download original"
Save to your local drive or Google Drive
Create a new email with the saved email as an attachment
If you receive an email that appears to come from a service that you utilize, but other details of the email are suspicious – a private message from a sender you don't recognize, for example – do not click on any links in the email. Instead, use your own bookmark for the site or manually type the address of the website into your browser.