Password Security

Password Security Crib Sheet

  • Use a password manager and create strong, random passwords.

  • Don't share your passwords with anyone else.

  • Use two-factor authentication for every service that supports it.

Password Security - The Long Version

Please familiarize yourself with Creating Strong Passwords

All of the passwords you create at Glitch should be strong, generated, and distinct. To facilitate this, install and use your password manager of choice for all of your passwords.

Here are some that we like:

FYI you can expense the cost of your password manager!

In addition to the password manager, use 2FA whenever it's possible for you to do so. You may use the 2FA manager of your choice, and here are some that we like:

  • Google Authenticator (app)
  • Authy (app)
  • YubiKey (physical token) [More on this below]

Please avoid using SMS-based 2FA; it's less secure than a dedicated app or physical token.

Where possible we will set technical policies to enforce the use of 2FA. Some services may have no way to enforce it. In such cases, we trust you to follow the policy and enable 2FA.

LastPass: Sharing Passwords and Sensitive Information

Sometimes you have to share passwords and/or sensitive information. We use LastPass to share this information. The features of the unpaid plan are:

  • Access on multiple devices
  • Multi-Factor Authentication
  • Browser Extension with Autofill
  • Password revocation
  • Sharing of hidden passwords
  • Multi-password/Vault sharing

If you need a password/credential in the future, please sign up using your using your @glitch email address. Premium plans are available for reimbursement on a need-based case. To request, please use the Main Request app.

YubiKeys for 2FA

A YubiKey is a physical authentication token that can be used for two-factor authentication instead of using a smartphone authenticator app. Using a physical token is generally more secure. We especially recommend using a YubiKey if you have administrative AWS access, since AWS credentials are particularly juicy targets.

Our recommended YubiKey models support several protocols. They support TOTP, which means you can use it anywhere you would use Google Authenticator; and U2F, which is a newer protocol specifically for physical security keys.

To use a YubiKey, you plug it in to your computer and launch the Yubico Authenticator app; it will then behave similarly to Google Authenticator. However, the cryptographic secrets used to generate your 2FA codes will not leave the YubiKey.

Certain services, such as Google, also support the U2F protocol. This lets you use a security key directly as a second factor for login, without having to type a 2FA code.

Picking a YubiKey

If you already have a previous-generation YubiKey and you're happy with it, feel free to keep using it. If you're getting a new one, you can expense it.

The latest model is the the YubiKey 5, which comes in several form factors: See and look at the Yubikey 5 series (not the Security Key Series). Any YubiKey 5 should work; pick one based on which ports/devices you might use it with. Here are some specific notes:

  • YubiKey 5 NFC: supports USB-A and NFC. Currently, the NFC functionality only works properly on Android. iOS 13 is greatly expanding NFC capabilities, so proper support on iOS might show up later.

  • YubiKey 5C: supports USB-C only.

  • YubiKey 5Ci: This was just released as of August 2019. It has USB-C and Lightning connectors, and supposedly there will be an iOS version of Yubico Authenticator.