Meiro User Security Guidelines
Last Updated: May 22, 2019
Cyber security is like a fire drill: people do not take it seriously enough. And just as with fires, people do not feel that anything harmful could happen to their computers or data – until something actually does. In this guideline, we define a set of security rules and habits that Meiro* employees and subcontractors are to strictly follow and that we highly recommend our users to adapt to ensure that their computers and data are protected when working with Meiro products. And on the internet in general, of course.
1. Password Manager
Access to a password manager
The password manager enables users to store various account credentials as well as other sensitive information in a virtual vault that is kept locked behind a master password.
The password manager of choice at Meiro is 1Password. Every employee and contractor of Meiro is required to use 1Password as this is not only where important and relevant credentials are stored but also where they are sometimes shared.
It is essential that you store all your work credentials (e.g. your work email, login credentials to accounts , various instances of Meiro Integrations and Meiro CDP) in a private vault in 1Password.
1Password provides browser extensions, among other things, that make it easy for you to save your credentials and sign into your accounts with a single click. 1Password has two extensions for most browsers that you can use but we find that out of the two, 1Password X is the best as you would not require a desktop app for it and its UI is much cleaner.
Password and security key to your password manager
Your password manager is the single most important piece of software that you can have, so it’s crucial that you set a strong password that is unique and not used anywhere else. Here are a few pointers in creating a secure password:
- You will want to choose a password that is easy to remember but not too easy for others to guess. This can be in the form of a sentence that is easily memorised and that only you will know (e.g. a summary of a significant event or a description of your favourite place).
- Make sure your password is at least 12 characters long. A password’s strength lies in its length.
- Capitalize two or more of your password characters but do try to avoid typically capitalizing the first or last character.
- Include special characters such as numbers, punctuation or ampersands. Look for places in your password where these special characters can make sense (e.g. replacing ‘for’ with 4).
Do NOT save your emergency kit containing your 1Password (or any other password manager) credentials and secret key on your computer or in the cloud. You can either print out your emergency kit and/or save your emergency kit in a USB flash drive that you can keep in a secure place in your own home.
When and when not to share credentials using your password manager
Whenever you or your co-worker require access to a software or website, always create individual accounts wherever possible. For example, you do not need to share your JIRA credentials with another person but simply invite them to JIRA as a separate user.
In situations where you absolutely need to share credentials (e.g. databases, accounts that do not support multiple users like Instagram or Twitter), do so by using a shared vault in password manager.
2. Multi-factor authentication everywhere
Adopt the practice of enabling multi-factor authentication when signing into your accounts wherever possible, and do not solely rely on using passwords alone.
Multi-factor authentication (MFA) is a method of verifying a user’s identity by requiring them to present more than one piece of identifying information to an authentication mechanism. It adds an extra layer of security on top of your username and password and significantly reduces the chances of your credentials becoming compromised in the event of a data breach.
While the Google Authenticator app may seem like the most popular authentication app, we recommend that you use Authy as a better alternative instead.
Authy functions just like Google Authenticator but unlike the Google Authenticator, Authy provides multi-device support and allows you to make backups to the cloud (this second feature is especially handy if you ever lose your phone or you have to switch to a new phone).
You can read more about Authy’s advantages over Google Authenticator at this link here.
3. Backup of keys to various software/apps
Even if you have enabled multi-factor authentication across your devices and already installed Authy , we still emphasise the importance of keeping a backup all of the security/secret keys to various applications when prompted.
As mentioned previously, keep your backups on an external USB flash drive and/or print the keys out that you keep in a safe location around your home or with you.
4. Disk encryption
Disk encryption refers to the cryptographic method of encrypting your entire hard drive including your data, files, your computer’s operating system and software programs.
A full disk encryption is the digital equivalent of putting a deadbolt on your data. Just as how locking all entrances to your home prevents intruders from breaking in, disk encryption prevents unauthorized persons from accessing your data stored on your computer.
This means that if you have accidentally left your laptop behind in your Uber driver’s car or it gets stolen, that person wouldn’t be able to access your data without your help. Full disk encryption is one of the most important tools that you can use in protecting the data on your computer.
Most operating systems have a built-in disk encryption function that is only enabled when the user permits that option. Here is how you can enable the full disk encryption system on the following operating systems:
5. Compartmentalize your personal and work emails
Separate your personal and work identities on your computer to avoid identity mix-ups and putting sensitive data at risk by using multiple browser windows for multiple Google accounts.
If Google Chrome is your default browser, you can also create different Chrome profiles for different accounts.
For Firefox users, you create multiple accounts through their Multi-Account Containers extension.
Please don’t use your personal email for work and vice versa
Do not register personal services with your work email. Do not register work-related services and tools with your personal email.
You don’t want an ethical or legal quandary on your hands.
6. Enable a PIN, fingerprint identification or password on your digital devices
Enabling some form of protection for all your digital devices prevents others from easily accessing sensitive or confidential information.
7. Log out
When you’re not using an online service, log out. Lock your computer if you’re leaving it unattended, even if for just a while.
8. Use public/private keys to access servers and not passwords
Do not use passwords when accessing servers. Use public keys instead.
A public key is a computer-generated cryptographic key that is used to turn a message into an unreadable format. Decryption can only be carried out by using a second computer-generated key known as the private key.
Public and private keys are paired to enable secure communication. Public keys are stored on the server that you log into while private keys are stored on your computer.
Due to its cryptographic strength, public keys are more difficult to hack than passwords. They also allow users to use a single key pair to access multiple SSH servers that they are able to connect to.
You can learn more about public key authentication and how to set up this authentication here.
9. Backup your computer
This point has been reiterated throughout this article but it still bears repeating: always, always, always do a backup.
Here’s a mental exercise to conclude this guideline:
Picture this grim possibility: Your computer gets stolen. What do you do? Where is your data backed up currently? How recent was your last backup? How are you going to access your 1Password (or any other password manager) on your new device? Where have you saved your security key to authenticate this new device?
Your answers should form a cohesive Plan B. Now go one step further and turn that plan into reality.
*Meiro means Meiro Pte. Ltd. (Company Registration No. 201716898D), Singapore.