
Using 1Password

What is 1Password?

1Password is an online password management tool that we make available to you to help you create, store and share passwords. Using it means you no longer need to remember dozens of passwords, just a single primary password. It keeps all your website logins protected, helps with creating new ‘strong’ passwords and password sharing when required.

1Password is available as a browser extension for popular browsers, as well as a full software suite (for use outside of browsers) for Microsoft Windows and Apple macOS.

1Password securely saves your credentials in your own ‘Vault’ and then offers to autofill those credentials the next time you need them.

The Ministry of Justice (MoJ) has the Business tier of 1Password.

Who should use it?

Currently, MoJ 1Password accounts can be requested by service or operations teams that have a need for shared passwords.

How to get it

Contact the Operations Engineering Team through their Slack Channel, #Ask-Operations-Engineering, or email Operations Engineering to request access.

Make sure you include in your message:

  • which team you’re in
  • your role in your team
  • why you need access

What it can be used for

1Password can be used for sharing passwords within a team, when individual named accounts cannot be created in the service. A good example is running a shared Twitter account.

Note: If you have a business need for a shared Twitter account, consider using a more enterprise-orientated tool for social media posting, such as TweetDeck or Hootsuite. You need formal approval to use tools like these.

Personal use

You should not use your MoJ 1Password account to store personal non-work information as it is a work account belonging to the MoJ. You may lose access if you change role. You will lose access entirely if you leave the MoJ.

Operations Engineering cannot routinely access the contents of vaults but can reset accounts to gain access if there is a good reason to do so.

What it shouldn’t be used for

1Password should not be used for storing personal passwords, or for storing MoJ documents. Use existing approved MoJ services such as Office 365 or Google Workspace for storing MoJ documents.

You should not use 1Password for ‘secrets’ that belong to systems, only credentials to be used by humans. There is separate guidance on how to handle system secrets.

How to use it

Getting started

You will be sent an email to your MoJ work email account inviting you to create your account. 1Password have ‘getting started’ guides on their website.

Creating your primary password

You need to create a primary password - this is the only password you’ll need to remember.

It shall be at least 14 characters long (the longer the better).

You can choose to make it pronounceable and memorable (passphrase) such as CyberSecurityRules! or Sup3rD00p3rc0Mp3X!, as long as you’re comfortable remembering it and won’t need to write it down.

There are password guidance standards here.

Your primary password shall be unique and you should not use it anywhere else (including a similar version, for example, by simply adding numbers to the end).

Multi-Factor Authentication

You shall set up multi-factor authentication (MFA, sometimes known as 2FA) for your MoJ account.

1Password has a guide on setting up MFA.

The MoJ has an ‘order of preference’ for which types of MFA to use:

  • Hardware-based (for example, Yubikeys)
  • Software-based (for example, Google Prompt on a mobile device)
  • TOTP-based (the code is held by a dedicated app such as Google or LastPass Authenticator on a mobile device)
  • SMS-based (a one-time code sent via SMS)

If you don’t have an MoJ-issued work smartphone you may use a personal device for MFA.

Sharing passwords

To share a password, create a Vault.

You should make sure the credentials you’re sharing are only available to the people who need to access them for MoJ work. It is your responsibility to remove items or people from vaults when access to the credential(s) is no longer required.

You shall not share your 1Password primary password with anyone, even your line manager or MoJ security.

Using it overseas

Taking a device (such as a personal smartphone) that has MoJ 1Password installed with you overseas counts as travelling overseas with MoJ information.

The MoJ has existing policies on travelling abroad on the MoJ intranet, which require various approvals before travel.

It may be simpler to ‘log out’ of the 1Password applications or enable Travel Mode to remove vaults from your devices. These can be reinstated when you return to the UK.

Keeping 1Password up to date

As with all software, it is important to keep 1Password up to date (sometimes known as ‘patching’). 1Password software generally updates itself to the latest version; however, make sure you approve or apply any updates if 1Password asks you to.

Need help?

If you need help installing 1Password contact the relevant MoJ IT Service Desk.

If you need help using 1Password, such as getting access to vaults or resetting your primary password because you have forgotten it, contact the Operations Engineering Team through their Slack Channel, #Ask-Operations-Engineering, or email Operations Engineering.

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.