How to store credentials
Depending on how you manage your accounts, you, your team and the service you run may have credentials or other secrets that you need to store securely.
Personal credentials
Personal credentials belong only to you. They uniquely identify you and grant access to your GitHub, AWS, and GOV.UK Signon accounts.
If possible, use the password manager built into your browser. This is simpler than setting up an extra account with a third party and avoids the potential issues below.
If you are unable to use your browser’s password manager then you should use a third-party password manager. This could be necessary if your browser has an accessibility issue, or if you work with multiple browsers.
Third-party password managers used by people at MHCLG include:
- 1Password - for Administrator credentials
There is a security trade-off involved in using browser extensions to autofill credentials.
Auto-filling credentials can protect against phishing attacks: your password manager will refuse to autofill credentials for the wrong site, such as exxample.com attempting to impersonate example.com. However, it can be difficult to implement this functionality securely in an extension.
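To make the trade-off concrete, here is an added example (not code from this page or from any password manager) of the origin check an autofill extension has to get right. It contrasts a naive substring match on the host name, which offers a saved example.com login to example.com.evil.com or notexample.com, with a stricter check that requires https and an exact host or label-boundary subdomain match. The vault contents and URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample vault for this example: saved login origin -> username.
# A real password manager records the origin the credential was saved on.
VAULT = {
    "https://example.com": "alice",
    "https://accounts.example.org": "alice@example.org",
}


def naive_match(page_url: str, saved_url: str) -> bool:
    """The weak check: substring match on the host name.

    Accepts look-alikes such as example.com.evil.com or notexample.com,
    so an extension using this would autofill on an attacker's page.
    """
    page_host = urlsplit(page_url).hostname or ""
    saved_host = urlsplit(saved_url).hostname or ""
    return saved_host in page_host


def origin_match(page_url: str, saved_url: str) -> bool:
    """The stricter check a manager should apply before offering to autofill.

    - both the page and the saved entry must be https (no downgrade to http);
    - the page host must equal the saved host, or be a subdomain of it on a
      label boundary, so example.com.evil.com and exxample.com are rejected.
    """
    page = urlsplit(page_url)
    saved = urlsplit(saved_url)
    if page.scheme != "https" or saved.scheme != "https":
        return False
    page_host, saved_host = page.hostname, saved.hostname
    if not page_host or not saved_host:
        return False
    # Browsers hand extensions ASCII (punycode, xn--) host names; a raw
    # Unicode host here means something is being spoofed or mis-parsed.
    if not page_host.isascii():
        return False
    return page_host == saved_host or page_host.endswith("." + saved_host)


def credentials_for(page_url: str, vault=VAULT, matcher=origin_match) -> list[str]:
    """Usernames the manager would offer for page_url under the given matcher."""
    return [user for saved, user in vault.items() if matcher(page_url, saved)]


if __name__ == "__main__":
    for url in ("https://login.example.com/", "https://exxample.com/login",
                "https://example.com.evil.com/login", "http://example.com/login"):
        print(url, "naive:", credentials_for(url, matcher=naive_match),
              "strict:", credentials_for(url))
```

Even the stricter check is a judgement call: matching subdomains is convenient for login.example.com but means a credential saved on a shared host (one where unrelated parties control sibling subdomains) would be offered to all of them, and homoglyph domains that are registered as distinct punycode names still pass, which is why managers layer this with per-site rules and why the page calls it a trade-off rather than a solved problem.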
Team credentials
Credentials sometimes need to be shared across a team or programme. Software repositories (NPM, RubyGems, Maven Central) and admin portals (Fastly, DockerHub) will often have shared credentials.
You should follow the guidance for managing team credentials.
Where team or shared credentials are needed, MHCLG uses 1Password. See department guidance for 1Password.
Service credentials
Deployed services sometimes need sensitive configuration such as API keys and IP block lists.
Use the secret management feature of your infrastructure or cloud provider, e.g. AWS Secrets Manager or Azure Key Vault, rather than committing secrets to source control or baking them into build artefacts. This makes it easier to control and audit access to the credentials, and to rotate them without redeploying.
Other third-party services in use by MHCLG to manage secrets include:
- GitHub Secrets for GitHub Actions