Best Practices
A few habits that will keep your account secure and your team working smoothly.
Passphrase hygiene
Write it down somewhere safe
Your passphrase cannot be recovered. Store it in a password manager, an encrypted note, or a physical safe. Losing it means losing access to your secrets permanently.
Use a long, unique passphrase
Choose something that is both memorable and hard to guess. A sequence of random words is often better than a short password with symbols. Do not reuse a passphrase from another service.
Lock your session when you leave
Use the Lock button before walking away from your computer. This clears your session key from memory immediately.
Managing secrets
Rotate secrets regularly
Generate new API keys and passwords on a schedule, especially for production services. Update the value in dotenvar immediately after rotation.
Separate environments
Keep development, staging, and production credentials in separate Groups. Never copy a production secret directly into a dev environment.
Delete stale secrets
Old API keys for deprecated services are unnecessary attack surface: a forgotten key that is still valid can be abused if it leaks. Remove them as soon as they are no longer needed.
Team sharing
Share the minimum necessary
Share only the specific secrets a teammate needs. Avoid sharing an entire Folder when only a single secret is required.
Revoke access when people leave
When a team member leaves, revoke their shares and rotate any secrets they had access to. Revoking a share only stops future reads; it does not neutralise a value they may already have copied, so rotation is what actually closes the exposure.
Prefer View over Edit for read-only use cases
Most teammates only need to read a value. Use the View permission unless someone genuinely needs to update the secret.