Add password manager endpoint hardening guide

docs/pages/guides/endpoint-security/index.mdx

@@ -11,4 +11,5 @@ title: "Endpoint Security"
 
 ## Pages
 
+- [Password Manager Endpoint Hardening](/guides/endpoint-security/password-manager-endpoint-hardening)
 - [Zoom Hardening Guide](/guides/endpoint-security/zoom-hardening)

docs/pages/guides/endpoint-security/password-manager-endpoint-hardening.mdx

@@ -0,0 +1,180 @@
+---
+title: "Password Manager Endpoint Hardening | Security Alliance"
+description: "Harden the devices and browsers that can unlock your password manager: encryption, screen lock, phishing-resistant MFA, safer autofill, clipboard hygiene, recovery planning, and lost-device response."
+tags:
+  - Security Specialist
+  - Operations & Strategy
+  - Engineer/Developer
+contributors:
+  - role: wrote
+    users: [dickson]
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components'
+
+<TagProvider>
+<TagFilter />
+
+# Password Manager Endpoint Hardening
+
+<TagList tags={frontmatter.tags} />
+<AttributionList contributors={frontmatter.contributors} />
+
+## Summary
+
+> 🔑 **Key Takeaway:** Encrypt every device that can unlock your vault, lock it quickly, keep it updated, use
+> phishing-resistant MFA on the password manager account, minimize browser and clipboard exposure, and rehearse
+> recovery before an incident.
+
+A stolen laptop, an over-permissioned browser, or an unlocked device is a more likely path to credential exposure than
+a direct vault attack. This guide covers controls that reduce that endpoint risk.
+
+## Why Endpoints Matter
+
+An unlocked vault gives the endpoint broad credential access. Hardening reduces common failure modes:
+
+- lost or stolen devices exposing vault access
+- browser sessions interacting with malicious sites
+- clipboard leakage across apps or devices
+- weak recovery flows becoming the easiest way around strong login protections
+
+If you suspect the endpoint was compromised while the vault was unlocked, follow the
+[lost or stolen device response](#lost-or-stolen-device-response) steps below.
+
+## For Individuals
+
+### Minimum Device Baseline
+
+- [ ] Use only supported, regularly updated operating systems and browsers
+- [ ] Enable full-disk encryption on every device that can access the vault
+- [ ] Require a real screen lock with a short idle timeout and password on wake
+- [ ] Do day-to-day work as a standard user, not a local administrator
+- [ ] Enable device location, remote lock, and remote wipe features before you need them
+- [ ] Keep the password manager set to lock on sleep, device lock, and browser or app exit
+- [ ] Prefer a small number of clean, trusted devices over many semi-trusted ones
+
+### Safer Browser and Vault Usage
+
+- [ ] Use a dedicated browser profile for work or other high-value accounts
+- [ ] Keep that profile minimal: password manager extension plus as few others as possible
+- [ ] Prefer user-initiated fill over broad automatic fill on page load
+- [ ] Verify the domain before filling credentials for high-impact accounts such as registrars, GitHub, cloud,
+      finance, or admin panels
+- [ ] Avoid logging into the work vault from throwaway browsers, borrowed devices, or lightly managed personal systems
+- [ ] On shared or high-risk endpoints, sign out when done instead of relying only on long idle timeouts
+
+### Clipboard and Copy/Paste Hygiene
+
+- [ ] Prefer direct fill into the browser or app instead of copying secrets to the clipboard
+- [ ] Disable clipboard history and cross-device clipboard sync on endpoints used for sensitive workflows
+- [ ] If you must copy a secret, paste it immediately and clear the clipboard or rely on the password manager's
+      auto-clear setting if supported
+- [ ] Avoid third-party clipboard managers on devices used for administrative accounts
+
+### Protecting the Password Manager Account
+
+- [ ] Use phishing-resistant MFA such as FIDO2/WebAuthn security keys where supported
+- [ ] For highest-risk operators, prefer hardware security keys over broadly syncable authenticators when possible
+- [ ] Keep at least two recovery-capable authenticators enrolled
+- [ ] Do not rely on SMS as the primary recovery or second-factor method
+- [ ] Store recovery codes or emergency-kit material offline and separately from the device
+- [ ] Avoid circular dependency: do not make the only copy of recovery material depend on access to the same vault
+
+### Mobile-Specific Considerations
+
+- [ ] Use a strong device passcode, not a weak convenience PIN
+- [ ] Keep mobile OS updates enabled and current
+- [ ] Review which phones and tablets are trusted to access the vault and remove unused ones
+- [ ] Prefer not to keep the work vault available on every personal mobile device by default
+- [ ] Respond quickly to a lost phone because it often holds both active sessions and recovery channels
+
+## For Admins
+
+### Endpoint Policy Baseline
+
+- [ ] Restrict work-vault access to managed, encrypted, up-to-date devices wherever feasible
+- [ ] Enforce screen-lock, password-on-wake, and patching baselines through MDM or equivalent controls
+- [ ] Require standard-user day-to-day operation on managed endpoints
+- [ ] Ensure remote lock and wipe are available for every device allowed to access the work vault
+- [ ] Escrow disk-encryption recovery material through approved administrative processes
+
+### Browser and Session Controls
+
+- [ ] Use managed browser profiles for administrative workflows
+- [ ] Restrict extensions with allowlists or equivalent enterprise policy controls
+- [ ] Keep privileged profiles separate from general browsing, email, and social use
+- [ ] Configure short lock timeouts for password-manager sessions where vendor policy supports it
+- [ ] Periodically review trusted devices, active sessions, and shared-vault membership
+
+### Team and Recovery Operations
+
+- [ ] Define who owns break-glass recovery and how it is approved, accessed, and rotated after use
+- [ ] Keep role-based access tight for shared or business vaults
+- [ ] Remove departing staff from vault access, trusted devices, and recovery paths during offboarding
+- [ ] Document when downstream credential rotation is mandatory after suspected endpoint compromise
+
+## Web3-Specific Operational Rules
+
+Password managers in Web3 guard registrar, source control, cloud, and finance credentials. Endpoint controls should
+match that sensitivity.
+
+### High-Impact Accounts
+
+Prioritize hardening and incident response for endpoints that access:
+
+- registrars, DNS, and email administration
+- GitHub, package publishing, and CI/CD platforms
+- cloud providers, secret stores, and infrastructure consoles
+- communication platforms used for incident response or announcements
+- finance, banking, custody, payroll, and vendor-admin portals
+
+### Practical Rules
+
+- Use a separate browser profile, and ideally a separate device, for the highest-risk admin workflows
+- Do not mix privileged vault use with casual browsing, random extensions, or high-risk social-media browsing in the
+  same session
+- Keep personal and work vault access separated where possible to reduce accidental exposure and simplify incident
+  response
+- Prefer hardware security keys for the password manager account and highest-impact downstream services
+- Never store wallet seed phrases, private keys, or recovery phrases in a password manager, secret manager, browser
+  storage, notes app, or any similar system
+- If an endpoint used for registrar, GitHub, cloud, or finance access looks compromised, rotate those credentials first
+
+## Lost or Stolen Device Response
+
+Use this runbook if a device with possible vault access is lost, stolen, or suspected compromised:
+
+1. Lock, mark lost, or wipe the device as quickly as possible.
+2. Revoke the device or active sessions from the password manager or identity provider if the product supports it.
+3. Change the password manager account password and review enrolled MFA methods.
+4. Rotate downstream credentials in priority order:
+   - registrar and DNS
+   - primary email
+   - GitHub and package publishing
+   - cloud and deployment platforms
+   - finance and vendor-admin portals
+5. Review recent account activity for signs of unauthorized access.
+6. Replace recovery material and backup authenticators if their custody is uncertain.
+
+If you cannot confirm the vault was locked at the time of loss, treat exposed credentials as the default assumption and
+rotate accordingly.
+
+## Related Guides
+
+- [GitHub Security](/guides/account-management/github)
+- [GoDaddy Security](/guides/account-management/godaddy)
+- [Registrar Security & Registry Locks](/infrastructure/domain-and-dns-security/registrar-and-locks)
+- [Understanding Threat Vectors](/awareness/understanding-threat-vectors)
+
+## Further Reading
+
+- [NIST SP 800-63 Digital Identity Guidelines](https://pages.nist.gov/800-63-4/)
+- [W3C WebAuthn](https://www.w3.org/TR/webauthn-3/)
+- [CISA: Implementing Phishing-Resistant MFA](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a)
+- [NCSC: Password Managers](https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers)
+- [Apple: Protect Data on Your Mac with FileVault](https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac)
+- [Microsoft: BitLocker Overview](https://support.microsoft.com/en-us/windows/bitlocker-overview-44c0c61c-989d-4a69-8822-b95cd49b1bbf)
+- [Android: Find, Secure, or Erase a Lost Device](https://support.google.com/android/answer/6160491)
+
+</TagProvider>
+<ContributeFooter />

vocs.config.tsx

@@ -533,6 +533,7 @@ const config = {
           text: 'Endpoint Security',
           collapsed: true,
           items: [
+            { text: 'Password Manager Endpoint Hardening', link: '/guides/endpoint-security/password-manager-endpoint-hardening' },
             { text: 'Zoom Hardening', link: '/guides/endpoint-security/zoom-hardening' },
           ]
         },

wordlist.txt

@@ -332,4 +332,5 @@ SSDF
 SLSA
 pids
 Kata
-rootfs
+rootfs
+NCSC