Added a password section to the opsec framework

[shallem]

Added a new section about passwords with the following sub-pages:

• A page describing good password policies (i.e. what makes a good password)
• A page introducing enterprise password managers, their security benefits, and their use case
• A page discussing single sign-on and why it should be used even though it introduces centralization risk
• A page discussing root account passwords (for cloud services) and how those should be handled specially

@mattaereal - feedback on all aspects of the PR are greatly appreciated.

[github-actions]

Sidebar Configuration Reminder

This PR includes added, renamed, or removed documentation files:

• docs/pages/opsec/passwords/basics.mdx (added)
• docs/pages/opsec/passwords/managers.mdx (added)
• docs/pages/opsec/passwords/overview.mdx (removed)
• docs/pages/opsec/passwords/rootaccounts.mdx (added)
• docs/pages/opsec/passwords/sso.mdx (added)

Please ensure that:

• The sidebar in vocs.config.tsx has been updated to include these files
• New content has the dev: true parameter so it's marked as under development
• Sidebar links match the file paths - use the preview deployment to verify

See Contributing Guide – Sidebar & Navigation for more details.

---

_{This is an automated reminder. If this PR doesn't need sidebar changes, you can ignore this message.}

[github-actions]

built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name	Status	Preview	Last Commit
frameworks	✅ Ready (View Log)	Visit Preview	f72d7ea

[frameworks-volunteer]

Model: z-ai/glm-5.1 Reasoning: high Provider: openrouter

Review: PR #468 — Password section for opsec framework

Content is well-structured and covers the topic thoroughly. Found a few issues that should be addressed before merge.

Issues (should fix)

1. Typo in vocs.config.tsx: collpased → collapsed — The sidebar config property is misspelled. Other entries in the same file use collapsed: false. This may silently fail (property ignored) rather than cause a build error.

2. Typo in sso.mdx: best pratice → best practice — Line in the "Advantages of Centralized Sign-in" section.

3. Typo in rootaccounts.mdx: the closed immediately → then closed immediately — Under "Keep root accounts cold", the sentence reads "sessions are opened when a key administrative function must be performed, the closed immediately via an explicit logout". Should be "then closed".

4. Broken internal link in opsec/overview.mdx — Line 47 links to /opsec/passwords/overview, which this PR deletes. Should be updated to /opsec/passwords/basics.

Minor (nice to fix)

5. Missing trailing newlines in managers.mdx, rootaccounts.mdx, and sso.mdx. Standard convention for text files.

Security Review

• No hardcoded secrets, tokens, or API keys
• No injection vectors (XSS, path traversal) — content is MDX documentation
• No unsafe deserialization or eval
• No suspicious dependencies
• Content accurately describes security best practices (password managers, SSO, cold root accounts, rotation policies)

QA Review

• Frontmatter format is valid and consistent with other pages in the repo
• Internal links to /opsec/mfa/overview, /opsec/passwords/sso, /opsec/passwords/rootaccounts are valid
• Contributor attribution is correct (shallem as author)
• The deleted overview.mdx placeholder is properly replaced with substantive content
• Spelling: 3 typos noted above; should check against cspell.json wordlist after fixes

Verdict: Request changes for the typos and broken link. All are quick fixes.

[mattaereal]

Hi shallem! Thanks again for this addition and for reviewing our volunteerś feedback.

A few suggestions below!

• Frontmatter descriptions (add/expand to 140-160 chars), for example:

• basics.mdx: "Implement strong password basics: length, complexity, uniqueness, generation to resist brute-force/dictionary attacks. Essential foundation." (142 chars)
• managers.mdx: "Configure password managers (Bitwarden, etc.) for secure storage, autofill, sharing. Includes self-hosting, TOTP, emergency access." (138 chars)
• rootaccounts.mdx: "Secure root/admin accounts: rotation, JIT access, monitoring. Prevents escalation in Linux/AWS/cloud." (expand to 140+)
• sso.mdx: "Use SSO (OAuth/SAML) for passwordless auth with Okta/Auth0. Reduces sprawl, enforces MFA/sessions." (expand)

• Don't mind index.md, it's generated automatically upon deployment.
• We're missing an overview.mdx, the 'basics' seems like it, adding an outline for the rest of the contents. You can check other categories to see what I'm talking about (but tl;dr, overview.mdx is the home for every category and subcategory).
• managers.mdx self-hosting: "Bitwarden supports self-hosting; alternatives: Vaultwarden, Passbolt."
• Run just lint, docs:build/preview; update vocs.config.tsx sidebar

[shallem]

@mattaereal - I have just pushed another round of changes to address your comments above.

[mattaereal]

@frameworks-volunteer, can you do a recheck to see if we missed anything during our interaction with @shallem? And if the vocs config, structure, and format are correct?

[frameworks-volunteer]

Model: z-ai/glm-5.1 Reasoning: medium Provider: openrouter

Re-reviewed PR #468 after @shallem's updates. Found several items that were missed or introduced since the prior review.

---

Issues (should fix before merge)

1. Broken link in opsec/overview.mdx -- Line 47 links to /opsec/passwords/basics, but no basics.mdx file exists in this PR. The correct link is /opsec/passwords/overview (which matches the sidebar entry and the actual file). This was flagged in the prior review but the fix introduced a non-existent path instead of keeping the valid one.

2. Description frontmatter too short (convention: 140-160 chars with action verbs/keywords):

   • managers.mdx: 133 chars -- expand to include TOTP, credential types, or zero-trust
   • rootaccounts.mdx: 127 chars -- expand to mention rotation, cold accounts, password manager sharing
   • sso.mdx: 125 chars -- expand to mention federation, IdP hardening, or centralized session control

3. Gendered language in sso.mdx -- Line 85: "a user may have revealed his password" should be "their password" per American English gender-neutral convention.

Minor (nice to fix)

4. Auto-generated files edited manually -- docs/pages/opsec/passwords/index.mdx and utils/fetched-tags.json are both auto-generated by the build command (utils/generate-folder-indexes.js). Manual edits will be overwritten on next build. These can stay for preview purposes but should be removed from the final diff or the generator should be run instead.

5. No Key Takeaway blocks -- Per repo conventions, playbook/template pages should start with > 🔑 **Key Takeaway**: (<40 words). None of the 4 pages include this. Not blocking, but would improve consistency with other opsec subcategories.

6. Sidebar label vs filename mismatch -- The sidebar entry says "Password Basics" linking to /opsec/passwords/overview. If "Password Basics" is the intended display name, consider renaming the file to basics.mdx for clarity (or updating the sidebar text to "Password Management" / "Overview" to match the file). This is cosmetic but could confuse contributors.

Security Review (re-checked)

• No hardcoded secrets, tokens, or API keys
• No injection vectors (MDX documentation content only)
• No unsafe deserialization or eval
• Content accurately describes security best practices
• Internal link to /opsec/passwords/rootaccounts and /opsec/passwords/sso are valid

Summary of prior review status

The prior review (CHANGES_REQUESTED) flagged 4 issues + 1 minor. Status:

• discord.md updates #1 typo collpased → collapsed: Fixed ✅
• google.md updates #2 typo best pratice: Fixed ✅ (no occurrence found)
• Update telegram.md #3 typo the closed → then closed: Fixed ✅
• Update twitter.md #4 broken link /opsec/passwords/basics: Not fixed ❌ (link still points to non-existent path)
• devsecops readme.md update #5 trailing newlines: Fixed ✅

Verdict: Still requesting changes for the broken link (#1 above) and the short descriptions (#2). The gendered language (#3) should also be addressed.

[scode2277]

Added the remaining things to fix as inline suggestions for one-click apply, so we can get this content shipped @shallem

[scode2277]

Suggested change

	5. [Password Management](/opsec/passwords/basics): Password Robustness
	5. [Password Management](/opsec/passwords/overview): Password Robustness

[scode2277]

Suggested change

	passwords if you are concerned that a user may have revealed his password to a
	passwords if you are concerned that a user may have revealed their password to a

[scode2277]

Suggested change

	description: "Configure password managers (Bitwarden, etc.) for secure storage, autofill, sharing. Includes self-hosting, TOTP, emergency recovery."
	description: "Configure password managers (Bitwarden, etc.) for secure storage, autofill, and sharing. Includes self-hosting, TOTP, zero-trust, emergency recovery."

[scode2277]

Suggested change

	description: "Secure root/admin accounts: password rotation and storage, least privilege, monitoring. Prevents escalation in Linux/AWS/cloud."
	description: "Secure root/admin accounts: password rotation and storage, cold accounts, password manager sharing, monitoring. Prevents escalation in Linux/AWS/cloud."

[scode2277]

Suggested change

	description: "Use SSO (OAuth/SAML) for passwordless auth with Okta/Auth0/Google. Reduces secrets sprawl, enforces MFA and session controls."
	description: "Use SSO (OAuth/SAML) for federated passwordless auth with Okta/Auth0/Google. Reduces secrets sprawl, enforces MFA, session controls, IdP hardening."