Add password manager endpoint hardening guide

AGENTS.md

@@ -1,5 +0,0 @@
-# Clone Notes
-
-- This is an isolated checkout for PR `#418` on `security-alliance/frameworks`.
-- Edit `docs/pages/contribute/contributing.mdx` and regenerate the root `CONTRIBUTING.md` with `node utils/sync-contributing.js`.
-- Keep Discord channel references aligned with the reviewer-approved `frameworks-contribs` wording.

docs/pages/guides/endpoint-security/index.mdx

@@ -11,4 +11,5 @@ title: "Endpoint Security"
 
 ## Pages
 
+- [Password Manager Endpoint Hardening](/guides/endpoint-security/password-manager-endpoint-hardening)
 - [Zoom Hardening Guide](/guides/endpoint-security/zoom-hardening)

docs/pages/guides/endpoint-security/password-manager-endpoint-hardening.mdx

@@ -0,0 +1,100 @@
+---
+title: "Password Manager Endpoint Hardening | Security Alliance"
+description: "Reduce password manager endpoint risk with stronger device, browser, MFA, and recovery practices."
+tags:
+  - Security Specialist
+  - Operations & Strategy
+  - Engineer/Developer
+contributors:
+  - role: wrote
+    users: [dickson]
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components'
+
+<TagProvider>
+<TagFilter />
+
+# Password Manager Endpoint Hardening
+
+<TagList tags={frontmatter.tags} />
+<AttributionList contributors={frontmatter.contributors} />
+
+## Summary
+
+> 🔑 **Key Takeaway:** Encrypt every device that can unlock your vault, lock it quickly, keep it updated, use
+> phishing-resistant MFA on the password manager account, minimize browser and clipboard exposure, and rehearse
+> recovery before an incident.
+
+A password manager concentrates access to many critical accounts, so the device and browser that can unlock it deserve
+extra hardening.
+
+## For Individuals
+
+### Minimum Device Baseline
+
+- [ ] Use only supported, regularly updated operating systems and browsers
+- [ ] Enable full-disk encryption on every device that can access the vault
+- [ ] Require a real screen lock with a 5-minute-or-less idle timeout and password on wake
+- [ ] Enable device location, remote lock, and remote wipe features before you need them
+- [ ] Keep the password manager set to lock on sleep, device lock, and browser or app exit
+
+### Safer Browser and Vault Usage
+
+- [ ] Use a dedicated browser profile for work or other high-value accounts
+- [ ] Keep that profile minimal: ideally only the password manager extension, and otherwise a short allowlist of
+      extensions you actively need and trust
+- [ ] Prefer user-initiated fill over broad automatic fill on page load
+- [ ] Verify the domain before filling credentials for high-impact accounts such as registrars, GitHub, cloud,
+      finance, or admin panels
+- [ ] Avoid logging into the work vault from throwaway browsers, borrowed devices, or lightly managed systems
+
+### Clipboard and Copy/Paste Hygiene
+
+- [ ] Prefer direct fill into the browser or app instead of copying secrets to the clipboard
+- [ ] Disable clipboard history and cross-device clipboard sync on endpoints used for sensitive workflows
+- [ ] If you must copy a secret, paste it immediately and clear the clipboard or rely on the password manager's
+      auto-clear setting if supported
+
+### Protecting the Password Manager Account
+
+- [ ] Use phishing-resistant MFA such as FIDO2/WebAuthn security keys where supported
+- [ ] For highest-risk operators, prefer hardware security keys over broadly syncable authenticators when possible
+- [ ] Keep at least two recovery-capable authenticators enrolled
+- [ ] Do not rely on SMS as the primary recovery or second-factor method
+- [ ] Store recovery codes or emergency-kit material offline and separately from the device
+- [ ] Avoid circular dependency: do not make the only copy of recovery material depend on access to the same vault
+
+## Web3-Specific Operational Rules
+
+Password managers in Web3 often gate access to registrars, code hosting, cloud, and finance systems. Treat the
+endpoints that can unlock the vault accordingly.
+
+- Use a separate browser profile, and ideally a separate device, for the highest-risk admin workflows
+- Prefer hardware security keys for the password manager account and highest-impact downstream services
+- Never store wallet seed phrases, private keys, or recovery phrases in a password manager, browser storage, or notes
+  app
+- If an endpoint used for registrar, GitHub, cloud, or finance access looks compromised, rotate those credentials first
+
+## Lost or Stolen Device Response
+
+Use these steps if a device with possible vault access is lost, stolen, or suspected compromised:
+
+1. Lock, mark lost, or wipe the device as quickly as possible.
+2. Revoke the device or active sessions from the password manager or identity provider if the product supports it.
+3. Change the password manager account password and review enrolled MFA methods.
+4. If the vault may have been exposed, rotate the highest-risk downstream credentials first.
+5. Replace recovery material and backup authenticators if their custody is uncertain.
+
+If you cannot confirm the vault was locked at the time of loss, treat exposed credentials as the default assumption and
+rotate accordingly.
+
+## Further Reading
+
+- [NIST SP 800-63 Digital Identity Guidelines](https://pages.nist.gov/800-63-4/)
+- [CISA: Implementing Phishing-Resistant MFA](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a)
+- [NCSC: Password Managers](https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers)
+- [Apple: Protect Data on Your Mac with FileVault](https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac)
+
+</TagProvider>
+<ContributeFooter />

vocs.config.tsx

@@ -546,6 +546,7 @@ const config = {
           text: 'Endpoint Security',
           collapsed: true,
           items: [
+            { text: 'Password Manager Endpoint Hardening', link: '/guides/endpoint-security/password-manager-endpoint-hardening', dev: true },
             { text: 'Zoom Hardening', link: '/guides/endpoint-security/zoom-hardening' },
           ]
         },