Pagoda Blog

You’ve probably heard the warning, “Never share your passwords” a million times, but how many people actually follow this rule? We’re willing to bet, regardless of the data, close to zero. This outdated advice ignores the fact that we have to share some passwords both professionally for collaboration and sometimes personally because we’re either being generous (how many users are on your Netflix account?) or, again, we need to collaborate. The problem is, sharing passwords is incredibly risky. 

 

81% of hacking-related security breaches are the result of weak or stolen passwords. Considering that most people reuse passwords, one stolen password could compromise multiple accounts. For example, if an employee uses the same password for several work accounts, this could give a hacker access to an entire company network, exposing the data of both customers and employees. 

 

Related reading: Are You Doing All You Can to Protect Your Customer Data? 

 

So if password sharing is risky but we have to do it, what’s the solution? Let’s first go over how NOT to share passwords and which passwords you should never share. hen we’ll dive into best practices for sharing passwords that will mitigate the risk of a data breach. 

 

How NOT to share passwords

When a team member needs access to an account, many people default to everyday forms of communication. These forms of communication may be convenient in the moment, but the long-term consequences of a data breach are far too costly for any short-term benefits.  Here are 5 common ways people share passwords that pose a cybersecurity risk: 

 

1. Sharing verbally or via a sticky note or notepad

2. Sharing via email

3. Sharing via text 

4. Sharing via communication tools like Discord, Slack or Teams 

5. Sharing via a shared file, such as Google spreadsheets 

 

All of the above tactics come with inherent risks. These standard forms of communication are too easily hacked or can too easily fall into the wrong hands. It also encourages the reuse of passwords because without a central location to store and share passwords, it becomes increasingly difficult to keep track of the many work accounts and ensure everyone has the access they need. 

 

This lack of a central location is why many companies fall back on familiar shared files, such as Google spreadsheets, to store and share login information. This solution may seem like a more secure solution than email or text but still comes with many security risks. When all your account information is stored within one Google Spreadsheet, whoever you share the file with automatically has access to all your usernames and passwords, not just those pertinent to their role. A spreadsheet can also easily be copied and shared with others who don’t have permission. Revoking access (and ensuring past employees haven’t made their own copy) is also hard to track and verify.   

 

Which passwords you should never share (and which ones are less risky) 

It’s also important to highlight that there are some passwords you should never share. These include bank account logins, your network login, and your email. A good rule of thumb is to never give employees access to accounts that reveal sensitive financial information or could make it easy for them or a cybercriminal to commit identity theft. Sharing your network login makes you especially vulnerable to a cyberattack because it gives access to all accounts and devices connected to that network.  

 

If you can avoid sharing passwords that’s always the safest solution. Amazon, for example, provides business accounts where you can add an account for each employee with their own username and password. Facebook also doesn’t require you to share your personal login in order to give an employee, such as your social media manager, access to your business page. That employee can log in using their own personal account and then request access to manage just your business page. You can also choose what level of access to give that employee, restricting their actions based on their role. Whenever you have the option, create a separate login with restricted, role-based access to your shared accounts. 

 

Let’s take a closer look at how to securely share passwords when absolutely necessary.   

 

How to securely share passwords 

Securely sharing passwords starts with establishing password best practices that all employees are required to review and adhere to whenever they create, access, or share an account login. To ensure all team members understand the importance of password best practices and will comply, we recommend holding regular cybersecurity trainings, in addition to instilling a culture of cybersecurity across your company. If employees fully understand the value of a policy, and how failing to comply could impact them personally and the company as a whole, they are far more likely to stay in compliance for the long-run.  

 

As part of your password best practices, you should be utilizing a password manager to enable the secure sharing of logins when necessary. The password manager N-able recommends implementing the following policies at your office: 

 

• Choose solutions that allow for single sign-on (SSO) whenever possible. SSO will reduce the likelihood of employees sharing passwords that are also linked to their email account.
• Enable two-factor or multifactor authentication wherever you can—this will make it much harder for a hacker to gain access, and will discourage sharing due to the extra layer of authentication. 
• Encourage employees to use complex passwords. They should include uppercase and lowercase letters, symbols, and numbers. They shouldn’t include any personal information that might be found on your social media profiles.
• Urge employees to avoid using the same password for multiple products or services.
• Promote the use of a secure password manager. 
• Implement granular access control, like role-based permissions, for accounts and systems. 

When sharing passwords between team members, implementing granular access control is critical. This allows your IT team or upper management to set role-based permissions that ensure account logins are only shared with those who really need access. You can also assign further levels of permission to each password, allowing it to be read-only or never viewed at all, auto filling the password when a permitted team member needs to log-in to that account. 

Setting up specific role-based permissions also makes the onboarding and off-boarding process a lot easier. Your IT team can quickly and securely grant and revoke access as needed to team members based on their position in the company. 

 

Related reading: What to Do When an Employee Leaves to Protect Company Data

 

Next time you share a password, run through a quick checklist first to make sure it’s both necessary and secure. 

 

1. Does this person need my password or is there another way to grant them access to the account? 
2. How much access does this person need to the account? 
3. Have I reused the password on any other accounts that could be put at risk?
4. If an employee is creating their own login credentials, are they adhering to current password best policies? 

 

Running through a simple checklist like this can prevent you from taking unnecessary risks with your data. And utilizing a password manager will keep your credentials secure and organized, protecting you from a data breach and the all-too-familiar headache of yet another forgotten password. Lastly, remember that there are some passwords that should remain confidential and it’s imperative to always exercise caution when sharing your credentials with someone else. 

 

Have further questions about how to securely share passwords with your team? Get in touch and we can help you create an effective password policy for your business. 

 

 

Feature Photo by LinkedIn Sales Solutions on Unsplash

 

Read more posts like this: 

Are Passwords Strengthening or Compromising Your Security? The Pros and Cons of Passwordless Authentication

The 5 Key Components of a Multi-Layered Security Strategy

Why the Most Successful Businesses Have a Cyber Resiliency Strategy   

 

Want to get more posts like these once a month in your inbox? Sign up for the Pagoda newsletter and sharpen your technical skills, from cybersecurity to digital marketing. 

 

 

Want IT to serve you better?

 

 

 

About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at support@pagoda-tech.com to schedule a complimentary IT consultation.