In the increasingly digital world where pretty much everything requires login credentials, some companies may find themselves in a bit of a pickle when it comes to controlling account access.
To make life easier, employees often might exchange passwords, share accounts and emails, or choose to work altogether on one account, rather than try to figure out individual permissions. This isn’t even something that’s necessarily new; for decades people have been sharing credentials, both physical and digital, that shouldn’t be, all for the sake of making life easier.
Thankfully, with modern problems come modern solutions, and we don’t really have to rely on the traditional ways of sharing passwords. Of course, it’s still important to understand why the way we’ve been doing it is bad, otherwise long-lasting change won’t happen. As such, that brings us to our first point...
Issues With Sharing Passwords
This probably shouldn’t need to be said, but sharing passwords poses an incredibly large security risk, even if it’s with people that you trust. Recent studies have found that roughly 35% of people share passwords, which might not seem a lot at first glance, but when you take the whole internet-using population of the world, that’s millions upon millions of people.
Aside from just the security risk, sharing passwords generally decreases accountability in the workplace. Since you never know who is doing what, you and the people you share passwords with can ultimately all come under fire as a group for the actions of one person. Imagine trying to track down account credentials and the history of it’s activity, only to find out that a dozen different people are using that single account.
Similar to the point above, you also have the issue of not knowing who was part of what communication chain. This is an especially big problem for companies that have a complex CMS infrastructure and logging system. Even worse, how do you keep track of who needs to answer what e-mail? How do you keep track of complaints, or issues that require several days of emails? At that point you’re just spending hours on hours just trying to figure everything out.
Even worse is the scenario when an employee leaves the company and yet still has access to the account. Whoever is in charge of the sharing might not be aware that they’ve left, or might not want to go through the effort of changing the password and informing the others. This increased burden for password security and subsequent lack of it can lead to somebody having access to sensitive material who shouldn’t. Aside from the security issue, there’s also legal issues to consider.
Traditional Methods of Password Sharing
Of course, we can understand that people still might need to share passwords, even if temporarily, so here are the traditional ways that you should avoid:
Sending the login information, without encryption, through an email. This is probably the worst possible thing you can do, because it only requires that one email be compromised. Instead, try and break it up over several emails, or through two different communication channels. The only slight exception to this is a secure email.
Sending the login information through messaging apps. While slightly better, it’s still the same issue of potentially compromising just one message to get the info. Also, if other people have access to your phone, you can’t really control who does and doesn’t see the login information.
Writing down the login information and passing it on. I can’t stress enough how bad of an idea this is. Aside from the fact that the person could easily lose the piece of paper at any time, there’s also the fact that anybody could easily see at least part of the information, especially if the paper is thin and the text is thick. At the very least, always make sure to shred the paper when the transfer of information is complete.
Sharing the login information verbally. This one is slightly better, although the truth is that most people don’t really have the capacity to memorize information on-the-fly like that. There’s also the bigger issue that it’s easier to overhear people than it is to read a folded piece of paper.
Sharing login information through something like DropBox or Google Drive. While this might seem like a better idea, since these services are secured, it still sort of combines the problems from all the issues above, such as a single point of failure, and a lack of accountability on who sees the password.
While this is by no means an exhaustive list of ways people share passwords, they are the main ways that it can be done.
Why Password Managers are the Best for Password Sharing
Really, the best way to share passwords is to use something that has it integrated into its system, and for that, the best thing is a password manager.
For starters, not only does a password manager encrypt the passwords you put in there, it also allows you to have long and complex passwords, which are paramount to password security. On top of that, you can pretty much store a limitless amount of passwords if you want to. As long as the master password is strong enough, then you don’t have much to worry about.
Another great thing about password managers is that they allow you to control the access policies. By having an admin in control of what gets shared with who, there’s no worries that somebody who shouldn’t have access, get’s access. Furthermore, you can keep track of who does share passwords, and with who.
It also acts as a great backup plan for a sudden hire or an immediate departure. Keeping control of password access is paramount to maintaining a high level of security, and that comes baked-into most password management applications. So you, as the admin, get to choose who gets access to what passwords and you don’t have to worry about going through non-secure or non-encrypted channels, like a piece of paper or word of mouth.