A safe way to share passwords in the workplacePosted on 16 January 2019 by Anna Milchem
Within many workplaces staff need to share account log in credentials to access software or websites.
This means that if access details such as a user name or password are changed, multiple people need to be advised. Staff also need to be made aware of any new accounts that have been made for them. In this blog we’ll detail some password sharing practices that are often seen but do not offer sufficient security and then give our recommendations on how to safely share passwords in the workplace.
What shouldn’t you be doing?
Emailing credentials is not a secure way to communicate them. If a user had an issue that stopped them from accessing emails then the information would be lost to them. If their account were to be hijacked, the details of these accounts and passwords could be visible to other people. This could allow others without authorisation to access company or personal data.
Colleagues shouting passwords across a room to each other is another bad habit to fall into. Although your team may be well trusted and vetted, it’s still best practice that staff members and departments who don’t need access to particular systems do not have it. Plus it’s easy to forget about the contractor working away in the corner of the office. It may seem far-fetched but it’s not unheard of for such workers to be bribed into gaining and sharing this kind of information.
Passwords written down can be viewed by anyone without any log of who has had access and if they’re saved in a non-encrypted digital text document you’re not much better protected. Both of these methods provide a way for someone with malicious intent to very quickly and easily access passwords in bulk and remove them from the workplace.
What should you be doing?
A more secure way of sharing account details would be to use a password manager. Password managers allow shared details to be encrypted and stored in one location. The passwords can be accessed by using just one (super secure) password, meaning staff members don’t have to remember multiple access details. Users are able to search by a software name or even by company in order to find the credentials they require. This prevents the need to ask others for these details.
This helps avoid the problem of repeat passwords being used across multiple accounts and means that passwords don’t have to be sent by email, shouted across the room or written down on post-its stuck underneath the keyboard (please don’t do this!).
With a password manager, administrators are able to set permissions on a user’s access so that they are only able to access certain relevant passwords (for example a user that’s part of the technical support team would have no reason to access passwords used by the accounts department). They are also able to update passwords so that if one expires it can be changed and then updated within the password manager. This means that if a password has been updated and a staff member is unaware, they can quickly check the password manager when their next log in attempt fails. No need to ask anyone to divulge the password or keep trying different passwords and lock everyone out!
Likewise, if it’s possible that someone has access to a password that shouldn’t, that password can be changed quickly and with minimal fuss. An administrator can then quite easily check through the passwords stored to ensure that no repeat or similar version of the breached password has been used elsewhere and take corrective action if necessary.
Password managers also have the ability to show who has looked at a password, allowing administrators to investigate whether employees have the right level of access or why they would require it.
Once you’ve set up a new user with access to the password manager, their log in credentials can be given to them verbally in person, or if this is not possible, sent via encrypted email to their manager. When creating accounts there is the option to enforce a password change on the first log in, so that only the user knows their own password.