Don’t pass it on

You probably know that you shouldn’t share your password to anything with anybody. But many people do, and for what seem on the surface to be good reasons.

How many people have access to your business social media accounts, for example, to cover the extended hours of social media? If you don’t use a dedicated social media management platform, you may well have only one login for each social media account—and Maisie from Marketing can’t do it all alone.

Or what if someone with sole access to an online service is away from work unexpectedly for an extended period (or even forever)? For business continuity purposes, you may need to find a way to provide access to essential business services to someone other than the main user.

The problems with sharing passwords are that:

  • The person you share it with may not keep the secret. They may not intend to disclose the password, but they could reveal it by accident, or because they’ve decided to share it with someone else, or the place where they’ve stored it could be hacked.
  • The way you’ve shared it may not be secure. For example, if you’ve shared it by email and your email account gets hacked, then the attacker knows that this password belongs to you. They might not yet know what account it belongs to, depending on what you’ve written, but they can record it, and try many options in the future.
  • The fact that you’ve shared a secret undermines your security culture. If it’s OK for you to share a password, one of your staff may think that is acceptable, and share one of theirs.
  • Sharing passwords may mean losing accountability for actions—if you don’t know who has logged in, you don’t know which of the people with access to the password carried out an action.
  • Sharing passwords may mean problems when someone leaves your company. Your security policies should cover terminating access to accounts—but if you don’t know who had access to what, this may result in confusion, and the risk of data compromise.

Sharing passwords should be the exception, not the rule. But if you absolutely must share access to an account, and are prepared to accept the risks, how can you provide access as needed—securely?

It may well be that with a little investigation, you can find a way to share access to the various tools and services that you use. Examples:

  • Password managers usually have a means of enabling a second person to use a password without knowing what that password is. If you are using a password manager, do explore the features available to you.
  • Email clients often have an option for ‘delegated access’ to enable staff to read and respond on your behalf.

People often say that they share passwords to support collaboration—so if you can, consider tools that support collaborative work. For example, if you can afford it, use a dedicated social media management platform that supports access for multiple users.

Just don’t write that password down and leave it out in the open.

Would you like more cyber security advice, or perhaps some help? Call the Click and Protect team on 0113 733 6230, or use our contact form.