
Cyber security awareness: Safely sharing passwords in organisations

Our passwords do a lot of hard work for us. In simple terms, a password is a combination of characters, numbers, and symbols that protect our systems and accounts — and in turn, also protect the most valuable data we keep in our organisations.


Whether we work in small businesses or large enterprises, we all have one thing in common — we handle and store data that we need to keep safe. It’s the main reason we use passwords. But as you may have noticed, password leaks and account takeovers are now the major causes of data breaches across the world.

If you’ve been following standard cyber security practices in your organisation, you’ll know passwords should be unique and contain around 16 characters with upper and lowercase letters, numbers, and special characters. If you haven’t been following these guidelines — now’s a great time to start!

“Don’t share your password with anyone” is a fairly common piece of cyber security advice, and it makes a lot of sense, especially for things like your login details to your work system, email, or personal bank account.

Realistically though, organisations do need to share account access between colleagues and teams. Think of things like your company’s social media accounts, bank accounts, and other online applications, services, and subscriptions. While account sharing is more common for small businesses, it’s sometimes necessary for larger organisations, too. The challenge is doing it safely and securely.

Why should we care about sharing passwords safely?

A 2020 audit showed there are more than 15 billion stolen sets of login details (pairs of usernames and passwords) from over 100,000 data breaches doing the rounds of the dark web. That’s equivalent to two sets for every person living on Earth. Those stolen credentials give attackers access to social media accounts, online banking, financial technology tools, accounting and marketing software, email platforms, and much more.

Global cyber security provider IT Governance does a monthly roundup where they attempt to calculate the total number of records lost through data breaches and cyber-attacks. In March 2021, they recorded over 20 million lost records of data over 151 published incidents. The following month was even busier with over 1 billion records lost over 143 incidents.

As high-tech or sophisticated as our working environments and tools may get, we’re all still humans — and humans are creatures of habit. We trust our colleagues, so we often openly share personal information and passwords: on sticky notes, in collaborative online files, or through channels like Slack, Teams, and email.

The thing is, even the strongest of passwords can land you in hot water if you need to share it and you don’t have a safe way of doing so.

So what are the options?

How to share passwords safely

Different organisations have different processes depending on their size, industry, and what they do.

While there’s no magic tool that works perfectly for everyone, there is a decision-making process you can put in place to share passwords safely, no matter what your organisation’s specific situation is.

We’ll go through that process in detail soon, but first, let’s consider the following.

  • Using individual accounts rather than ones you share with others is a more secure option, so aim to do this wherever you can.
  • If your organisation has a Single Sign-On solution, use this instead of setting a new, individual password for each account. A Single Sign-On solution lets you use just one set of login details to access multiple platforms. A common example you might have come across is being able to log in to Slack or Zoom with your Google login details.
  • If you have an IT support team, always check with them before sharing passwords — they may already have a process you can follow.

If there isn’t an existing process to follow and you definitely need to share a password, there are some simple ways to make the process safer for everyone.

When you’re sharing a password, it’s important to not leave it anywhere it could be found by someone other than the person you’re sharing it with — for example, in a text message or email that others could see.

Here are some options for making sure that doesn’t happen.

  • Use a communications channel that’s different to how you usually communicate at work — so if you mostly use email, share the password via text message, or by calling or talking to the person face to face. This is so you’re not putting all your eggs in one basket — even if your communications are intercepted on one channel, everything isn’t put at risk. If you use a digital channel, delete the message (both at the sender and receiver’s ends) once you’ve shared the password, so it’s not in anyone’s communications history.
  • Use your password manager’s built-in sharing features. 
  • You might also consider using secret links that get erased once they’re accessed or disappearing messages that delete after a short period of time.
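To show what "erased once they're accessed" means in practice, here is a small added example (not from the original post or from any particular product) of a one-time secret store with an expiry time. The class name, the `secrets.example` link format and the sample password are assumptions for illustration, and the secret is held unencrypted in memory to keep the sketch short.

```python
import hashlib
import secrets
import time


class OneTimeSecretStore:
    """In-memory store where each secret can be read once and expires after a TTL."""

    def __init__(self, ttl_seconds=600, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock   # injectable so expiry can be tested
        self._items = {}      # sha256(token) -> (secret, expires_at)

    @staticmethod
    def _key(token):
        # Only a hash of the token is kept, so a dump of the store
        # does not reveal working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def put(self, secret):
        """Store a secret and return the unguessable token that goes in the link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._items[self._key(token)] = (secret, self._clock() + self._ttl)
        return token

    def take(self, token):
        """Return the secret once; None if the token is unknown, used or expired."""
        # pop() removes the entry before anything is returned, so a second
        # request with the same token can never succeed.
        entry = self._items.pop(self._key(token), None)
        if entry is None:
            return None
        secret, expires_at = entry
        if self._clock() >= expires_at:
            return None
        return secret


if __name__ == "__main__":
    store = OneTimeSecretStore(ttl_seconds=600)
    token = store.put("constructed-example-password")  # constructed sample value
    print("https://secrets.example/s/" + token)        # hypothetical link format
    print(store.take(token))  # first open: the password
    print(store.take(token))  # second open: None, already erased
```

If the intended recipient opens the link and finds it already used, someone or something else got there first, so treat the password as exposed and change it.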

Another common scenario for password sharing is when you’ve set up a new account for someone else to use, and you won’t need to know what the password is in future. In this case, check if the platform has any options where you can require that the password needs to be changed when the next person logs in.

Your password sharing plan

Now that we’ve covered the basics, let’s make an action plan for sharing passwords.

First of all, we need to work out what type of password you need to share. There are two main types.

  • Unique: Intended for individual use and linked to an individual’s email address. For example, an individual’s password for an online tool like Canva or Trello.
  • Non-unique: Intended for team use and linked to a shared email address. For example, a password shared by a marketing team for a company social media account.

If the password is unique and you need to share it, follow these guidelines.

  • Password managers make our lives easier by offering password generation, storage, and sharing functions. 
    • If your organisation already has a password manager, use its sharing function to share the password.
    • If not, share these details as described above, using a communications channel that’s different to how you usually communicate at work. If you use a digital channel, delete the message (both at the sender and receiver’s ends) once you’ve shared the password, so it’s not in anyone’s communications history.
  • Once the person has logged in, get them to change the password.
  • Make sure the new password they choose is:
    • Unique: not used for any of their other accounts
    • Long: at least 16 characters
    • Complex: using a combination of upper and lowercase letters, numbers, and special characters
    • Or better yet, have them set up an auto-generated password in their password manager, which handles all the heavy lifting of making sure the password is secure.
  • If possible, get them to also set up two-factor or multi-factor authentication.
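The "long" and "complex" rules above can be checked and generated automatically. This is an added example, not code from the original post: the function names and the set of special characters are assumptions, and uniqueness is not covered because it cannot be judged from the password alone.

```python
import secrets
import string

MIN_LENGTH = 16  # "Long: at least 16 characters" from the guidelines above
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"  # assumed symbol set; sites differ in what they accept
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "number": string.digits,
    "special": SPECIALS,
}


def policy_failures(password):
    """Return the guideline rules the password breaks (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("long")
    missing = [name for name, chars in CLASSES.items()
               if not any(c in chars for c in password)]
    if missing:
        failures.append("complex: missing " + ", ".join(missing))
    return failures


def generate_password(length=20):
    """Generate a random password that satisfies the length and complexity rules."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    while True:
        # secrets draws from the OS CSPRNG; the random module is not
        # suitable for passwords because its output is predictable.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retrying until every class is present keeps the choice uniform
        # over all compliant passwords instead of forcing fixed positions.
        if not policy_failures(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_password())
    print(policy_failures("Summer2021!"))  # constructed weak example
```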

Diagram of how to share unique passwords in an organisation

If the password is non-unique, follow the instructions below.

  • Check the shared email address linked to the account, and make sure people on the team have access to it. This is so that if you need to reset the password at any point, you can access the inbox and get the password reset email.
  • Make sure the password for the account is unique, long, and complex.
  • Check if your organisation uses a password manager:
    • If yes, use its sharing function to share the password. 
    • If not, share these details as described above, using a communications channel that’s different to how you usually communicate at work. If you use a digital channel, delete the message (both at the sender and receiver’s ends) once you’ve shared the password, so it’s not in anyone’s communications history.
  • If possible, set up two-factor or multi-factor authentication on this account. This might be tricky to do as your account is shared, but we still recommend adding it as an extra layer of protection. Password managers often have this feature built into them.

Diagram of how to share non-unique passwords in an organisation

Ready to learn more about cyber security?

At SafeStack Academy we believe we can all create safer workplaces. By making basic cyber security practices — like secure password sharing — an everyday element of your organisation, you’ll be in a much better position to protect the data and information you work with.

It’s never too early or too late to learn more about cyber security. Grab a free 14-day trial to see how our Security Awareness training programme can help build the skills your team needs to stay safe online.

We love to hear from you

If you enjoyed reading this blog post or if something sparked an interest, please share it with us. Drop us a line at support@safestack.io and let us know what you think.