In certain situations, sharing an account username and password may seem unavoidable, such as in small businesses where per-user costs for software or services can be prohibitively expensive. While this practice comes with inherent risks, there are strategies and best practices that can be implemented to protect both the individual users and the organization as much as possible. This article will guide you through essential steps and measures to secure shared accounts effectively.
First, Make Sure You *Have* To Share!
Individuals with their own logins to various systems (i.e. having their own usernames and passwords) is *always* better than two or more people using the same account. The benefits of one account per person are:
- Better security.
- The opportunity to fine-grain the permissions/privileges that different users have.
- The opportunity to track who did want and when in a system.
- The opportunity to disable/delete that account if/when the individual moves on, without impacting other users.
Maybe you assumed that each additional user account incurs a cost, but in fact this is not the case? Check first!
Pros of Sharing Passwords
- Convenience: Sharing passwords can be convenient, especially among family members or close friends, to access shared services like streaming platforms, utilities, or shopping accounts.
- Cost Efficiency: It allows for cost-sharing of subscription services, making it more affordable for all parties involved.
- Collaboration: In a work setting, sharing passwords can facilitate collaboration on projects or tasks that require access to common tools or documents.
Cons of Sharing Passwords
- Security Risks: Sharing passwords increases the risk of unauthorized access. If one party’s device is compromised, it can lead to a security breach affecting all who share that password.
- Loss of Control: Once a password is shared, control over who else might have access is diminished. The more a password is shared, the harder it becomes to track who has access.
- Identity Theft: If personal accounts are accessed, identity theft can occur, affecting not just the individual whose password was shared but also potentially others linked to the compromised accounts.
- Potential for Misuse: Shared passwords can be misused, intentionally or unintentionally, leading to unauthorized transactions, changes to accounts, or exposure of sensitive information.
- Reputational Damage: For organizations, a security breach resulting from shared passwords can lead to reputational damage and loss of trust among clients or customers.
- Compliance Issues: For businesses, sharing passwords can violate policies or regulations, such as GDPR, HIPAA, or other privacy laws, potentially leading to legal and financial repercussions.
Best Practices for Secure Password Sharing
- Establish Clear Guidelines: Create a policy that outlines who has access, what they have access to, and the acceptable use of shared accounts. This ensures everyone is on the same page and understands their responsibilities.
- Use Strong, Unique Passwords: Even when sharing passwords, ensure they are strong (a mix of letters, numbers, and symbols) and unique to each account. This reduces the risk if one account is compromised. Often, and increasingly, software systems will require strong passwords.
- Implement Password Management Tools: Password managers can securely store and share passwords among users without revealing the actual passwords. They also enable you to change passwords easily and quickly distribute the new credentials to authorized users. Major players are: LastPass (Teams version), 1Password, Bitwarden, KeePass (local storage only, i.e.not cloud-based), Keeper and Dashlane.
- Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security. Ensure that all users who access the account have MFA enabled on their devices, making it more challenging for unauthorized users to gain access. Note that various 2FA (two factor authentication) / MFA methods exist, some which still permit account sharing, some which don’t.
- Limit Access: Only share passwords with individuals who absolutely need access. Regularly review who has access and adjust as necessary to minimize risk.
- Monitor Account Activity: Keep an eye on the account’s activity logs, if available. Unusual activity can be an early warning sign of a security breach.
- Regularly Change Passwords: Changing passwords periodically can help protect against unauthorized access from a previously shared password. Ensure all users are promptly informed of the new password.
- Educate Users: Make sure that all users understand the risks associated with sharing passwords and are aware of how to secure their devices and personal data.
Additional Considerations for Shared Account Security
- Legal and Compliance Risks: Understand the legal and compliance implications of sharing accounts in your jurisdiction or industry. Some software licenses or regulations may prohibit sharing credentials, and non-compliance could result in penalties.
- Plan for User Turnover: Have a process in place to change shared passwords and secure accounts whenever someone with access leaves the organization or no longer requires access.
- Use Shared Access Features When Available: Some services offer account-sharing features that provide individual logins under a single subscription, i.e. no additonal cost. Whenever possible, utilize these features to minimize risks.
Conclusion
While sharing usernames and passwords is not ideal due to the inherent security risks, there are circumstances where it might be necessary, particularly for small businesses looking to save on costs. By following the best practices outlined above, you can significantly reduce the risks associated with sharing passwords. It’s about finding the right balance between cost-saving measures and maintaining a strong security posture to protect your business and its data.