Sharing passwords in the workplace is a common practice. According to our Workplace Password Malpractice Report, 46% of employees in the U.S. share work-related passwords for accounts that are used by multiple co-workers. More than a third (34%) share passwords with co-workers on the same team, 32% share passwords with managers, and 19% share passwords with company executives.
However, password-sharing can be very risky if it's not done securely. A password that falls into the wrong hands can result in a ransomware attack, a data breach, or the organization being found out of compliance because unauthorized parties viewed protected data. Here are four rules to ensure that your organization is engaging in safe password-sharing.
1. Avoid shared passwords whenever possible
Password-sharing should be the exception, not the rule. Ideally, all employees should have their own, unique login credentials to every service and app, as this simplifies access control and enables IT admins to apply granular security policies on the user level. Avoid having employees share passwords to common resources unless it’s absolutely necessary.
2. If employees must share passwords, make sure it’s done safely
Sometimes, it's simply not realistic to give all employees a separate login to a shared resource. In these cases, security measures must be taken to ensure that passwords are shared securely and only with authorized parties. In many organizations, that's not happening. Our study found that 62% of U.S. employees have shared a work-related password over an unencrypted text message or email, which could be intercepted in transit and which also lingers in mailboxes, chat histories and backups long after it was sent.
In addition to causing security problems, sharing passwords through email or text messages is horribly inefficient. Emails and text messages get lost, leaving employees searching for lost passwords and submitting help desk tickets. If the organization needs to change the password, IT admins must individually notify every affected employee of the change. They also need to ensure every new hire is given the shared passwords they need to do their job.
The safest and most efficient way to have employees share passwords is to deploy an enterprise password management platform such as Keeper, which enables IT admins to set up shared folders for individual groups, such as job classifications or project teams, then grant individual users access to that folder.
Meanwhile, employees can easily access their shared passwords — and all of their other work-related passwords — by logging into their secure Keeper vault, which they can access from any device, running any operating system. They’ll never lose track of a password again, and if an IT admin changes a shared password, the change is reflected immediately in their Keeper vault.
3. Reset shared passwords whenever someone leaves the company
One of the most concerning findings from our report is that 32% of U.S. employees have accessed an online account belonging to a previous employer, indicating that many organizations do not disable accounts, or change shared passwords, when employees leave the company.
Regardless of the situation under which an employee leaves the company, IT admins should immediately disable all of that employee's individual accounts and reset every shared password the employee had access to, whether the access was granted directly or through membership in a team or group. This is another task that's greatly simplified when using an enterprise password management platform like Keeper. Keeper enables admins to disable accounts and reset shared passwords within minutes. Additionally, admins have the option to save a former employee's Keeper account for later transfer to their successor.
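Working out which shared passwords a departing employee could actually reach is the part of this step that organizations get wrong, because access is often granted to groups, and groups can be nested. The following is an added example, not Keeper's code or a Keeper API: it assumes a hypothetical export of the access model (group membership, with nested groups written as `grp:<name>`, and folder grants to users or groups) and computes the full rotation list for a departing user by following group membership transitively. All names and data are constructed.

```python
"""Compute which shared credentials must be rotated when an employee leaves.

Added example, not Keeper's code. Assumes a hypothetical export of the
organisation's access model: users belong to groups (groups may nest), and
shared folders are granted to users or to groups. Everything the departing
user could reach, directly or through any chain of groups, must be rotated.
"""
from collections import deque

# Constructed sample data (hypothetical tenant, not real accounts).
# A member written "grp:<name>" is a nested group rather than a user.
GROUP_MEMBERS = {
    "eng": {"alice", "bob", "grp:eng-leads"},
    "eng-leads": {"carol"},
    "finance": {"dave"},
    "all-staff": {"grp:eng", "grp:finance"},
}

# Shared folder -> principals (users or "grp:<name>") granted access.
FOLDER_GRANTS = {
    "aws-root": {"grp:eng-leads"},
    "ci-deploy": {"grp:eng"},
    "payroll-portal": {"grp:finance", "alice"},
    "wifi-guest": {"grp:all-staff"},
}

# Shared folder -> credential records stored in it.
FOLDER_RECORDS = {
    "aws-root": ["aws-root-account"],
    "ci-deploy": ["jenkins-admin", "dockerhub-bot"],
    "payroll-portal": ["adp-login"],
    "wifi-guest": ["guest-ssid-psk"],
}


def groups_of(user, group_members):
    """Every group the user belongs to, following nested groups upward (BFS)."""
    found = set()
    queue = deque(g for g, members in group_members.items() if user in members)
    while queue:
        g = queue.popleft()
        if g in found:
            continue  # guards against membership cycles in the export
        found.add(g)
        # Any group that lists "grp:<g>" as a member is a parent of g.
        queue.extend(p for p, members in group_members.items()
                     if f"grp:{g}" in members)
    return found


def folders_for(user, group_members, folder_grants):
    """Shared folders reachable by the user directly or via any of their groups."""
    principals = {user} | {f"grp:{g}" for g in groups_of(user, group_members)}
    return {f for f, grants in folder_grants.items() if grants & principals}


def rotation_list(user, group_members=GROUP_MEMBERS,
                  folder_grants=FOLDER_GRANTS, folder_records=FOLDER_RECORDS):
    """Sorted list of credential records to reset when `user` leaves."""
    records = set()
    for folder in folders_for(user, group_members, folder_grants):
        records.update(folder_records.get(folder, []))
    return sorted(records)


if __name__ == "__main__":
    for leaver in ("carol", "alice", "dave"):
        print(leaver, "->", rotation_list(leaver))
```

Note that `carol` is only a direct member of `eng-leads`, yet the rotation list also includes the `ci-deploy` and `wifi-guest` records because `eng-leads` nests inside `eng`, which nests inside `all-staff`. Offboarding checklists that only look at direct grants miss exactly these.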
4. Don’t skimp on security measures for shared passwords
Shared passwords should follow the same security rules as all other organizational passwords.
- Passwords must be strong: a random string of uppercase and lowercase letters, numerals, and special characters, at least eight characters long and preferably much longer, with no dictionary words. Let the password manager generate the string rather than having an employee invent one; people-chosen passwords are rarely random.
- Never reuse passwords across accounts. Give every shared account a unique password.
- Enable multi-factor authentication (MFA, often called 2FA) on all accounts that support it. Even a strong, unique password can end up compromised, but with a second factor in place, cybercriminals won't be able to access the account with the password alone. For a shared account the second factor must also be available to every authorized user, so it cannot be tied to one person's phone; keep it alongside the shared password in the same access-controlled record.
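To make the three rules above concrete, here is an added example (not Keeper's code or any product's API) that generates a shared-account password with Python's `secrets` module and checks a candidate against the policy: minimum length, all four character classes, no dictionary words, and no reuse across accounts. The minimum length of 16, the special-character set, and the tiny dictionary are assumptions chosen for the example; the page's floor is eight characters, and a real deployment would check against a full word list and a breached-password set. The reuse check compares hashes so the checker never needs other accounts' plaintext passwords.

```python
"""Generate and validate shared-account passwords against the policy above.

Added example, not Keeper's code. Assumptions: a 16-character minimum
(stricter than the page's eight), this special-character set, and a
constructed stand-in dictionary.
"""
import hashlib
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"        # assumed set; match the target system's rules
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL

# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY = sorted({"password", "summer", "welcome", "admin", "keeper", "company"})


def fingerprint(password):
    """Hash used only to detect reuse between accounts, never for storage.
    (Credential storage belongs in the vault's encryption, not here.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_policy(password, used_fingerprints=frozenset(), min_length=16):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in (("lowercase", LOWER), ("uppercase", UPPER),
                        ("digit", DIGITS), ("special", SPECIAL)):
        if not any(c in chars for c in password):
            problems.append(f"no {name} character")
    lowered = password.lower()
    for word in DICTIONARY:
        if len(word) >= 4 and word in lowered:   # "Summer2024!" still contains "summer"
            problems.append(f"contains dictionary word '{word}'")
    if fingerprint(password) in used_fingerprints:
        problems.append("already used by another account")
    return problems


def generate(length=20):
    """Draw from a CSPRNG and reject any candidate that fails the policy,
    so the returned string is guaranteed to contain every character class."""
    if length < 16:
        raise ValueError("length must be at least 16 for this policy")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate):
            return candidate


if __name__ == "__main__":
    existing = {fingerprint("Summer2024!")}          # fingerprints of other accounts
    print(check_policy("Summer2024!", existing))
    new_pw = generate()
    print(new_pw, check_policy(new_pw, existing))
```

Rejection sampling is the simplest way to satisfy "every class present" without biasing the output; with a 20-character string drawn from 86 symbols, most candidates pass on the first try, and the loop never returns a password that it would itself reject.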
Keeper’s zero-knowledge, enterprise-grade password security and encryption platform gives IT administrators complete visibility into employee password practices, enabling them to monitor adoption of password requirements and enforce password security policies organization-wide, including strong, unique passwords and multi-factor authentication (2FA). Keeper takes only minutes to deploy, requires minimal ongoing management, and scales to meet the needs of any size organization.