How to Manage Passwords in a Team

Hack Pacific, published in Altcademy
Mar 18, 2016, 4 min read

It has always been challenging to manage shared passwords in a team setting. This challenge gets tougher when you have hundreds of team members.

Different teams have different needs, but most teams cannot escape the common business operations. That means most teams need to manage websites, servers and many accounts with third-party services that multiple people on the team need to access.

Teams need best practices and a policy for managing many accounts on many services with many users. In our case at Hack Pacific, even with a team of 3, we are already sharing over 50 accounts for various services, from social media to servers.

We’ve heard stories in which the Twitter handle of a multinational company was hacked because the password was insecure, never changed and known by many people, including ex-employees. Therefore, we want to share our opinions on the best practices for managing passwords in both small and large teams.

6 Wrong Ways to Manage Passwords

Even after years of general education on using secure passwords, many people still manage passwords the wrong way.

Here are 6 major incorrect ways to manage your team passwords:

  1. Using easy-to-remember, insecure passwords, like ‘p455w0rd’
  2. Using the same insecure password for every service
  3. Never changing passwords when team members leave
  4. Storing passwords in a spreadsheet on a local shared drive, Dropbox or Google Spreadsheet
  5. Sharing passwords in a long email thread
  6. Sharing passwords via instant messages

5 Criteria for Team Password Management Solutions

There are 5 main criteria for managing team passwords.

1. Able to control different access levels for different users

If some of your team members only need to manage your business’s Twitter and Facebook, they shouldn’t have access to servers and databases. If one of your team members leaves, you should be able to revoke the corresponding access easily and immediately.

2. Enforce secure passwords in your team

A secure password looks like this: "pJgwVEPc2r9v3dFKeytmbskyB3qEQwss6YyiRfThj76j6b2CX7", because it’s generated by a computer. If you can remember all your passwords, you are probably doing it wrong. Although most services will lock you out after several consecutive wrong attempts, a short, memorable password increases the risk of being cracked by brute force, where a computer keeps guessing common passwords until it gets one right.

3. Ensure the password of each service is unique

If all your passwords are the same, and, for any reason, one of your passwords is leaked, all your services are exposed and in danger.

4. Avoid centralized storage of your passwords

Centralized storage means that a single point of access to that storage exposes all your information. Practically speaking, you should avoid it as much as possible.

5. Scalable and Usable

A good team password management solution should be easy to use and suitable for both small teams (> 1 person) and large teams (> 1,000 people).

The Best Way that We Know Of

There are many third-party services on the web to help you manage passwords within a team. We are not trying to advocate for any third-party services here. Based on first page results from Google search, there are TeamPassword, CommonKey, Dashlane, Meldium, Passpack, LastPass, SimpleSafe, Vaultier and many others.

The one we use at Hack Pacific is 1Password for Teams. Many companies are also happily using 1Password, including NASA. 1Password offers a solution that satisfies all our criteria.

Decentralized Storage and Security

1Password doesn’t have a centralized database to store all your passwords. Instead, it encrypts all the passwords and lets customers store the encrypted data on a) a local hard drive, b) Apple’s iCloud or c) Dropbox.

This insulates 1Password from the risk of holding customers’ passwords. The same setup also lets users sync passwords across multiple devices.

Different Access Level of Users

1Password allows you to invite different users to different teams. Each team has a different level of access to certain third-party services. Each team member can contribute by updating, adding or deleting passwords, allowing team members to collaboratively and securely manage passwords.

Instant Access Level Management

Access level of a user can be modified or revoked instantly. The best practice after revoking is to:

  1. Remove the user from the access group
  2. Reset all the passwords in that access group (yes, this is troublesome but necessary)

Since 1Password picks up the new passwords immediately, the remaining users in the team can easily log back into these services.
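The two-step revocation above, as an added example that is not part of the original post: it models access groups and their shared logins, removes the departing user from every group they belonged to, and returns which credentials must be rotated and which remaining members need the new value. Group and credential names are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class AccessGroup:
    """One access level: its members and the shared logins held in its vault."""
    name: str
    members: set
    credentials: set


def revoke_member(groups: list, user: str) -> dict:
    """Step 1: remove `user` from every group. Step 2: list every shared login
    the user could have seen, with the remaining members who need the new value.

    Returns {credential_name: set_of_remaining_members}."""
    to_rotate = {}
    for group in groups:
        if user not in group.members:
            continue
        group.members.discard(user)
        for cred in group.credentials:
            to_rotate.setdefault(cred, set()).update(group.members)
    return to_rotate


# Constructed sample: a social-media group and an infrastructure group.
SAMPLE_GROUPS = [
    AccessGroup("social", {"alice", "bob"}, {"twitter", "facebook"}),
    AccessGroup("infra", {"alice", "carol"}, {"prod-db", "ssh-bastion"}),
]

if __name__ == "__main__":
    plan = revoke_member(SAMPLE_GROUPS, "alice")
    for cred, who in sorted(plan.items()):
        print(f"rotate {cred}; notify {sorted(who) or 'nobody (group now empty)'}")
```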

Ease of Use

1Password has its mobile apps, desktop apps, web app, and Chrome extensions to help you manage your passwords. All passwords are synced across multiple devices.

With its Chrome extension, a secure password can be generated on the spot. Saving new passwords for the corresponding services is also well integrated with the browser.

tl;dr

There are better ways to manage passwords in a team. We hope that our opinions have helped you do it more efficiently.
