Secure Password Sharing

TL;DR

Don’t email passwords! Use a password manager or secure sharing tool. Avoid reusing passwords and enforce strong, unique ones across your organisation.

How to Share Passwords Securely

  1. Stop Emailing Passwords: This is the biggest mistake. Emails are not secure and can be easily intercepted.
  2. Password Managers (Recommended): These tools create, store, and share passwords securely.
    • Popular Options: 1Password, LastPass, Bitwarden. Many offer business plans with team features.
    • How they work: Users have individual accounts, and admins can control access to shared passwords. Passwords are encrypted both in transit and at rest.
    • Example (LastPass): Share a folder with specific users who need access to certain website logins.
  3. Secure Sharing Tools: If a password manager isn’t feasible, use dedicated secure sharing tools.
    • Options: Keeper, NordPass (some offer limited free tiers).
    • Features: Secure notes, password generation, and controlled access.
  4. Temporary Access (Use with Caution): For short-term access, consider these methods.
    • SSH Keys: For server access, SSH keys are much more secure than passwords.
      ssh-keygen -t rsa -b 4096
    • Time-Limited Tokens: Some services allow generating temporary tokens with expiry dates.
  5. Password Policies (Essential): Enforce strong password practices.
    • Minimum Length: 12 characters or more is recommended.
    • Complexity: Require a mix of uppercase, lowercase, numbers, and symbols.
    • No Reuse: Prevent users from reusing old passwords. Many password managers can detect this.
    • Regular Changes: Encourage (or require) password updates every 90 days.
  6. Multi-Factor Authentication (MFA): Add an extra layer of security.
    • How it works: Requires a second verification method (e.g., code from an app, fingerprint scan) in addition to the password.
    • Enable MFA everywhere possible: Email accounts, cloud services, VPNs, etc.
  7. Educate Your Team: Train employees on secure password practices.
    • Phishing Awareness: Teach them to identify and avoid phishing attempts.
    • Password Manager Training: Show them how to use the chosen password manager effectively.
    • Reporting Procedures: Establish a clear process for reporting suspected security breaches.
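
The rules from step 5 written as a checker. This is an added example, not part of the original page; the function names, the PBKDF2 work factor and the sample passwords are assumptions constructed for illustration. The history holds salted hashes, so reuse detection never needs old passwords in plain text.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 12                # step 5: "12 characters or more"
MAX_AGE = timedelta(days=90)   # step 5: "updates every 90 days"
PBKDF2_ROUNDS = 600_000        # assumption: work factor chosen for this example

def digest_password(password, salt):
    # Salted, slow hash so the password history never holds plain text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def make_history_entry(password):
    """Return (salt, digest) to store when a password is set."""
    salt = os.urandom(16)
    return salt, digest_password(password, salt)

def policy_violations(password, history=()):
    """List every rule from the policy that the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    checks = [
        ("uppercase", str.isupper),
        ("lowercase", str.islower),
        ("number", str.isdigit),
        ("symbol", lambda c: not c.isalnum()),
    ]
    for name, matches in checks:
        if not any(matches(c) for c in password):
            problems.append("missing " + name)
    # Reuse check: re-hash the candidate with each stored salt and compare
    # in constant time.
    for salt, digest in history:
        if hmac.compare_digest(digest_password(password, salt), digest):
            problems.append("reused")
            break
    return problems

def is_expired(last_changed, now=None):
    """True once the password is older than MAX_AGE."""
    now = now or datetime.now(timezone.utc)
    return now - last_changed > MAX_AGE

if __name__ == "__main__":
    history = [make_history_entry("Old-Passw0rd-2023!")]   # constructed sample
    for candidate in ("password123", "Old-Passw0rd-2023!", "Tr1cky-Horse-Battery"):
        print(candidate, "->", policy_violations(candidate, history) or "ok")
```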

What NOT To Do

  • Don’t write passwords down on paper.
  • Don’t store passwords in plain text files.
  • Don’t use easily guessable passwords (e.g., ‘password123’, birthdays).
  • Don’t share passwords over instant messaging apps.