TL;DR
Don’t store passwords in plain text! Use a password manager designed for teams or a secure notes app with strong encryption and access controls. Avoid spreadsheets or shared documents.
Why You Shouldn’t Share Passwords Directly
Sharing passwords directly (e.g., via email, chat) is incredibly risky. Anyone intercepting the message has access. Even worse, storing them in plain text on a network drive or spreadsheet means anyone with access to that location can see them.
Step-by-Step Guide: Secure Shared Password Storage
- Choose a Dedicated Solution: The best approach is using a password manager built for teams. Popular options include:
  - 1Password Business: A robust, well-regarded option with excellent security features.
  - LastPass Teams: Another popular choice offering similar functionality.
  - Bitwarden Teams: An open-source alternative that’s often more affordable.
  - Keeper Business: Offers a strong feature set and compliance options.
  These tools typically handle encryption, access control, and password generation for you.
- If a Password Manager Isn’t Feasible (Temporary Solution): If you absolutely can’t use a dedicated manager right now, consider a secure notes app with these features:
  - Strong Encryption: Look for apps that encrypt data both in transit and at rest.
  - Access Control: The ability to share specific notes (passwords) with only authorized users.
  - Two-Factor Authentication (2FA): Essential for all accounts, including the secure notes app itself.
  Examples include:
  - Standard Notes: Open source and end-to-end encrypted.
  - Proton Pass: From the makers of ProtonMail, focused on privacy.
- Set Up Access Control: Regardless of your chosen solution:
  - Least Privilege Principle: Grant users only the minimum access they need. Don’t give everyone admin rights if they just need to use a password.
  - Role-Based Access: If available, assign roles (e.g., ‘viewer’, ‘editor’) to control permissions effectively.
- Generate Strong Passwords: Use the built-in password generator in your chosen tool. Avoid easily guessable passwords.
  A typical strong password generated by these tools will be at least 12 characters long and include a mix of uppercase letters, lowercase letters, numbers, and symbols.
- Regularly Review Access: Periodically check who has access to shared passwords. Remove access for users who no longer need it.
  - Audit Logs: Check the audit logs (if available) to see who accessed what passwords and when.
- Enable Two-Factor Authentication (2FA): This adds an extra layer of security, even if a password is compromised.
  - Authenticator App: Use an authenticator app like Google Authenticator or Authy instead of SMS-based 2FA.
- Educate Users: Train everyone on the importance of secure password practices and how to use the chosen solution correctly.
  - Phishing Awareness: Remind users about phishing attempts that try to steal passwords.
  - Password Reuse: Discourage reusing passwords across multiple accounts.
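The "Generate Strong Passwords" step above describes what a generated password looks like. The sketch below is an added example, not code from any of the tools listed, and shows one way to generate and check a password against that description (at least 12 characters, all four character classes) using the operating system's CSPRNG. The symbol set and the default length of 20 are assumptions.

```python
import secrets
import string

# Character classes named in the guide: uppercase, lowercase, numbers, symbols.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    # Assumed symbol set; adjust to what the target system accepts.
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
MIN_LENGTH = 12  # minimum length stated in the guide


def missing_classes(password):
    """Return the names of the character classes the password lacks."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def meets_policy(password):
    """True if the password is long enough and contains every class."""
    return len(password) >= MIN_LENGTH and not missing_classes(password)


def generate_password(length=20):
    """Generate a password from the OS CSPRNG that satisfies the policy.

    Candidates are drawn uniformly over the whole alphabet and rejected
    if a class is missing, so no position is biased toward any class.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_password())
    # Constructed samples showing what the check rejects and why.
    for sample in ("Summer2024", "correcthorsebatterystaple", "Tr0ub4dor&3xyz"):
        print(sample, meets_policy(sample), missing_classes(sample))
```

The `secrets` module is used instead of `random` because `random` is not suitable for generating credentials.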
What NOT To Do
- Spreadsheets: Never store passwords in spreadsheets (Excel, Google Sheets). They are easily accessible and unencrypted.
- Shared Documents: Avoid storing passwords in shared documents (Word, Text files).
- Plain Text Files: Don’t save passwords as plain text files on network drives or computers.
- Email/Chat: Never share passwords via email or instant messaging.

