How to keep track of all those @#$#% passwords (and future-proof access when projects change hands)

If there's one single problem across every client I've worked with in the last 20 years, it's how to keep track of passwords. There are so many passwords! Your website login, social media access, domain registration, hosting dashboard, software licenses, email accounts, the list is endless. How do you keep track of it all AND not rely on one person who may or may not be around AND not have weak passwords?

You either have one go-to person who seems to know everything about everything, or each login belongs to the person who originally set it up. But what happens if that one person goes on vacation or retires? What happens when your domain registration was set up by a volunteer three years ago, and no one knows where that person is anymore?

These are the problems I've seen come up when those logins are nowhere to be found:

  • Your website goes down and you need help from your web hosting company. They can't help you unless you can verify your account with a PIN number. Who has that number?
  • Your domain expires because the credit card on file is no longer valid. Now, both your email and your website are offline. How (and where?) do you log in to update the payment info?
  • You haven't used your social media accounts since so-and-so got a new job. Now you want to start posting to Twitter and Instagram again. What's the login?
  • Your staff has changed since your website was built, and you have no idea who to contact to get access. You can get a new web person, but you have no clue how to find the login info they need to work on your site. Now what?
  • Google Analytics is set up on your site, but no one knows who set it up and which email was used to log in. How do you get access?

These are all real situations that we've encountered with our clients. Some of them were never solved, and we had to start over with a new account. Some of them we were able to follow a cookie crumb trail to get access, but it took many, many days (sometimes weeks) to finally get in.

At best, it's very frustrating, and at worst it can be outright damaging to your organization. What if a disgruntled former employee decides to use your Twitter account to post inappropriate stuff? What if your website goes down during a fundraising campaign? What if you lose your domain name that you've had for decades?

How to keep track of your passwords

Disclaimer: My advice here is coming from the point of view of someone who logs in and out of accounts all day long, manages hundreds of passwords, and has personal experience problem-solving with small organizations who have good intentions but no reliable system. If you're an IT security professional, you may advise that some of these recommendations are imperfect, and I would agree. On a practical level, an imperfect system you can stick with is far better than a perfect system that isn't used at all.

For my clients and others in similar organizations, I want you to be able to keep track of your accounts in whatever system works best for you, in a way that is reliable, secure, and usable.

What NOT to do:

  • Do not use simple passwords because they're easier to remember
  • Do not use the same password on multiple accounts
  • Do not share logins and passwords on accounts that allow multiple users.
  • Do not use personal email addresses for logins (e.g. orgname@gmail.com or yourname@comcast.net)
  • Do not have all passwords dependent on one person to access them

Do this instead:

  • Use strong, unique passwords on every account
  • Give each person their own login whenever possible
  • Always use business/organizational emails for usernames (e.g. yourname@yourorganization.com)
  • Give key people access as a backup, or use a team email
  • Add a team email that can be used for a password reset if needed
  • Have an internal system to track login usernames and emails (without a password, all you need is access to the email where a reset can be sent)

Use organizational emails, NOT personal emails

  • All logins should use organizational emails @yourorganization.org. Never use personal emails, no matter whether it's a founder, board member, volunteer, or web designer. Don't have organizational emails? It's time to set that up. It can be a simple email forward, and doesn't need to be a separate inbox.
  • Create an email that can be used for verification codes. This might be marketing@yourorg.org, IT@yourorg.org, webadmin@yourorg.org. These should go to your office manager, project manager, marketing director, web team, or whoever else makes sense.
  • For accounts that allow it, add collaborators or additional users instead of everyone using the same login and password

Better yet, use a password manager

You need a good password. Period. One that is not a dictionary word or someone's name. You need a different password for EVERY website or account you log into. Why? Because if you have a login for your grocery store, and their user data gets compromised, some bots out there have your username, email, and password. If you use the same login across all your accounts, those people now have your bank login, your credit card login, the login for your patient portal, your kids' school account.

Don't believe me? Check your email here: Check if your email or phone is in a data breach

But it's a huge pain to keep track of complicated passwords for every.single.frickin.website you log into. Who can remember all those? No one can. That's why you need a password manager.

The one I use is 1Password. It allows me to have passwords like cqw*DEG6eqc9jhk7zpm for every site I log in to. That one was just autogenerated with a click of a button on my 1Password (and is not one of my passwords, btw). Do I remember my passwords? Nope. Do I know what a single one of my passwords is? Nope. Do I have a super secure password FOR 1Password? Absolutely.

The other perk of a password manager is that it will notify you if there is a problem with your password. For example, if it's too weak, has been reused in other places, or has been part of a breach.
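To make the "do not" list above and the weak/reused warnings concrete, here is a small audit script added to this post (not 1Password's code, and not part of the original article). It runs over a constructed login inventory, flags weak and reused passwords and logins on personal email addresses, and generates a replacement password from a cryptographically secure random source the way a password manager does. The organisation domain, the tiny word list and the sample accounts are all assumptions for the example.

```python
import re
import secrets
import string
from collections import defaultdict

ORG_DOMAIN = "yourorganization.org"  # assumed organisation domain
# Tiny constructed word list; a real check would use a full dictionary
COMMON_WORDS = {"password", "welcome", "login", "admin", "summer"}

# Constructed inventory for the example: (account, login, password)
INVENTORY = [
    ("website admin", "jane@yourorganization.org", "cqw*DEG6eqc9jhk7zpm"),
    ("domain registrar", "volunteer22@gmail.com", "123login"),
    ("twitter", "marketing@yourorganization.org", "Welcome2019!!"),
    ("hosting dashboard", "jane@yourorganization.org", "Welcome2019!!"),
]

def is_weak(pw):
    """Flag short passwords and passwords built on a common word plus digits/symbols."""
    if len(pw) < 12:
        return True
    core = re.sub(r"[^a-z]", "", pw.lower())
    return core in COMMON_WORDS

def is_personal_email(login):
    """True when the login is an email address outside the organisation's domain."""
    return "@" in login and not login.lower().endswith("@" + ORG_DOMAIN)

def audit(inventory):
    """Return (account, issue) findings mirroring the post's checklist."""
    findings = []
    by_password = defaultdict(list)
    for account, login, pw in inventory:
        by_password[pw].append(account)
        if is_weak(pw):
            findings.append((account, "weak password"))
        if is_personal_email(login):
            findings.append((account, "personal email login"))
    for accounts in by_password.values():
        if len(accounts) > 1:  # same password on more than one account
            for account in accounts:
                others = ", ".join(a for a in accounts if a != account)
                findings.append((account, "password reused on " + others))
    return findings

def generate_password(length=20):
    """Random password from the OS CSPRNG, like a manager's generate button."""
    alphabet = string.ascii_letters + string.digits + "!*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for account, issue in audit(INVENTORY):
        print(f"{account}: {issue}")
    print("replacement:", generate_password())
```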

For businesses and organizations, I'd recommend signing up for a team account, which allows you to share passwords with different groups of people. For example, I have two folders in my account, one with passwords I share with my team, and a separate one for passwords only I have access to.

It's important. Make it a priority.

For someone who is a designer, I seem to spend a lot of time harping on secure passwords. There's good reason for it. Most of the time wasted by me and my team is spent trying to log into accounts where clients don't know their passwords. The other wasted time is if a site is compromised due to weak passwords. We have a lot of security measures in place, but there is only so much you can do if someone leaves the doors open with a password like 123login.

Need help or advice on the best way to handle your team's logins so that you don't lose access or can still share accounts? Comment below or drop me a message and I can either offer some advice or point you to some resources that will help.

Sign up for 1password