Is it ever a good idea to share office passwords?

At first glance the answer is obvious. No, of course we should never share our passwords. Why would we?

I agree and yet, here’s an oddity: we often encounter small companies where password sharing is common. It may not be obvious at first but with a little digging the practice turns out to be the norm. 

In fact, anecdotally, I would say offices in which some degree of password sharing goes on are more common than those that absolutely ban it.

Why password sharing is not a good idea

Before looking at why password sharing happens, it’s worth taking a moment to consider why it’s such a bad idea. 

Your password is your virtual office key. Together with your login name, it gives you access to those parts of your office IT system that you’re entitled to access. 

It is usually the case, at a minimum, that management, finance and operational staff have different access rights. Sometimes, operational staff may also be divided by project or department. There is only one way of controlling these access rights and that is by issuing passwords with the assumption that they’ll be kept secret — i.e. uniquely tied to the users to whom they are issued. 

Users can change their own passwords and basic good security practice is that no one, including the IT department, should know your password and no one should ever ask you for it. Without this basic good practice, we lose that crucial link between named individuals and their system access rights. In an office in which password secrecy is not sacrosanct there is no reliable audit trail of who did what on the system and everybody has a watertight shield of deniability – someone else must have used my password.

Why it’s a terrible idea

Without password secrecy as a rock-solid, unbreachable policy, any idea of network security is meaningless.

But there is a more subtle psychological issue at stake here too. 

Let’s say someone asked you to share your social media or bank login credentials. Would you do it? Probably not. That’s because there’s something important to you at stake – i.e. your reputation or your bank balance.

Now, even if you run a truly hierarchy-free company with absolutely no differences in access rights, if you allow or encourage your users to be casual about sharing their system passwords you’re making the statement that there’s nothing on your IT system worth protecting. 

So if you then try to convince your staff that you care about business security they’re simply not going to believe you. Bear in mind that employees are your first, and sometimes only, line of defence against the various cyber fraudsters out there looking to relieve your company of money. 

To put it another way: If your staff think you don’t care about security, they won’t either.

Why we do it anyway

OK, there’s nothing controversial there, we all know we shouldn’t share our passwords. So why is it such common practice? Here are a few reasons we come across and some ideas about how to tackle them:

Senior people

Senior people: amongst the worst offenders and the biggest risk to the company. 

Directors, owners and senior managers often have responsibilities that still need to be discharged when they’re not in the office. For this reason, they commonly share their passwords with their assistants and fellow senior managers. 

If it is common knowledge that the MD’s assistant or office manager knows his or her password, then you can forget about convincing others that they shouldn’t share theirs. 

The answer here is to analyse what these special responsibilities are and ensure that senior people have the necessary equipment to discharge them using mobile devices. Here’s a great example of security awareness and seniority not fitting well together.

Holidays and sickness

Holiday and sickness cover: if somebody, e.g. a salesperson, is away on holiday or off sick somebody else needs to be able to log on to their computer to check their emails or other files. 

It is beyond the scope of a short article to explain the configuration steps, but it is straightforward for your IT team to configure permissions in such a way that these eventualities can be covered without throwing security out the window.

The all-seeing eye

The all-seeing eye or just in case: based on negative experiences with other companies, office managers are sometimes convinced that the only way to make sure they are in control is to maintain a list of all user passwords. This is a terrible idea both because users don’t tend to keep the office manager updated when they change their passwords and because, for obvious reasons, security is weakened by keeping an accessible (even if not easily) list of commonly used passwords on your network (or in your desk drawer). 

As above, IT can easily configure your system to cover your access to data when people leave, or other unforeseen events occur.

One simple question

There are plenty of other reasons, all equally unnecessary. If you are in the position of trying to end password sharing in your company a good way to tackle it is as follows:

  • Ask the question, “what precise problem are we solving by sharing this password?”
  • The only answer that’s not allowed is that there’s no precise problem and you’re sharing it “just in case”.
  • Once you have identified the problem, before agreeing to share the password, ask IT if there is any other way of solving the problem.

There always is. And if they don’t have a solution you can always ask me. In fact, I would welcome the challenge of a password sharing scenario to which I couldn’t come up with a secure solution.

Other passwords

For the purpose of this article, I have only been looking at the passwords used to access office systems. There can still be a need to share passwords for online systems where, for example, you need to give credit card details for each user on the system and you only need one, e.g. for a domain registration. In a case like this it remains a terrible idea to keep a list of usernames and passwords. Instead, use a multi-user password manager such as LastPass.

Starting point

If you are looking for a place to start in tackling information security and anybody in your office shares their password as a matter of common practice, I hope this article has given you your starting point. 

And, remember, if you find a scenario that hasn’t been addressed here or can’t be solved by your IT people, I would welcome the challenge.

You can always get in touch with us here.

Useful links

Microsoft Blog – Your Pa$$word doesn’t matter
Focusing on password rules, rather than things that can really help – like multi-factor authentication (MFA), or great threat detection – is just a distraction.
