Is it ever a good idea to share office passwords?

At first glance the answer is obvious. No, of course we should never share our passwords, why would we? 

I agree and yet, here’s an oddity: we often encounter small companies where password sharing is common. It may not be obvious at first but with a little digging the practice turns out to be the norm. 

In fact, anecdotally, I would say offices in which some degree of password sharing goes on are more common than those that absolutely ban it.

Why password sharing is not a good idea

Before looking at why password sharing happens, it’s worth taking a moment to consider why it’s such a bad idea. 

Your password is your virtual office key. Together with your login name, it gives you access to those parts of your office IT system that you’re entitled to access. 

It is usually the case, at a minimum, that management, finance and operational staff have different access rights. Sometimes, operational staff may also be divided by project or department. There is only one way of controlling these access rights and that is by issuing passwords with the assumption that they’ll be kept secret — i.e. uniquely tied to the users to whom they are issued. 

Users can change their own passwords and basic good security practice is that no one, including the IT department, should know your password and no one should ever ask you for it. Without this basic good practice, we lose that crucial link between named individuals and their system access rights. In an office in which password secrecy is not sacrosanct there is no reliable audit trail of who did what on the system and everybody has a watertight shield of deniability – someone else must have used my password.

Why it’s a terrible idea

Without password secrecy as a rock-solid, unbreachable policy, any idea of network security is meaningless.

But there is a more subtle psychological issue at stake here too. 

Let’s say someone asked you to share your social media or bank login credentials. Would you do it? Probably not. That’s because there’s something important to you at stake – i.e. your reputation or your bank balance.

Now, even if you run a truly hierarchy-free company with absolutely no differences in access rights, if you allow or encourage your users to be casual about sharing their system passwords you’re making the statement that there’s nothing on your IT system worth protecting. 

So if you then try to convince your staff that you care about business security they’re simply not going to believe you. Bear in mind that employees are your first, and sometimes only, line of defence against the various cyber fraudsters out there looking to relieve your company of money. 

To put it another way: If your staff think you don’t care about security, they won’t either.

Why we do it anyway

OK, there’s nothing controversial there, we all know we shouldn’t share our passwords. So why is it such common practice? Here are a few reasons we come across and some ideas about how to tackle them:

Senior people

Senior people: amongst the worst offenders and the biggest risk to the company. 

Directors, owners and senior managers often have responsibilities that still need to be discharged when they’re not in the office. For this reason, they commonly share their passwords with their assistants and fellow senior managers. 

If it is common knowledge that the MD’s assistant or office manager knows his or her password, then you can forget about convincing others that they shouldn’t share theirs. 

The answer here is to analyse what these special responsibilities are and ensure that senior people have the necessary equipment to discharge them using mobile devices. Here’s a great example of security awareness and seniority not fitting well together.

Holidays and sickness

Holiday and sickness cover: if somebody, e.g. a salesperson, is away on holiday or off sick, somebody else needs to be able to log on to their computer to check their emails or other files. 

It is beyond the scope of a short article to explain the configuration steps, but it is straightforward for your IT to configure permissions in such a way that these eventualities can be covered without throwing security out the window.

The all-seeing eye

The all-seeing eye or just in case: based on negative experiences with other companies, office managers are sometimes convinced that the only way to make sure they are in control is to maintain a list of all user passwords. This is a terrible idea both because users don’t tend to keep the office manager updated when they change their passwords and because, for obvious reasons, security is weakened by keeping an accessible (even if not easily) list of commonly used passwords on your network (or in your desk drawer). 

As above, IT can easily configure your system to cover your access to data when people leave, or other unforeseen events occur.

One simple question

There are plenty of other reasons, all equally unnecessary. If you are in the position of trying to end password sharing in your company a good way to tackle it is as follows:

  • Ask the question, “what precise problem are we solving by sharing this password?”
  • The only answer that’s not allowed is that there’s no precise problem and you’re sharing it “just in case”
  • Once you have identified the problem, before agreeing to share the password, ask IT if there is any other way of solving the problem.

There always is. And if they don’t have a solution you can always ask me. In fact, I would welcome the challenge of a password sharing scenario to which I couldn’t come up with a secure solution.

Other passwords

For the purpose of this article, I have only been looking at the passwords used to access office systems. There can still be a need to share passwords for online systems where, for example, you need to give credit card details for each user on the system and you only need one, e.g. for a domain registration. In a case like this it remains a terrible idea to keep a list of usernames and passwords. Instead, use a multi-user password manager such as LastPass.

Starting point

If you are looking for a place to start in tackling information security and anybody in your office shares their password as a matter of common practice, I hope this article has given you your starting point. 

And, remember, if you find a scenario that hasn’t been addressed here or can’t be solved by your IT people, I would welcome the challenge.

You can always get in touch with us here.

Useful links

Microsoft Blog – Your Pa$$word doesn’t matter
Focusing on password rules, rather than things that can really help – like multi-factor authentication (MFA), or great threat detection – is just a distraction.
