Step 3: Provide a Password Manager to Your Team

From Security for Everyone, edition e1.0.0, updated October 9, 2023

Password managers are a handy tool you are already familiar with since you use one for your personal life (especially after reading and going through Part I). You probably already store the password you use for your business in your personal password manager because that is the safest thing to do. Great!

Password managers aren’t specific to email, but while we are on the topic of shared and individual email accounts, it is an important elephant in the room to address: how will my employees create and store their passwords?

We can remove any thinking about “unique and strong passwords” by using a password manager to auto-generate a strong one for you. We can also remove any thinking about “safe storage” by storing them in a password database that is protected by layers of security. All we need to memorize (to access all our passwords) is one master password.

But what makes a business password manager different? Should you use the same password manager for your business as you do for your personal life? What about your employees? Do they really need one? These are all valid questions, and they can be settled with some upfront thinking now:

  1. Do your employees need to access any applications or emails that have a single, shared account?

  2. Do your employees have an individual email account they need to access?

  3. Do your employees have their own individual online applications or systems they need to access?

If the answer to (1) is yes, you need a password manager for your team to share the password. This is the safest way to protect that password, so that it isn’t lost or stored in the open, such as on a Post-it Note under the keyboard of the office computer. (Sorry, that might have felt too real!)

If the answer to (1) is no and both (2) and (3) are yes, you need a password manager.

If the answer is yes for only one of (2) or (3), let’s flex some security risk thinking with a short exercise:

  • What would happen if their account was accessed by someone else? What is the worst that could happen with that access?

  • How would I know if their account was accessed by someone else? Would it just go unnoticed until something bad happened?

If the “worst-case scenario” makes you nervous, give your team and yourself the tools needed to avoid that situation:

  • If your employees only have access to an online system where they record their timesheets or clock-ins/clock-outs (and there is no other sensitive information), you probably don’t need a password manager.

  • If your employees have access to online systems where all your suppliers, customers, and order details are stored, a password manager is a good idea.

  • If your employees have access to the shared email you use to communicate with all your customers, or if they have access to your social media accounts (which are usually shared accounts), a password manager is a required tool.

If ever in doubt on which side of the “do I, don’t I” risk thinking you are, opt for peace of mind and go with the additional security. If your business is growing, it will be a part of your organization eventually, and it would be good to practice and promote that good security culture now.

How to Pick Your Business Password Manager

Password managers often provide their products under the banner of “personal or family use” or “business or enterprise use.” Under the hood, the technology is the same. Whether you create a “family account” or “business account” doesn’t matter—what matters are the features you have access to.

We won’t re-explain the other characteristics that are important to consider when we pick one for your personal use. Instead, we will introduce the “step up,” or additional features, you will need now that you have a different context that you are using it in.

The password manager for your business requires a few features that you might not have needed before.


  • Ability to set up accounts for each individual, and give them access to different groups or folders that store passwords. This is what we technical and manager folks call granular access controls and enforcement of the principle of least privilege. It means being able to give people access to the things needed to do their job, and nothing else. Less access means fewer mistakes and less chance for something to go wrong. It is something good to practice now, as it will be a skill and way of thinking you exercise a lot more as you get systems you need to give people access to.

    Being able to create a folder, vault, or group that has access to specific passwords is a great way to practice granular access controls. You might have employees that only need access to one or two applications, and a second-in-command who needs access to four to six applications, and then yourself who needs access to them all. You can have a folder with your basic tools, a folder for your management tools, and then a private folder just for yourself. Ideally access could be granted to these folders individually.

  • Ability to share a password, folder, or group of passwords with someone else, so you can both view and edit it as needed. There are going to be applications that you just can’t make individual accounts for. For example, most social media accounts don’t let you assign other users who can manage your business’s page or account. This means you have to manage it from a shared username and password.

    There will also be accounts that, frankly, you’ll just share to save money. If your small business periodically uses design software to create posters or other digital marketing assets, you aren’t going to buy a license for everyone on your team who might help out with that (sorry, big digital software companies). You also won’t have everyone using that software at the same time—it is shared around as the work is shared around. If it costs way too much for you to buy multiple licenses for the context and use cases you have, you need to be able to share and manage that password safely.

    Being able to access the same password record stored in your team’s password database is the most effective way to handle that. If one of your staff is using that software, and they are being prompted to reset their password, you want them to be able to set it to another unique, strong password—without having to just increment a number at the end of the old password, or write it down on a Post-it so everyone can update the password spreadsheet they keep on their computers (no shame, we did this many moons ago too, it is just a technique that doesn’t work anymore).

  • Ability to set up 2FA so your password manager will provide you a one-time password or token (just like your phone and mobile app does). We have already covered why you need to be able to share passwords. But how do we share passwords to accounts AND have 2FA? Surely it just can’t be done. Can you imagine having to call your teammates every time you want to log in, to have them give you a code sent to their phone? Nightmare.

    The good news is password managers help here too. Just like your OTP mobile app generates a random code every 30 seconds, so can your password manager. This is important because you will have to share some very important accounts. Think about shared inboxes, social media accounts, and online banking. These need to have 2FA, and you can use the one in your password manager to avoid any disruption to your lives.

    I can hear the chorus of security folks out there screaming against this advice. Having your 2FA AND password in the same place? Then what is the point of 2FA?! I am not saying this is the perfect, ideal situation for protecting an account, but it is the one that will work for you and your employees without causing any rift or frustration. The two-factor code still rotates, the same way an app does. And the password manager enables you to make strong, unique, long passwords. These are two valid defenses against an attacker trying to break into your account or trick you into giving them access—and they help you run slightly faster than the bear that is chasing you.
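To show why a password manager can produce the same rotating code as the app on your phone, here is an added example (not code from the book, and not any particular password manager's implementation) of the time-based one-time password algorithm from RFC 6238 that both tools run. The only things a manager and a phone app share are the base32 secret from the enrolment QR code and a clock; the secret below is the RFC 6238 reference test secret, used so the results can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret ("12345678901234567890" in ASCII),
# written in base32 the way an authenticator QR code carries it.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30   # the "new code every 30 seconds" the text describes
DIGITS = 6


def _decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 TOTP secret, tolerating the spaces and missing '=' padding
    that setup pages commonly show."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 variant): HOTP over the number of whole time steps."""
    key = _decode_secret(secret_b32)
    counter = unix_time // step                       # same counter on every device in this window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226 section 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    to absorb clock drift, comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def current_code(secret_b32: str) -> str:
    """What a phone app or a password manager would display right now."""
    return totp(secret_b32, int(time.time()))


if __name__ == "__main__":
    # RFC 6238 vectors, truncated to six digits: 59 -> 287082, 1111111109 -> 081804
    print(totp(RFC6238_TEST_SECRET_B32, 59))
    print(totp(RFC6238_TEST_SECRET_B32, 1111111109))
    print("now:", current_code(RFC6238_TEST_SECRET_B32))
```

Nothing in this derivation needs a phone: any device holding the secret and a reasonably accurate clock produces the identical code, which is exactly why a shared vault entry can carry the secret and still give every teammate a working, rotating second factor.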

An important factor to also consider is price. Good news: most of them are very cheap. We are talking anywhere from $1-4 a month, per user. You can even get by with a “family plan,” if you are going to stay a small team, and still get the features above that you need. Family plans usually give you at least five users to invite, and charge you a flat monthly rate for the whole group. The difference between the two options is just a few bucks a month, so be sure to give everyone in the business an account if they have passwords they need to protect.

Most of the password managers that you would have researched for personal use tend to provide team or business plans that have the important features we covered. I have personally found 1Password and LastPass quite easy to use for a small team.

Alternatives to a Password Manager App

If you don’t want to get into the business password manager game just yet, I understand. It is probably already daunting to use one for your everyday life; teaching your employees about them might be a step you are not ready to take.

The time will come where password managers are more of a “norm” rather than an exception. In truth, this has already started—browsers have their own built-in password storage options that require little effort on your part. Password managers will also become a much more effective tool when you reach the next stage of growth; you won’t be able to avoid it then.

The options we have discussed so far are cloud-based password managers, which store passwords as a service online (in the cloud). We recommend these in most cases as they tend to provide you the features you need to work with multiple devices and multiple team members.

There are also self-hosted password manager options that store passwords locally on your computer or device. The downside of these is that they require your employees to protect wherever the password database is hosted, which is often a step in the wrong direction in terms of ease of training and use.

Browser-based password managers are the password managers offered by your browser, such as Chrome, Safari, or Microsoft Edge. These are a decent middle ground if your employees don’t share their devices with non-work people, and if the device is protected with a PIN or password, and not left unlocked and lying around in open spaces. If that is not the case, cloud-based password managers are still your best option.

One of the great features of newer browsers is that they come with new password management features. The latest versions of Firefox, Chrome, and Edge all have their version of this feature, and you have seen it in action if you have seen pop-ups asking to save your password to your browser when you log into a website.

The downside to browser-based password managers is that you can’t share access to passwords with your team, which also means you can’t revoke access to a password when your employees no longer need it. When you give your employees any shared passwords, you will have to communicate with each other when they change to make sure you don’t lock each other out. This option also depends on your staff keeping the device they log in with safe. So if they use their personal device, if they share the device with people outside the business, or if they often leave the device unlocked and accessible by anyone—this option won’t be a great idea.

At the end of the day, something is better than nothing—this is better than the alternative of using a Word document on their desktop, a pad of paper they keep at their desk, or “hidden” in a note field in their Contacts. They can rely on this browser feature to use different layers of encryption to keep those passwords safe.

Step 4: Disable Use of Insecure Third-Party Apps

Remember how we covered third-party apps and systems back in Part I? The same goes here, except now you can control it at a central level and protect your employees from any oopsies or quick (and unsafe) setups.

Third-party access to your work email comes up often and in very similar situations to your personal email. It gives an easy way to sign up for and sign into apps and accounts, and from a security perspective it has a bunch of perks:

  • The work email administrators can see who has linked their work email account to third-party systems, which can help to see what third-party apps are used.
