Is it ever a good idea to share office passwords?

sharing office password security
At first glance the answer is obvious. No, of course we should never share our passwords, why would we? 

I agree and yet, here’s an oddity: we often encounter small companies where password sharing is common. It may not be obvious at first but with a little digging the practice turns out to be the norm. 

In fact, anecdotally, I would say offices in which some degree of password sharing goes on are more common than those that absolutely ban it.

Why password sharing is not a good idea

Before looking at why password sharing happens, it’s worth taking a moment to consider why it’s such a bad idea. 

Your password is your virtual office key. Together with your login name, it gives you access to those parts of your office IT system that you’re entitled to access. 

It is usually the case, at a minimum, that management, finance and operational staff have different access rights. Sometimes, operational staff may also be divided by project or department. There is only one way of controlling these access rights and that is by issuing passwords with the assumption that they’ll be kept secret — i.e. uniquely tied to the users to whom they are issued. 

Users can change their own passwords and basic good security practice is that no one, including the IT department, should know your password and no one should ever ask you for it. Without this basic good practice, we lose that crucial link between named individuals and their system access rights. In an office in which password secrecy is not sacrosanct there is no reliable audit trail of who did what on the system and everybody has a watertight shield of deniability – someone else must have used my password.

Why it’s a terrible idea

Without password secrecy as a rock-solid, unbreachable policy, any idea of network security is meaningless.

But there is a more subtle psychological issue at stake here too. 

Let’s say someone asked you to share your social media or bank login credentials. Would you do it? Probably not. That’s because there’s something important to you at stake – i.e. your reputation or your bank balance.

Now, even if you run a truly hierarchy-free company with absolutely no differences in access rights, if you allow or encourage your users to be casual about sharing their system passwords you’re making the statement that there’s nothing on your IT system worth protecting. 

So if you then try to convince your staff that you care about business security they’re simply not going to believe you. Bear in mind that employees are your first, and sometimes only, line of defence against the various cyber fraudsters out there looking to relieve your company of money. 

To put it another way: If your staff think you don’t care about security, they won’t either.

Why we do it anyway

OK, there’s nothing controversial there, we all know we shouldn’t share our passwords. So why is it such common practice? Here are a few reasons we come across and some ideas about how to tackle them:

Senior people

Senior people: amongst the worst offenders and the biggest risk to the company. 

Directors, owners and senior managers often have responsibilities that still need to be discharged when they’re not in the office. For this reason, they commonly share their passwords with their assistants and fellow senior managers. 

If it is common knowledge that the MD’s assistant or office manager knows his or her password, then you can forget about convincing others that they shouldn’t share theirs. 

The answer here is to analyse what these special responsibilities are and ensure that senior people have the necessary equipment to discharge them using mobile devices. Here’s a great example of security awareness and seniority not fitting well together.

Holidays and sickness

Holiday and sickness cover: if somebody, e.g. a salesperson, is away on holiday or off sick somebody else needs to be able to log on to their computer to check their emails or other files. 

It is beyond the scope of a short article to explain the configuration steps, but it is straightforward for your IT to configure permissions in such a way that these eventualities can be covered without throwing security out the window.

The all-seeing eye

The all-seeing eye or just in case: based on negative experiences with other companies, office managers are sometimes convinced that the only way to make sure they are in control is to maintain a list of all user passwords. This is a terrible idea both because users don’t tend to keep the office manager updated when they change their passwords and because, for obvious reasons, security is weakened by keeping an accessible (even if not easily) list of commonly used passwords on your network (or in your desk drawer). 

As above, IT can easily configure your system to cover your access to data when people leave, or other unforeseen events occur.

One simple question

There are plenty of other reasons, all equally unnecessary. If you are in the position of trying to end password sharing in your company a good way to tackle it is as follows:

  • Ask the question, “what precise problem are we solving by sharing this password?”
  • The only answer that’s not allowed is that there’s no precise problem and your’re sharing it “just in case” 
  • Once you have identified the problem, before agreeing to share the password, ask IT if there is any other way of solving the problem.

There always is. And if they don’t have a solution you can always ask me. In fact, I would welcome the challenge of a password sharing scenario to which I couldn’t come up with a secure solution.

Other passwords

For the purpose of this article, I have only been looking at the passwords used to access office systems. There can still be a need to share passwords for online systems where, for example, you need to give credit card details for each user on the system and you only need one, e.g. for a domain registration. In a case like this it remains a terrible idea to keep a list of usernames and passwords. Instead, use a multi-user password manager such as LastPass.

Starting point

If you are looking for a place to start in tackling information security and anybody in your office shares their password as a matter of common practice, I hope this article has given you your starting point. 

And, remember, if you find a scenario that hasn’t been addressed here or can’t be solved by your IT people, I would welcome the challenge.

You can always get in touch with us here.

Useful links

Microsoft Blog – Your Pa$$word doesn’t matter
Focusing on password rules, rather than things that can really help – like multi-factor authentication (MFA), or great threat detection – is just a distraction.

Like this article?

Share on Twitter
Share on LinkedIn
Share by Email

Subscribe to our monthly newsletter

Get the best IT tips and Office ideas in your inbox
Subscribe Now

Further reading

How To Set Up Signatures In Outlook

Geoff Courts 5 April 2024

Email signatures are important and have a number of purposes. A well designed signature can be a real benefit to your company brand. They also provide all your contact details, can be used to help with marketing campaigns, and if you’re a business, provide important required information about your company registration. Here’s some guidance on adding signatures in Outlook.

Read More »
Outlook

How To Find The Conflicts Folder in Outlook

Hubert 5 April 2024

In Outlook, the Conflicts folder is like a record of problems when your emails don’t sync well with the mail server. If there’s trouble syncing, you might end up with extra copies of the same email. These issues get listed in the Sync Issues folder. You wouldn’t often need to look in this folder, but over time it can get quite big, so you might occasionally need to see it to empty some space.

Read More »
wifi

How To Get Best Experience From Your Wireless Access Point

Ash 5 April 2024

We all know that Wi-Fi can be much more convenient for your office setup than connecting everything via cable, and as Wi-Fi speeds and connectivity get better, more offices are switching to wireless. However, many people have concerns that wireless is less reliable than cabled, and they worry that they will struggle with weak signals or frequent disconnections. This blog will provide you with all the knowledge you need to get the best wireless experience and keep you at your desk rather than under it, fiddling with cables.

Read More »
Scroll to Top