How to Share Passwords


Sharing passwords is generally not advised. Yet there are a few cases where you have no other option. In this article, we will explore when to share a password and how to do it safely and securely.

There are two primary use cases for sharing passwords: long-term and ad-hoc sharing. “Long-term sharing” covers the cases where you need to share an account with a colleague or a friend, while “ad-hoc sharing” is for cases where you need to hand out or restore an account.

Long-Term Password Sharing

Long-term password sharing usually happens between colleagues or personal friends. Thus, a “strong relationship” is in place. This means that installing software to help with password sharing shouldn’t be an issue.

For sharing passwords long-term, the most secure way is through a password manager. A password manager will ensure safe and secure password sharing. The whole process between the two parties is end-to-end encrypted. Furthermore, password managers provide detailed access controls that enable you to control how long the password is shared and who can edit it.

Using a password manager comes with more benefits to your password security. One of them is that you no longer have to remember any passwords, which means you can make them as long and as complicated as you want, raising your safety and security.

A serious consideration for password sharing schemes at your company should be “off-boarding”, the process that takes place when an employee leaves the company. Shared passwords are particularly problematic in this case: you will have to change every shared password that the departing employee had access to.

Some password managers that are popular at the time of writing are 1Password, Dashlane and LastPass, but there are many more that can fit any size and need.

Ad-hoc Password Sharing

Onboarding employees and restoring accounts are the situations where you would share passwords ad-hoc. Your priority should be to use a “password reset link” or services that allow users to set their own password. For the cases where that is not possible, read on.

For ad-hoc password sharing, we cannot assume that any kind of relationship exists. Usually, we share passwords with third parties: parties that are outside our organization, or employees that are getting onboarded. This means that we can’t expect them to have access to any secure service we use.

For ad-hoc password sharing with third parties, the best solution is a “Secret Sharing Service” like SROP. SROP password sharing works in three easy steps:

  1. You create your sensitive note (password) and get a secret URL.
  2. You share your secret URL with the intended recipient.
  3. The intended recipient goes to the URL and opens the secret note. Opening the note for the first time will also delete it, by design.

Opening a sensitive note produces a notification that you will receive. That way, you can be sure about the delivery of the password. You may also add a password to the secure note, which you would share with the recipient over a different channel of communication.

What Happens on Interception of the Secret URL?

A bad actor intercepting the secret URL is highly unlikely, but it can happen. The ad-hoc sharing mechanism helps you stay on top of the breach:

  • Opening a sensitive note will produce a notification for you. The notification includes the browser type, country, and other information about the recipient. This will help you determine if the note was opened by the intended recipient.
  • In case of a breach, the legitimate recipient will not be able to open the sensitive note. When a note (or shared password) is opened, it is also automatically deleted, by design. So when the legitimate recipient tries to open the breached note, they will not be able to. At that point, the legitimate recipient will notify you and you can take further action in time.
  • When creating a sensitive note, you have the option to protect it with a password. This way, the legitimate recipient needs both the “secret URL” and the “password” to open the note. Interception of the secret URL is no longer a threat. So, if the password or note you are sharing is of higher sensitivity, password-protect your note.
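
The three safeguards above can be seen together in a small in-memory model. This is an added example, not SROP's code: the class `OneTimeNotes`, the `notes.example` URL, the sample values and the handling of a wrong password are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class OneTimeNotes:
    """In-memory model of a burn-after-read note service (illustrative only)."""

    def __init__(self):
        self._notes = {}         # sha256(token) -> (secret, salt, passphrase_hash)
        self.notifications = []  # events the sender would be notified about

    @staticmethod
    def _kdf(passphrase, salt):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

    @staticmethod
    def _key(url):
        # Index notes by a hash of the URL token rather than the token itself.
        return hashlib.sha256(url.rsplit("/", 1)[-1].encode()).hexdigest()

    def create(self, secret, passphrase=None):
        url = "https://notes.example/n/" + secrets.token_urlsafe(32)  # constructed URL
        salt = secrets.token_bytes(16)
        pw_hash = self._kdf(passphrase, salt) if passphrase else None
        self._notes[self._key(url)] = (secret, salt, pw_hash)
        return url

    def open(self, url, opener, passphrase=None):
        note = self._notes.get(self._key(url))
        if note is None:
            return None  # already opened (and deleted) or never existed
        secret, salt, pw_hash = note
        if pw_hash is not None and not hmac.compare_digest(
                pw_hash, self._kdf(passphrase or "", salt)):
            # Assumption: a wrong password leaves the note in place but is reported.
            self.notifications.append(("failed", opener))
            return None
        del self._notes[self._key(url)]  # first successful open deletes the note
        self.notifications.append(("opened", opener))
        return secret

if __name__ == "__main__":
    svc = OneTimeNotes()
    url = svc.create("constructed-password-123", passphrase="told-by-phone")
    print(svc.open(url, {"browser": "unknown", "country": "ZZ"}))  # URL only
    print(svc.open(url, {"browser": "Firefox", "country": "XX"}, "told-by-phone"))
    print(svc.open(url, {"browser": "Firefox", "country": "XX"}, "told-by-phone"))
    print(svc.notifications)
```

The model keeps the note in plain memory to show the open-once and notification logic only; it does not model encryption at rest or in transit.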

Conclusions

Password sharing is discouraged. But reality happens. It is advised that you have a solid process for sharing passwords. You wouldn’t want to leave these kinds of decisions to the judgment of your employees.

SROP can help you with the sharing of passwords and sensitive notes; that’s why we built it. Let us know your thoughts and questions.