How to manage a accounts/passwords with no clear owner
September 15, 2017 4:16 AM

I work in a medium sized business (let's say around 100 people). This business has a set of random accounts ranging from their Instagram profile to paid online subscriptions that have no clear owner for them and it causes problems. If people leave or on holiday, there's a panic about how to access the account. Passwords are stored on random emails on random people's inboxes. I have volunteered to take ownership of this issue although this does not mean I should be the owner of these accounts either (but I could be if I deem it to be the best approach). How do we approach this in a flexible, secure way? Details and caveats inside:

Accounts that are affected
- Social media profiles: Facebook, Twitter, Instagram, Vimeo.
- Related to our website (specifically logins for Google Analytics, Wordpress)
- Paid subscriptions for publications

Challenges:
- We don't have a 'Social Media' Team or a Marketing function so to speak, so it's not like someone on that team can own those profiles. They are also updated sporadically by random people at random times, but not important enough for this to become A Thing with Processes (an approach which failed miserably in the past as in we created a process and then no one followed it).
- Lots of people need to be able to access the subscriptions
- Different people need access to the website functions, some of them overlap
- We don't have a dedicated IT team
- When people leave, this is not really a priority as part of the leaving process as these accounts are used sporadically, so you have a situation where people need access to an account and then calling someone who left 3 months ago to ask if they know what the account details are.
- And that's if they even know that's the right person to ask (for one account, we don't even know whose email address is associated with it and we're still locked out).

Anyone deal with a similar situation? I am open for any ideas including (foolproof) process changes to technical tools to address this issue.

(The last time a similar question was asked it was 2013, everyone suggested LastPass Enterprise except for the last commenter who said it was horrible so I'm asking again thank you AskMe for your indulgence)
posted by like_neon to Technology (13 answers total) 4 users marked this as a favorite
We do this with a Google Doc. Like literally a doc with all of the accounts. So it's like:

INSTAGRAM
Login Name: Foo
Password: BAR

GOOGLE ANALYTICS
Login Name: Foo@gmail.com
Password: BAR!
Password Recovery: Mobile # (Joe Bloggs)

Who has access to this doc is a different decision. Giving everyone in the organisation access is a bad idea. Better idea: three or four people have access to it. When Eileen from accounts needs to access Instagram, she can email whomever on the list is around to get the logins.

Issues:

Eileen logs into Instagram, and then changes the password and doesn't tell anyone because she's an idiot. As long as you record what email or mobile number is associated with the account, though, you can overcome that and update the doc.

Eileen gets fired. You then need to change the passwords on ALL of the accounts to which she has had access. How do you know which accounts? We do it with a Gravity form where the person puts in theor company email address and chooses which account they want access to, and that's how the request is made. We can then pull all requests from eileen@companyname. That's also where she gets her reply with the password she wanted. That is the ONLY way to get passwords.

Alternatively, you can log requests on the Google doc itself.

Note: This is obviously not super secure but we do not use this for things like banking, Stripe, etc.
posted by DarlingBri at 4:36 AM on September 15, 2017


At my last workplace, we had a similar situation.

- We kept social media account info in a Google Doc that everyone who needed to could access, exactly as DarlingBri describes.

- Separately, I kept an Excel spreadsheet on a server with info for subscriptions that only I needed to access, so that when I left, my successor could take charge of them.

Neither of these approaches were strictly secure, but they worked for us. The important thing was that when someone left the company, their email address was made accessible to others so that account ownership could be transferred to new email addresses.
posted by ejs at 4:43 AM on September 15, 2017


In addition to whatever else you do, create a single generic email box, "accounts@yourcompany.com" and change the address on as many accounts as possible to that. Use it to sign up new accounts. As with your password solution, you don't have to give everyone in your company access to that email or have it send to everyone, but make sure a handful of people can get at it. Then it's never a question of whose email owns an account, the answer is always accounts@yourcompany.com.
posted by jacquilynne at 4:47 AM on September 15, 2017


We have a similar 'codes and passwords' doc that have everything, and we password protect it. So it's a bit more secure and everyone only needs to remember one single password.
posted by churlishmeg at 5:00 AM on September 15, 2017


I use DashLane for personal logins and highly recommend it. It's got an advantage over a Google Doc in that, if someone needs to change the password on the fly due to a login error, it will save the changed password as long as they click "yes" when prompted. There's one master DashLane login, so if everyone knew that, they could access everything just by logging in. I think you'd need a premium account to sync passwords across all machines.
posted by Miko at 5:21 AM on September 15, 2017


We literally just dealt with this at my office. We already require everyone to use a password manager, so it was a simple matter of adding these passwords to the manager and I believe our IT folks created groups to permission people to those accounts.
posted by JPD at 5:30 AM on September 15, 2017


One password for teams solves this problem, and a number of others, and it makes it easy for people in your organization to create strong passwords without having to keep track of them.

With this software you create a vault that contains the shared passwords, and everybody that needs access to those passwords has access to the vault. They don't even need to know what the password is.

https://1password.com/teams/
posted by askmehow at 5:39 AM on September 15, 2017


"accounts@yourcompany.com"

I would make it "social@yourcompany.com" or "externalPR@yourcompany.com" or something ... accounts may already be in use, or may be wanted in the future, for dealing with vendor or customer accounts. (You'll also probably get some random misdirected mail from people trying to contact you who guess "accounts@" as the e-mail.)
posted by Eyebrows McGee at 6:38 AM on September 15, 2017


I’ve used shared LastPass vaults for stuff like this. Also, some of the things you listed don’t require sharing passwords. For example, google analytics allows you to grant access to as many accounts as you want. So in that case, you should be having people use their own accounts to access it rather than sharing a single one.
posted by primethyme at 7:01 AM on September 15, 2017


There should be a designated owner of any resource, and an alternate. Chris does facebook, Terry steps in when Chris is on vaca. By policy, any account in the company's name should be considered an asset, and the password must be kept in the password file, which gets backed up regularly. The account info should reference the company and be linked to a company email address. Eyebrows has it - the email should be Blah@Company.com, and Chris and Terry have rights to that account. The company may not want to formalize this, but they should; the possible mess is a real thing.

It sounds like the company has minimal concern about computer security. This can lead to a great deal of pain, and I would recommend they step up their policies and procedures on data and passwords. If password security is casual & IT is unmanaged, the likelihood of a malware or ransomware attack is pretty high. Stepping up to improve it could be smart for your career and company.
posted by theora55 at 9:23 AM on September 15, 2017


Yep, get a password manager. My previous office used LastPass and it was fine. I imagine 1password or other password managers with a "teams" or "enterprise" option would be good as well. You can set up different groups of passwords available to different people, auto-fill username/password fields in browsers, and easily onboard and offboard people. Plus use "secure memos" for miscellaneous secret information like door codes.
posted by Alioth at 12:06 PM on September 15, 2017


Any of the password managers for enterprise (lastpass, dashlane, 1password, keepass, etc are all different versions of a similar concept, with somewhat different functionality - here is one roundup) can handle this well and will add reliability and security to your process. Using a manager, you can give and revoke access to logins as needed, you can ensure that passwords are changed securely on a regular basis, and you will definitely know where all things are at all times so passwords are not lost or forgotten.

Google docs or common email accounts or whatever are...better than your current setup, but they pale in security to an actual password manager and gathering everything in the same place could create a new vulnerability especially since you don't seem to have a culture of strong policies and management in place around security for those assets.
posted by mosst at 12:46 PM on September 15, 2017


I also think any of the popular password managers are fine. We pay $4/mo/user for LastPass Enterprise and it is definitely mediocre, but it works.
posted by michaelh at 1:10 PM on September 15, 2017


« Older What would you like to know about being a vendor...   |   Work wardrobe, roof style. Newer »
This thread is closed to new comments.