The Bitwarden Blog
Password sharing best practices for teams
Passwords are essential for businesses and individuals to function in the modern era. And given how many bad actors there are, those passwords best be secure and saved in an encrypted vault. As an individual, that's pretty easy to manage. For teams, however, things require a bit more coordination. When you have to share passwords among departments or teams, every user involved must follow best practices to ensure those credentials don't wind up in the wrong hands.
If that sounds like something you need, read on to learn important password sharing best practices for your team.
Let's dive in, shall we?
Some businesses have yet to adopt a password manager for sharing among teams. I've been involved with companies that still keep a spreadsheet containing app/service/account credentials on a shared drive.
That is a disaster waiting to happen.
Instead, any time a password must be shared with a team it should be done via a password manager. All business-grade password managers will contain features that allow you to easily and securely share passwords with your teams. Password managers like Bitwarden not only make it easy to share passwords with a team, they make it even more useful by adding shared folders into the mix and even offer granular access controls for users.
Only share passwords that your teams need to use. It might be tempting to dump every password your business uses into a shared vault, but that's not only inefficient, it also runs counter to establishing least-privilege access to all of your accounts. This is especially true if you have passwords that are management-level only.
You may be tempted to dump all your passwords into a single area, but that would be inadvisable. Instead, separate your teams into Collections and make sure to isolate the passwords on a per-Collection basis. For example, you might have teams for DEV, MANAGEMENT, OPS, and STAFF. Create Collections for each and only add the passwords each group needs to those Collections.
No matter how challenging the password, if someone leaves your company or team, it's time to change the passwords that were shared with them. Never leave this up to chance. Even if those passwords are incredibly challenging, you never know if that person wrote them down or took a screenshot and sent the image to themselves.
As soon as a team member leaves the company, it is a best practice to change every password they had contact with.
Ensure that your team follows your policy to only create passwords with a random password generator. Not only does using this feature guarantee strong and unique passwords will be used for every account, it'll save a bit of time when the team members aren't tasked with coming up with complicated passwords.
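The per-Collection isolation and the change-on-departure rule above can be worked through together. The following is an added example, not Bitwarden code or an export format: the Collection contents, member names, and function names are all constructed assumptions. It lists every shared item a departing member could read, names the remaining members who need the new value, and generates replacements from the operating system's random source.

```python
import secrets
import string

# Constructed sample data; this layout is an assumption, not a Bitwarden export format.
COLLECTIONS = {
    "DEV": {"github-deploy", "staging-db"},
    "OPS": {"staging-db", "cloud-root", "dns-registrar"},
    "MANAGEMENT": {"payroll", "bank-portal"},
    "STAFF": {"office-wifi", "printer-admin"},
}
MEMBERS = {
    "alice": {"DEV", "STAFF"},
    "bob": {"OPS", "STAFF"},
    "carol": {"MANAGEMENT", "STAFF"},
}

def items_visible_to(member, members=MEMBERS, collections=COLLECTIONS):
    """Every shared item a member can read through their Collections."""
    visible = set()
    for name in members.get(member, ()):
        visible |= collections[name]
    return visible

def rotation_plan(leaver, members=MEMBERS, collections=COLLECTIONS):
    """Map each item the leaver could read to the remaining members who still need it."""
    plan = {}
    for item in sorted(items_visible_to(leaver, members, collections)):
        plan[item] = sorted(
            m for m in members
            if m != leaver and item in items_visible_to(m, members, collections)
        )
    return plan

def generate_password(length=24):
    """Random password from the OS CSPRNG with at least one lowercase, uppercase and digit."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw

if __name__ == "__main__":
    for item, still_need in rotation_plan("alice").items():
        print(f"rotate {item}; re-share the new value with {still_need or 'nobody'}")
```

An item whose list of remaining members is empty was readable only by the person who left, which makes it a candidate for retiring the account rather than re-sharing it.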
When you allow team members to use their own logins for your Organization vaults, make certain you have a policy in place that those master passwords be challenging. This improves the overall security profile for the company.
Finally, require 2 Step Verification for your password manager as well as every account that offers 2FA. This is especially important if your teams will be accessing the password manager outside of your company network. You never know if a team member is working on a less-than-secure wireless network or on a computer that non-team members can access. Although 2FA isn't a perfect defense, it is an extra layer that deters many a hacker from gaining access to an account.
This shortlist of best practices might not fit every situation, but the practices are fairly universal. If your company is already sharing passwords among teams, see if you can work these best practices into the mix. If you're about to start password sharing among teams and/or departments, make sure to use these tips as the basis for creating a set of best practices at your company that can help keep your passwords from prying eyes.
Interested in trying out Bitwarden? Quickly sign up for a free Bitwarden account, or start a 7-day free trial of our business plans to help your team and company colleagues stay secure online.