It’s easy to poke fun at companies that treat sensitive information recklessly, sending or receiving plaintext passwords via unencrypted email or chat, or storing customer information in ways that are far from secure. But it can be a logistical nightmare to let multiple remote employees log into a shared account in a secure fashion.
Luckily, there are a few options to make this a little easier. Here’s a quick run-through of some of the best options.
Like most password managers, LastPass lets users log in with just one master password; the tool stores all of their other passwords. Among other things, this makes it easy to create long and complex passwords and to use a different password for each login account.
In addition, LastPass’ enterprise accounts will let you share login data between individuals and across teams, with customizable permissions. That means that you can choose who has access to which folders, and make changes that are synced automatically. Enterprise accounts cost anywhere from $18 to $24 a year per user, depending on the number of users.
It’s also possible for a Premium account holder to share password information in a single file with up to five other LastPass users, which could be useful for tiny startups, partnerships, or people needing to share passwords with friends or family members. Premium accounts cost $12 a year, and only the main account holder needs to have one.
Because LastPass is cloud-based, it makes things easier for people logging into multiple computers, but it has some drawbacks as well. For instance, you’ll be uploading your passwords (though not your master password) to the cloud, albeit in encrypted form.
In addition, “[a] third party service [like LastPass] will be able to see which sites you have an account on … not the password itself, but when you’re accessing each password,” says privacy and security researcher Runa Sandvik, technical advisor for Freedom of the Press Foundation.
“KeePass and KeePassX may not be as pretty as all the other tools, but it is open source, it is free, and it works,” Sandvik says. This password manager is one you keep on your own computer, so no third party knows when you access different sites. However, you do need to make sure you’re backing up the database frequently. (Let’s just say that losing your database of passwords would be … bad.)
To share passwords with others, you need to create a database, enter the password, send the database to another person, and somehow securely send them the password to open the database. We’ll discuss that a little later.
OneLogin is another cloud-based option. OneLogin allows users to log into multiple cloud services using a single sign-on account. It can integrate with a company’s Active Directory of user accounts and permissions.
Another benefit is that OneLogin can integrate with a large variety of enterprise applications. Plans range from $2 to $8 a month; there’s a free version as well.
1Password is a personal password manager that allows users to create several password vaults and share a single vault with a group of people who also have 1Password installed. However, you do need to use Dropbox to synchronize the data.
“That sharing solution is suitable for a family and a small team, but it’s not an enterprise solution or one for a big company,” says security adviser Per Thorsheim, founder of the Passwords hacker conference. Licenses cost $49+.
SplashID Safe for Teams
SplashID is an enterprise product that allows teams to share passwords and other information with larger groups of people, such as entire departments or whole companies. The IT team can create users, groups, and permissions, so only the people who need access to a password can see it, and can review logs of records and usage.
Dashlane for Teams is yet another password manager that works at the company level. It syncs passwords within a team, which is helpful any time someone needs to change a password, as the change gets pushed out to all team members and their devices.
Dashlane also sends security alerts to users’ devices when an account may have been compromised. A security dashboard provides tips for making an account even more secure.
Licenses cost $39.99 a year for each user. There’s also a freemium version with very limited features.
Strip is another enterprise solution that has team password sharing. It allows synchronization over Dropbox, Google Drive, and local Wi-Fi, and creates local backups of data.
Don’t Forget Two-Factor Authentication
LastPass, 1Password, and OneLogin support two-factor authentication, which adds an extra step to checking a user’s identity when they log into a website. For instance, logging into the service requires not just a password, but also an authorization code that’s texted to the user’s phone.
Two-factor authentication is challenging to use with tools like Twitter if you have a distributed team, since a single phone number must be used, but there are often other options. Google, for example, allows users to generate backup codes, which can be shared with remote users who don’t have access to the mobile device to which the SMS code is sent.
How To Safely Share Just One Password
Suppose you need to send someone just one password, and would rather not deal with the hassle of setting up shared-password tools. Or, similarly, say you sent someone a KeePass database, but then also need to send them the password so they can open it.
“The challenge is that even if you were to store a shared password, you’d still need a password to get into the database in the first place,” Sandvik explains. So what’s the easiest way to safely share that single password?
Options might include sending encrypted emails, which require a bit of technical know-how, or using encrypted phone or messaging apps. Open Whisper Systems’ RedPhone (Android) and Signal (iOS) apps are particularly user-friendly.
SnapPass is open-source software used at Pinterest that allows people to send a URL to someone that links to a password. It may require a bit of tinkering to set it up; it stores passwords in a Redis database on the user’s own computer system.
“The URL leads to the password,” says web operations consultant Dave Dash, a former internal tools engineer at Pinterest who built SnapPass. He continued:
You can only click on it once and it expires after a few days. If I need to set up an account on any system for someone, I could send them the URL, and then they’d have the password and could then change it for added security.
Dash recommends that anyone setting this up make sure that the application and database aren’t publicly accessible. It’s also wise to limit the number of people who have access to the running application and its associated database.
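The mechanics Dash describes (a one-time URL that hands over a password and then expires after a few days) are easy to sketch. The following is an added illustration written for this article, not SnapPass’s own code: an in-memory dictionary stands in for the Redis database, the base URL is a made-up placeholder, and the `now` parameters exist only so the expiry behaviour can be exercised without waiting days.

```python
import hashlib
import secrets
import time

# SnapPass links "expire after a few days"; three days is an assumed value.
DEFAULT_TTL_SECONDS = 3 * 24 * 60 * 60


class OneTimeSecretStore:
    """Hands out single-use, expiring URLs for a secret.

    Hypothetical stand-in for SnapPass: a plain dict replaces the Redis
    store, and the base URL below is a constructed placeholder.
    """

    def __init__(self, base_url="https://snappass.example.invalid/"):
        self.base_url = base_url
        self._items = {}  # sha256(token) -> (secret, expires_at)

    @staticmethod
    def _key(token):
        # Store only a hash of the URL token, so someone who can read the
        # backing store still cannot reconstruct a valid link from it.
        return hashlib.sha256(token.encode()).hexdigest()

    def _purge_expired(self, now):
        expired = [k for k, (_, exp) in self._items.items() if exp <= now]
        for k in expired:
            del self._items[k]

    def create(self, secret, ttl_seconds=DEFAULT_TTL_SECONDS, now=None):
        """Store `secret` and return the one-time URL to send to the recipient."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._items[self._key(token)] = (secret, now + ttl_seconds)
        return self.base_url + token

    def redeem(self, url, now=None):
        """Return the secret for `url` exactly once, or None if it is gone.

        The entry is removed on first retrieval ("you can only click on it
        once") and is also dropped once its expiry time has passed.
        """
        now = time.time() if now is None else now
        self._purge_expired(now)
        token = url.rsplit("/", 1)[-1]
        entry = self._items.pop(self._key(token), None)  # pop == single use
        return None if entry is None else entry[0]

    def pending(self):
        """Number of secrets still waiting to be collected (for monitoring)."""
        return len(self._items)


if __name__ == "__main__":
    store = OneTimeSecretStore()
    link = store.create("temporary-account-password")  # constructed sample
    print("send this link over your chosen channel:", link)
    print("first visit :", store.redeem(link))   # the password
    print("second visit:", store.redeem(link))   # None, already consumed
```

As Dash notes, the whole scheme only helps if the application and its store are reachable solely by the people who need them; the token hashing above limits what an attacker with read access to the store could do, but it does not replace keeping the service off the public internet.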
Of course, there are non-technical solutions as well. You could, for instance, send the password through a different channel than the one used for the rest of the login information, such as the username through email and the password via chat.
This is the same concept that banks use when they send a debit card in one envelope and a temporary code in a separate one, and mail them out on different days, although of course it’s not foolproof. “That’s an option, but it assumes that NSA isn’t the entity you’re worried about,” Sandvik points out.
If nothing else, just promise us you won’t store all of your passwords in plaintext in a directory called “passwords.”
Photo by Tit Bonač