How to manage your startup's passwords

Building a business today has become easier thanks to hundreds of amazing SaaS tools. Whether it's for team communication, A/B testing, prototyping, or analytics; your team will adopt dozens of apps. An unfortunate side effect of using so many apps is that you inevitably end up with lots of passwords. Managing these effectively is something you should solve early.

Here are some tips for making your team happier and more secure.

Prefer services with individual accounts

Whenever possible, you should give each member of your team their own login on an application. For some apps, like Google Apps or Slack, this is the default model. You should avoid using a single account on apps even if it seems easier. For example, while it's expedient to share access to a single Mailchimp account, you should take advantage of their multi-user account support. The same goes for AWS, which provides extensive account sharing policies through their Identity and Access Management (IAM) service. This can involve additional work to set up, but the up-front effort is worth it, especially for such a critical system. AWS provides a guide on their blog. If some of these feel too complicated to configure, Meldium provides a simplified wizard to generate individual accounts for services like AWS.

That said, apps with a single login are numerous and inevitable. After all, you can't live without a company Twitter account! Here's how you should manage these.

Create an email alias owner for shared accounts

Set up an email alias (e.g. shared-accounts@mystartup.com) and use that email to sign up for services that do not provide team accounts, such as Twitter or Digital Ocean. This approach calls out shared accounts versus individual accounts and prevents orphaning the account when someone leaves your team. In addition, in the event that a password is lost, the appropriate team members have the ability to reset the password (since admins can get to the shared inbox).

You can opt to make this alias a real user account on something like Google Apps, and not just a mailing list, for two reasons: you can use it to sign in to systems that support sign-in with Google Apps, and you may need to be able to send emails from this address if you need to communicate with customer support for a service.

An additional advantage of this approach is that SaaS products tend to email monthly payment receipts to the owner email account and you will surely need to find them at some point!

Store and encrypt shared passwords in one place

When you do have to share passwords, you should do so in a uniform way. Adopt and communicate a simple password sharing policy across the team – any shared secrets need to be shared in the same way. This way you always know where all the keys are as your team grows. Avoid sharing via untraceable, point-to-point means like email, IMs, or sticky notes; always share visibly.

The most basic way to share passwords among a team is a spreadsheet on Google Docs or Dropbox. You can invite everyone who needs access to that document and you can break it down into sub-documents over time (e.g. engineering, sales, HR). However, these spreadsheets are not encrypted, do not provide good access control and cannot be audited, which can lead to very bad things.

The right approach is to use a dedicated password management system. You can opt for a free, open-source tool like PasswordSafe that you must sync yourself (and share the encryption key with your team) or use a cloud-based service like Meldium. One of the key benefits of using Meldium is that your team can sign in to apps without you sharing the password, which makes it both smoother and safer.

Whatever solution you use, make sure you have backups! Google Docs and Dropbox automatically keep track of old versions (Meldium lets you export to a CSV file). You don't want to risk one individual accidentally wiping out the password database, so make sure you have old versions around. And don't forget to record non-password secrets (e.g. answers to secret questions) in your system.

Use a different strong password for each service

It's 2015, so this feels obvious, but it's tremendously difficult to maintain this hygiene without tools. It's easy to avoid using "12345" or "password", but creating unique, secure passwords by hand is hard, so use a password generator. When you initially sign up for a service, generate a new password that is used only for that service. Password management tools can do this for you, or you can use an offline password generator like apg.
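As an added illustration of this section (not code from the original post or from Meldium), the following Python script generates a fresh, service-specific password from the operating system's CSPRNG via the standard `secrets` module (standing in for apg), and then audits a small constructed vault of service-to-password entries for exactly the two problems the post warns about: passwords reused across services and short or common passwords. The service names and passwords in `SAMPLE_VAULT` are made up for the example.

```python
import math
import secrets
import string

# Character set for generated passwords: letters, digits and a conservative
# set of symbols that most sign-up forms accept.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

# Constructed sample vault (service -> password), shaped like a shared
# spreadsheet or CSV export. The reused and weak entries are deliberate.
SAMPLE_VAULT = {
    "twitter": "Summer2015!",
    "digitalocean": "Summer2015!",
    "mailchimp": "password",
    "dns-registrar": "q7Tz!9vL#pW2mX_k",
}

# A tiny stand-in for a real common-password list.
COMMON = {"password", "12345", "123456", "qwerty", "letmein"}


def generate_password(length: int = 20) -> str:
    """Return a fresh random password drawn with the OS CSPRNG (secrets)."""
    if length < 12:
        raise ValueError("length must be at least 12")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this length over the alphabet."""
    return length * math.log2(alphabet_size)


def find_reused(vault: dict) -> dict:
    """Map each password used by more than one service to those services."""
    by_password = {}
    for service, pw in vault.items():
        by_password.setdefault(pw, []).append(service)
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}


def find_weak(vault: dict, min_length: int = 12) -> list:
    """Services whose password is shorter than min_length or on the common list."""
    return sorted(s for s, pw in vault.items()
                  if len(pw) < min_length or pw.lower() in COMMON)


def rotate_flagged(vault: dict, length: int = 20) -> dict:
    """Copy of the vault with every reused or weak entry replaced by a new password."""
    flagged = set(find_weak(vault))
    for services in find_reused(vault).values():
        flagged.update(services)
    rotated = dict(vault)
    for service in flagged:
        rotated[service] = generate_password(length)
    return rotated


if __name__ == "__main__":
    print("reused:", find_reused(SAMPLE_VAULT))
    print("weak:  ", find_weak(SAMPLE_VAULT))
    for service, pw in rotate_flagged(SAMPLE_VAULT).items():
        print(f"{service:14} {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
```

The rotation step only replaces the entries that were flagged, so a password that is already long and unique (the `dns-registrar` entry in the sample) is left alone; in practice the new values would be pasted into each service's password-change form and then recorded in the shared vault, as the post describes.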

Share and communicate eagerly

When you sign up for a system that only allows one account per company or team, put those credentials into the shared vault immediately. Often there will be one primary user of a system or service, and account sharing is infrequent. If that system is critical to your business, you're running the risk that the primary user won't be around when they are most needed. Any number of engineering teams can tell you about the time they needed access to the master DNS account at 3AM, and the person who set it up was nowhere to be found.

Above all, over-communicate with your team about which shared systems you use to do your job and how to access them. If you have a team chat room or mailing list, use it to ping the appropriate people when you add or change a shared credential. Putting a policy in place for secure and simple sharing takes very little work up front and will pay dividends as your business grows.

Summary: how to sign up for a SaaS app

  1. When signing up for a service, check whether it already supports teams. If so, give each person on your team a separate account.
  2. If the app has a single login, make the owner email a consistent email alias (e.g. accounts@mystartup.com).
  3. After signing up, give your team access (and ensure you're not the only administrator, in case of emergencies). If the app only supports a single admin or a single account, add the app to a tool like Meldium and share access with your colleagues.
  4. If possible, send invoices from the app to a consistent email alias (e.g. invoices@mystartup.com).
  5. Prosper.

Tips for Managing Twitter Access with Meldium

With 300 million active monthly users, the opportunity on Twitter for businesses is undeniable. Many companies, large and small, use it to engage with customers, share news, track their brand and build loyalty.

Typically, businesses have a master Twitter handle that acts as the voice of their organization. This opens up a great opportunity to engage with customers and prospects, as long as a number of stakeholders are granted access. How could Arby's have scored so big during the 2014 Grammys if only one person had access? Although Twitter can positively impact customer engagement, the proliferation of social media accounts presents a clear security threat, as we have seen covered over the past weeks and months in the news. Given all this, it is important to have a system in place to strengthen your brand and keep your business secure. Here's a handful of tips for managing your @company handle.

Set up a shared alias (e.g. shared-accounts@ourcompany.com) as the master email for the Twitter account. Having a shared alias in place, rather than attaching the account to one person's inbox, prevents orphaning the account when someone leaves your organization. In addition, in the event that a password is lost, the appropriate team members have the ability to reset the password (since admins can get to the shared inbox).

Choose a point person in your company (marketing director, social media coordinator, etc.) to determine your Twitter handle and create a unique, complex password for the account. If the password is easy to recall, it will be even easier for an attacker to guess. It's easy to avoid using "12345" or "password", but creating a truly secure password by hand is hard. The password should be impossible for even its creator to remember, which means you should use a password vault like Meldium to store it.

Tools such as HootSuite, TweetDeck, Buffer, and Sprinklr are great for delegating access to a Twitter account across your team. Ultimately, you will need to share direct access to Twitter's site. Sending passwords via e-mail or via spreadsheets will leave your company more susceptible to cyber attacks (the recent Sony hacks enabled attackers to access scores of Twitter accounts because their passwords were stored in readily available unencrypted spreadsheets). A good password manager can help you do this right. Meldium even ensures that passwords are never shared over the wire! You can either share with your entire team or with specific individuals who will be contributors to your Twitter account.

Just as it's easy to share access, you want to make sure you can revoke that access instantly. Many disgruntled employees have done damage to brands via Twitter in tense situations. With Meldium, you can revoke any access a member of your organization has when they leave with one click (whether it's Twitter or any other critical account they have).

In the special event that the master account holder leaves the company, Meldium can help navigate that obstacle as well. An admin can reassign the master credentials to another team member who would take on the role of account owner.

Changing your passwords frequently, at least every few months, is important for all your apps and services, especially those with shared privileges. When multiple people share a password (bad!), it's a pain to change it and notify everyone so we often don't bother to do it (worse!). Meldium can do the work for you – without your team missing a single tweet. First, since no one knows the password, they always access the account via a central broker that is always up-to-date. Second, with Automatic Password Update, Meldium will create a strong, unique password and change it directly in Twitter. Your team members won't even know the password has changed!

Once a brand is on social media customers can expect a lot. It's essential to not only focus on mentions and conversations, but to quickly zero in on support issues. If you're looking to step up your customer service game, consider creating a dedicated customer service handle that is separate from your company or brand handle. Even Twitter employs this strategy with @Twitter vs. @Support.

When engaging with customers avoid sending automatic responses. Be sure to respond in a timely manner and with a personal touch whenever possible.

By following these few tips, your team can maximize the reach of Twitter and keep your account secure. Happy Tweeting!

Introducing Meldium for Safari

What’s new?

Automatic login support for Safari is here! Today, we are happy to deliver our Beta release of the #1 requested feature from users over the past year. With this launch, Meldium now provides automatic login from every major browser. We have extensions for Chrome, Firefox, Opera, Internet Explorer, and Safari.

What is automatic login?

The automatic login browser extensions allow you to access all of the apps that appear on your launchpad without entering any usernames or passwords. When you share access with your team, they can sign in to apps without knowing the passwords and the plugin won't intrude on any other aspect of your web browsing experience.

How do I get it?

Head to your Meldium.com homepage and launch an app. You will be automatically prompted to install the plugin if you do not yet have it. Once the plugin is installed, a Meldium icon will appear in your browser's menu bar. Click on it to see all of your launchable apps! Select any app, and a new tab will open to the app's homepage, where you'll be signed in and ready to work.

Beta Note

The plugin currently works with the latest version of Safari on Mac OS X Yosemite (10.10). Please e-mail us if you have feedback (bug reports welcome!).

Don't yet have a Meldium account?

You can sign up for Meldium today with Google or create a new Meldium ID.