How to manage your startup's passwords

Building a business today has become easier thanks to hundreds of amazing SaaS tools. Whether it's for team communication, A/B testing, prototyping, or analytics, your team will adopt dozens of apps. An unfortunate side effect of using so many apps is that you inevitably end up with lots of passwords. Managing these effectively is something you should solve early.

Here are some tips for making your team happier and more secure.

Prefer services with individual accounts

Whenever possible, give each member of your team their own login on an application. For some apps, like Google Apps or Slack, this is the default model. Avoid using a single shared account even when it seems easier. For example, while it's expedient to share access to a single Mailchimp account, you should take advantage of their multi-user account support. The same goes for AWS, where the Identity and Access Management (IAM) service lets you create an individual identity for each person and grant each one only the permissions they need, instead of handing out the root account credentials. This takes more work to set up, but the up-front effort is worth it for such a critical system. AWS provides a guide on their blog. If some of these feel too complicated to configure, Meldium provides a simplified wizard to generate individual accounts for services like AWS.

That said, apps with a single login are numerous and inevitable. After all, you can't live without a company Twitter account! Here's how you should manage these.

Create an email alias owner for shared accounts

Set up an email alias (e.g. shared-accounts@mystartup.com) and use it to sign up for services that do not provide team accounts, such as Twitter or Digital Ocean. This makes shared accounts visibly distinct from individual ones and prevents the account from being orphaned when someone leaves your team. It also means that if a password is lost, the appropriate team members can reset it, since admins can get to the shared inbox. Keep that in mind when deciding who can read the alias: whoever can read it can reset the password on every service registered to it, so limit membership to the people who genuinely need it.

You can opt to make this alias a real user account on something like Google Apps, rather than just a mailing list, for two reasons: you can use it to sign in to systems that support login with Google Apps, and you may need to send email from this address when you contact a service's customer support.

An additional advantage of this approach is that SaaS products tend to email monthly payment receipts to the owner email account and you will surely need to find them at some point!

Store and encrypt shared passwords in one place

When you do have to share passwords, you should do so in a uniform way. Adopt and communicate a simple password sharing policy across the team – any shared secrets need to be shared in the same way. This way you always know where all the keys are as your team grows. Avoid sharing via untraceable, point-to-point means like email, IMs, or sticky notes; always share visibly.

The most basic way to share passwords among a team is a spreadsheet on Google Docs or Dropbox. You can invite everyone who needs access to that document and break it down into sub-documents over time (e.g. engineering, sales, HR). However, these spreadsheets are not encrypted under a key you control, offer only coarse access control, and give you no audit trail of who read or changed what, which can lead to very bad things.

The right approach is to use a dedicated password management system. You can opt for a free, open-source tool like PasswordSafe, in which case you must sync the database yourself and share its master passphrase with your team, or use a cloud-based service like Meldium. One of the key benefits of using Meldium is that your team can sign in to apps without you sharing the password, which makes it both smoother and safer.

Whatever solution you use, make sure you have backups! Google Docs and Dropbox automatically keep track of old versions (Meldium lets you export to a CSV file). You don't want to risk one individual accidentally wiping out the password database, so make sure you have old versions around. And don't forget to record non-password secrets (e.g. answers to secret questions) in your system.

Use a different strong password for each service

It's 2015, so this feels obvious, but it's tremendously difficult to maintain this hygiene without tools. It's easy to avoid "12345" or "password", but creating unique, secure passwords by hand is hard, so use a password generator that draws from a cryptographic random source. When you initially sign up for a service, generate a new password that is used only for that service; that way a breach of one service's password database does not hand an attacker your other accounts. Password management tools can do this for you, or you can use an offline password generator like apg.
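As an added example (not code from the original post, and not Meldium's or apg's code), here is a small Python generator that does what apg does for you, using the standard library's `secrets` module for its random source. It also shows the two checks a practitioner wants around it: an entropy estimate for the generated passwords, and a reuse check over a vault so the "one password per service" rule is enforced rather than assumed. The alphabet, the denylist and the sample vault are all constructed for the example; real sign-up forms differ in which symbols they accept, so the alphabet is a parameter.

```python
import math
import secrets
import string

# Added example, not code from the original post. The alphabet below is an
# assumption: real sign-up forms differ in which symbols they accept, so the
# functions take an explicit alphabet to adapt per service.
DEFAULT_SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?"
DEFAULT_ALPHABET = string.ascii_letters + string.digits + DEFAULT_SYMBOLS

# Tiny constructed denylist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein"}


def generate_password(length=24, alphabet=DEFAULT_ALPHABET):
    """Draw `length` characters uniformly from `alphabet` using the OS CSPRNG.

    `secrets` is used instead of `random`: the `random` module is a Mersenne
    Twister seeded from a small state and is not safe for credentials.
    """
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    symbols = sorted(set(alphabet))  # dedupe so every symbol is equally likely
    return "".join(secrets.choice(symbols) for _ in range(length))


def entropy_bits(length, alphabet=DEFAULT_ALPHABET):
    """Entropy, in bits, of a uniform draw of `length` symbols from `alphabet`.

    Only meaningful for passwords produced by generate_password; a human-chosen
    password of the same length has far less entropy than this number suggests.
    """
    return length * math.log2(len(set(alphabet)))


def is_weak(password):
    """True if the password is short or on the (constructed) common list."""
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


def find_reuse(vault):
    """Given {service: password}, return groups of services sharing a password."""
    by_password = {}
    for service, password in vault.items():
        by_password.setdefault(password, []).append(service)
    return [sorted(group) for group in by_password.values() if len(group) > 1]


def provision(services, vault=None, length=24):
    """Return a copy of `vault` with a fresh, unique password for each new service.

    Services already present are left alone: rotating a live credential should
    be a deliberate step, not a side effect of signing up somewhere else.
    """
    vault = dict(vault or {})
    for service in services:
        if service not in vault:
            vault[service] = generate_password(length)
    return vault


if __name__ == "__main__":
    # Constructed sample vault: two services already share a weak password.
    existing = {"twitter": "letmein", "dns-registrar": "letmein"}
    print("reused across:", find_reuse(existing))  # [['dns-registrar', 'twitter']]
    print("weak:", [s for s, p in existing.items() if is_weak(p)])
    new_vault = provision(["mailchimp", "digitalocean"], existing)
    for service, password in new_vault.items():
        if service not in existing:
            bits = entropy_bits(len(password))
            print(f"{service:14} {password}  (~{bits:.0f} bits)")
    assert find_reuse(new_vault) == find_reuse(existing)  # no new reuse introduced
```

With the default 84-character alphabet a 24-character password carries about 153 bits of entropy, far beyond what any online or offline guessing attack can cover; if a service caps password length, pass a shorter `length` and check `entropy_bits` still lands comfortably above 80. Store the output in your shared vault immediately, as the post recommends, rather than in the terminal scrollback.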

Share and communicate eagerly

When you sign up for a system that only allows one account per company or team, put those credentials into the shared vault immediately. Often there will be one primary user of a system or service, and account sharing is infrequent. If that system is critical to your business, you're running the risk that the primary user won't be around when they are most needed. Any number of engineering teams can tell you about the time they needed access to the master DNS account at 3AM, and the person who set it up was nowhere to be found.

Above all, over-communicate with your team about which shared systems you use to do your job and how to access them. If you have a team chat room or mailing list, use it to ping the appropriate people when you add or change a shared credential. Putting a policy in place for secure and simple sharing takes very little work up front and will pay dividends as your business grows.

Summary: how to sign up for a SaaS app

  1. When signing up for a service, check whether it already supports teams. If so, give each person on your team a separate account.
  2. If the app has a single login, make the owner email a consistent email alias (e.g. accounts@mystartup.com).
  3. After signing up, give your team access (and ensure you're not the only administrator, in case of emergencies). If the app only supports a single admin or a single account, add the app to a tool like Meldium and share access with your colleagues.
  4. If possible, send invoices from the app to a consistent email alias (e.g. invoices@mystartup.com).
  5. Prosper.