I would like to come back to the topic of passwords, this time in a professional environment. Over the years I have worked for very different companies. Every time the topic password and password sharing were a more or less big problem. Usually, a process was established that worked reasonably well, but almost always I could still access some services for a long time after leaving the company. Unfortunately, the topic is not easy to solve, but there are a few things you can keep in mind, especially with technology startups.
First, let us take a look at how things usually work in a young startup. In the beginning, the developers usually quickly set up a whole series of services, most of which run on their official email address. Sometimes the management even creates the central services itself, but also (and especially) here possibly even with private email addresses as accounts. Over time, more and more services are added, some are no longer used, others have become extremely important for the company.
This is particularly interesting when an employee leaves the company. On the one hand, it can then suddenly become difficult to access these services, because nobody knows which email address they are running to. On the other hand, there is of course always the danger that an unhappy employee will simply do nonsense later on. This cannot even be proven to him in case of doubt since many in the company also use this account.
What measures make password management easier?
As I said, it is not easy to prevent all this. But you can do a lot to keep track of and protect unauthorized access.
Log all accounts
This sounds trivial but is rarely done consistently. Every startup should have a central document where all external services are listed, how to access them, who has access to them and where to find the password. In case of doubt, you can always quickly check if there are problems with a service.
Using Single Sign-On accounts
Of course, this only works if everyone in the company uses a provider that offers such accounts. The most common example is certainly the Google account. If GMail is used as an email provider, it should be checked if other services can be used with it (e.g. Slack). If an employee then leaves, deactivating his company Google account is sufficient to block other services for him as well.
Interesting side effect: If you set up an administration area yourself, you can of course also connect it to OAuth and GMail. So, the employees have to remember fewer passwords and you can even set up the rights assignment on it.
Use individual accounts
Unfortunately, many service providers do not support SSO. But at least they provide the opportunity to create teams so that everyone gets a personal account. If in doubt, this can then be quickly deactivated without affecting the others. Many cloud services offer this for example (AWS, Heroku, Docker, …). Depending on the service, you can then set the rights again granularly for each individual user.
A dedicated email address for accounts
However, many smaller services only provide easy access. If this is the only way, you should set up a mailing list that you can use for this. This way you can at least ensure that several people receive notifications. Moreover, you can reset your password in case of doubt.
For easy access, it is usually necessary to store the passwords somewhere and make them available to others. It is obvious that this should not necessarily be done on a freely accessible wiki page.
There are now a number of tools that start here. KeePass is certainly a very simple solution that can be established quickly. But if you want to have different user groups that are only allowed to see certain passwords, Vaultier would be worth considering. Of course, it is important that there is a person in charge who maintains the tool regularly. Therefore, no one has to or can pass on the passwords by Slack or email.
If one of the loyal employees really leaves the company, there should be a process to deactivate which accounts and how and where passwords might have to be changed. If the employees introduce a new service, they also have to update the process or inform the responsible person to do so. Changing passwords is the most time-consuming part of this process. However, this is unavoidable if you want to make sure that the former employee really has no more possibility to access company accounts.
Bonus level: Deactivate services completely
The older and bigger the company is, the more services have accumulated in the meantime. Many of them are not necessarily free of charge, but the prices are rather negligible. Nevertheless, 20, 30 Dollars a month is a lot of money if you do not use the service. Therefore, one should evaluate the list with the services regularly. Doing that it will save you money and at the same time to purify the offboarding of course.
It needs the ultimate password tool
Of course, the optimum would be a tool that automatically takes over the above-mentioned tasks. This would have integrated the most common services and the password administration would be done automatically. Included would be changing of passwords, although the user should not see them. Additionally, an assignment to teams would also be part of it. Unfortunately, I have not found such a service yet, but one should not give up hope.