The Bitwarden Blog

Secure password sharing for teams

authored by: Bitwarden

Passwords are essential for businesses and individuals to function in the modern era. Protecting confidential information and preventing a data breach are critical reasons to ensure passwords are managed securely. Given the number of bad actors out there, passwords must be secure and saved in an encrypted vault.

As an individual, that’s pretty easy to manage. For teams, however, things require a bit more coordination. When users need to share passwords among departments or teams, every person involved must follow best practices to ensure those credentials don’t fall into the wrong hands.

For secure password sharing and management, use a reputable password manager that offers robust encryption and features for safely storing passwords, credit cards, and other sensitive information. Business-focused password managers also offer centralized control, management, and oversight of sharing, vault health, and more. Read on to learn about important best practices for sharing passwords with teams.

Foster secure password sharing with a password manager

Using a password manager should be an obvious best practice. However, some businesses have yet to adopt a password manager for sharing among teams. Companies have been known to keep a spreadsheet containing app/service/account credentials on a shared drive.

That is a risky decision.

Instead, whenever a password needs to be shared with a team, it should be done via a password manager. All business-grade password managers should contain features that allow users to easily and securely share passwords among teams. Password managers like Bitwarden not only make it easy to share passwords with a team, but they also offer helpful features such as shared folders, granular access controls, and single sign-on.

Only share passwords that are absolutely necessary

Users should only share passwords that are necessary for their team to use. It might be tempting to store every password a business uses in a shared vault, but that is not only inefficient; it also fails to enforce least-privilege access. Password managers can restrict access and limit the sharing of secrets, ensuring that only employees who require specific credentials can access them. This matters especially for credentials that should be restricted to management.

Only create shared passwords within Collections

Organizations may take a less secure path of simply storing all their team passwords or other sensitive information in a single location, but that would be inadvisable. Instead, they should separate those teams into Collections and make sure to isolate the passwords on a per-Collection basis. This approach helps restrict access to secrets by ensuring only authorized team members can view or manage sensitive information within each Collection. For example, organizations might have teams for DEV, MANAGEMENT, OPS, and STAFF. Create Collections for each group and add only the passwords each group needs to the corresponding Collections.

Reset shared passwords when someone leaves the company

While this one should be fairly obvious, it can fall by the wayside during transition periods.

No matter how strong the passwords are, if someone leaves the company, it is time to rotate all the shared passwords. Revoke the departing employee's access to confidential information and secrets immediately to prevent unauthorized access. Never leave this up to chance. Even if those passwords are very strong, the organization never knows whether the person who is no longer a member of the team or company wrote them down, or took a screenshot and sent the image to themselves, which would let them access sensitive information later on.

As soon as a team member leaves the company, it is important to change every password they had access to. For this reason, it’s essential to have proper auditing, event logs, and access reports, so that a list of passwords accessed by that team member is readily available to the IT team.
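As an added illustration of the offboarding step above (example code, not Bitwarden's own), the following script derives a departing member's rotation list from an access report (Collection membership) and an event log, and flags logged accesses that fall outside their current entitlements. The Collection names follow the DEV/MANAGEMENT/OPS/STAFF example; the user names, item names, and record layout are constructed assumptions.

```python
# Added example (not Bitwarden's code): rotation list for a departing member from
# an access report and event log; all data is constructed sample data (assumed shape).

# Constructed access report: members of each Collection (DEV/OPS/MANAGEMENT/STAFF).
COLLECTION_MEMBERS = {
    "DEV": {"alice", "bob"},
    "OPS": {"bob", "carol"},
    "MANAGEMENT": {"dana"},
    "STAFF": {"alice", "bob", "carol", "dana"},
}

# Constructed: shared credential items stored in each Collection.
COLLECTION_ITEMS = {
    "DEV": {"github-deploy-key", "staging-db"},
    "OPS": {"staging-db", "prod-db", "cloud-console"},
    "MANAGEMENT": {"payroll-portal"},
    "STAFF": {"wifi-guest", "helpdesk"},
}

# Constructed event log, one "<timestamp> <user> <event> <item>" record per line.
EVENT_LOG = """\
2024-03-01T09:12:00Z bob viewed prod-db
2024-03-02T10:05:00Z bob copied_password github-deploy-key
2024-03-03T08:30:00Z alice viewed staging-db
2024-03-04T14:45:00Z bob viewed payroll-portal
"""

def entitled_items(user):
    """Items the user could reach through Collection membership (access report)."""
    return {item for coll, members in COLLECTION_MEMBERS.items()
            if user in members for item in COLLECTION_ITEMS.get(coll, ())}

def accessed_items(user, log=EVENT_LOG):
    """Items the event log shows the user actually viewed or copied."""
    items = set()
    for line in log.splitlines():
        _ts, who, _event, item = line.split()
        if who == user:
            items.add(item)
    return items

def unexpected_access(user):
    """Logged accesses outside current entitlements: a stale or over-broad grant
    that the rotation list must still cover and that is worth investigating."""
    return accessed_items(user) - entitled_items(user)

def rotation_list(user):
    """Everything to rotate: what they could reach plus what they are logged reaching."""
    return sorted(entitled_items(user) | accessed_items(user))
```

Taking the union of entitlements and logged accesses matters because a permission that was later removed still leaves the credential exposed; in the sample data, bob's logged view of the MANAGEMENT-only item is exactly such a case.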

Require a random password generator to be used for all passwords

Do not allow team members to create passwords without using a random password generator. Not only does this feature guarantee that strong and unique passwords will be used, but it’ll also save time when team members aren’t tasked with creating complicated passwords. Regularly generating strong passwords is essential to reducing security risks and ensuring all accounts are protected.

This should be a mandatory policy for all team members.

Require users to employ strong master passwords

When businesses allow team members to use their own logins for Organization vaults, they need a policy in place that requires those master passwords to be hard to guess. This strengthens the overall security posture of the company, which is essential given that most businesses handle sensitive information. Strong master passwords help ensure secure access to vaults containing secrets and confidential information, reducing the risk of unauthorized exposure.

Businesses that need to transmit sensitive information should consider password managers that offer tools enabling secure sharing via text, email, or another communication channel. For example, Bitwarden offers Bitwarden Send, a secure and ephemeral way to transmit text up to 1000 encrypted characters or files up to 500 MB (or 100 MB on mobile). Every Send is given a randomly generated and secure link that can be shared with anyone, including those who may not have a Bitwarden vault. Users can set a link expiration to control how long the shared information remains accessible and optionally add a password to access the link for additional protection. This feature enables users to securely share secrets and credit card details, ensuring that sensitive data is protected and accessible only for a limited time.

Require two-factor authentication when handling sensitive information

Finally, all enterprise password manager logins should employ two-factor authentication. This is especially important if teams will be accessing the password manager outside of the company network: team members may be working on an insecure wireless network or on a computer that non-team members can access. Although two-factor authentication is not a perfect defense, it adds a layer that stops many attackers from gaining access to a password vault with a stolen password alone.

This shortlist of best practices may not apply to every situation, but it is fairly universal. If a company is already sharing passwords among teams, it should work these best practices into the mix. If businesses are about to start sharing passwords among teams and/or departments, they should use these tips as the basis for creating a set of best practices that can help keep their passwords and other sensitive information from prying eyes.

Get started with Bitwarden

Ready to implement secure password sharing with Bitwarden? Sign up for a free individual account, or get started with a 7-day free trial for your business.

Start your journey to secure password management