Organising Company Service Accounts & Managing Associated Passwords16 January 2018
When you start a company you sign up for a never-ending amount of online services and utilities. Bitbucket, GSuite, a CRM, an accounting package. These days the list goes on and on. When there is only you, the founder(s), it is easy to not give a thought about how you sign up for these services or accounts. But, you should for many reasons.
The main issue is availability. Bob Smith is a founder and signs up for some services with email@example.com. He starts to use the services and grows his business. Awesome! A little while into the future and one of Bob’s new employee’s needs to get access to one of the services, urgently. Unfortunately, Bob is on site for a customer and is unreachable. This is not ideal and it gets worse over time. What if the person whose email is used to access vital services leaves? You can see how this could be disastrous.
The solution? I have always found that creating a generic email group and using that is the answer. services@ or operations@ are good options. Ensure that your group contains your current senior team members. Then junior members know to approach their seniors for passwords when needed. Create a core HR policy stating that all services for core business operations use that email account. Then enforce it. Make it a core, cultural, pillar. Instil it in all your new hires.
The next thing to consider is how you manage the passwords associated with all the accounts. There is a host of password managers out there and I am not going to tell you which to use. Some have super useful features but a lot also have been compromised. So do your research and decide on the risk to your business should your passwords be compromised or go offline. Also, think about how you would handle a manager service going offline.
My current approach is to use KeePass to generate and store passwords on a synced drive. There are a few useful sync tools such as Dropbox and Bit Torrent Sync for sharing the KeePass file. The file itself is encrypted using AES and Twofish encryption. This is good enough for US Federal Government. When you create your password file you secure it with a password. That is then the only password you need to share amongst your team. I always make it a stupid phrase based on a shared TV show or song.