Password managers for marketing teams

Originally posted at:

If you use any digital devices, you really should be using a password manager. If you’re not, stop reading this post, go get yourself set up, and then come back.

In this post I’ll focus on lessons I’ve learned while working with a password managers in a work setting, specifically in marketing. The point of the exercise is to create a team-wide setup that secures your company’s online accounts to the highest degree possible while still enabling collaboration within the Marketing team.

I’m an avid 1Password user so you’ll likely feel that throughout this post. There may be other password managers that have an equally good mix of UX, features and security model. I just don’t happen to use those.

Understanding user models

Scenario 1: Each user has a set of login credentials and they can belong to an organization of users

Examples: LinkedIn and Facebook company pages.

Note: Remind your team that it’s actually a bad idea for them to share their individual logins in a team setting in this case.

Scenario 2: Multiple users sharing a single account’s credentials

Examples: Instagram and Twitter company pages.

Let’s talk features

True multiuser setup

Two-factor authentication

For the saved websites/apps: This is something few password managers handle well but it’s critical! You should set up 2FA everywhere possible. This lets you have your cake and eat it too. You can enjoy great security on your accounts but still share the credentials with your team. This is much better than SMS-based 2FA in two ways. Firstly, from a security standpoint SMS-based 2FA is less secure due to SIM hacking. Secondly, it’s impractical in a team because only one phone will receive the one-time password.

Some might argue that storing the 2FA one-time password in your password manager is bad form. I disagree. A good password manager will do a better job of alerting you to a new/suspicious login than most, if not all other services. The deterrent you put up by using 2FA on your accounts generally outweighs the danger of storing the 2FA inside the password manager itself, in my humble opinion. Remember, there’s no such thing as perfect security but making your accounts just a little harder to hack than the next person’s is enough to deter most hackers.

Granular access control

Different password managers will allow for different granularity of access control (usually increasing granularity comes with a higher price tag). But remember that a lot of granularity can also be a headache to manage. Strike the right balance here by trial-and-error.

Active directory

Payment details

My recommendation: Have a clear talk with your team and let them know that they should be extra careful with those accounts. Anything that mentions “upgrade”, “bid”, “subscribe” or similar keywords that imply spend should raise red flags. Even unintentional misuse can have financial consequences for the company. This is a great time to make use of that access control.

Periodic session purging

When a team member leaves the company

Sharing with users outside the password manager

Some password managers, like 1Password, support guest users with limited access rights. Alternatively, share those passwords with those folks via an end-to-end encrypted channel like WhatsApp, iMessage, Signal or Telegram. Avoid email or enterprise chat services like Slack, Microsoft Teams or Skype, because those services aren’t end-to-end encrypted. Essentially, those companies could decrypt your messages and thereby gain knowledge of your account credentials, however unlikely that is.

A word on training

It helps to choose a password manager with a great support system. 1Password and LastPass both check this box, as I’m sure many others do.

Growth Strategist, B2B Marketer, Podcaster, Technology Geek

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store