BG Beter Geregeld ICT
Access management · 2 min read · 25 December 2025

Shared passwords: how to manage them without the headache

That one admin login for the domain registrar, the social media accounts, the customer portal. Three people know those passwords, and sharing them via a spreadsheet is asking for trouble. Here's how to do it right.

Some accounts have no single "owner": the master account of your domain registrar, the Twitter/X company login, the customer support inbox. These accounts need to be accessible to 2–5 people. How do you handle that securely?

Rule 1: put them in a vault

Never in a spreadsheet, never in an email, never in a Notion page. Always in 1Password, Bitwarden, or a dedicated in-app vault such as AccessGuard Vault, which supports per-user ACLs and an audit log of every decryption.

Rule 2: an explicit access list

For each shared account, record who is allowed to access it. Less is more. A social media account can easily be managed by just 2 people; there is no reason the entire company needs access.

Rule 3: rotate on change

The moment someone is removed from the access list, change the password. See offboarding step 3. No exceptions. Otherwise you are left with an account whose password a former colleague still knows.

Rule 4: MFA wherever possible

Shared accounts need MFA too. Modern authenticator apps (Authy, 1Password) support shared tokens. Hardware tokens also work, but they require a physical handover process.

Rule 5: audit log

Who accessed the password, and when? If you cannot demonstrate this, you will not be able to determine whether misuse occurred during an incident. Every serious vault logs this.
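The check that Rules 2, 3 and 5 make possible, as an added example (not from the original article or from any vault vendor): replay access-list changes and vault audit events on one timeline, then flag removals that were never followed by a rotation and decryptions by people who are not on the list. The event schema, account names and user names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample timeline. The tuple layout (ts, account, actor, action, target)
# is an assumption for this example, not the export format of any real vault.
# grant/revoke = changes to the recorded access list; decrypt/rotate = vault audit log.
EVENTS = [
    ("2025-11-03T09:00", "registrar-master", "admin", "grant", "anna"),
    ("2025-11-03T09:01", "registrar-master", "admin", "grant", "bram"),
    ("2025-11-10T14:20", "registrar-master", "bram", "decrypt", None),
    ("2025-11-28T17:00", "registrar-master", "admin", "revoke", "bram"),
    ("2025-12-02T08:15", "registrar-master", "anna", "decrypt", None),
    ("2025-11-05T10:00", "social-x", "admin", "grant", "anna"),
    ("2025-11-05T10:01", "social-x", "admin", "grant", "chris"),
    ("2025-11-20T11:00", "social-x", "admin", "revoke", "chris"),
    ("2025-11-20T11:05", "social-x", "anna", "rotate", None),
    ("2025-12-01T23:40", "social-x", "chris", "decrypt", None),
]

def audit(events):
    """Replay events in time order; return (account, finding, user) tuples."""
    acl = defaultdict(set)      # account -> users on the access list (Rule 2)
    pending = defaultdict(set)  # account -> users removed since last rotation (Rule 3)
    findings = []
    # ISO 8601 timestamps sort correctly as plain strings.
    for ts, account, actor, action, target in sorted(events, key=lambda e: e[0]):
        if action == "grant":
            acl[account].add(target)
        elif action == "revoke":
            acl[account].discard(target)
            pending[account].add(target)   # this person still knows the password
        elif action == "rotate":
            pending[account].clear()       # old password is now worthless
        elif action == "decrypt" and actor not in acl[account]:
            # Rule 5: the audit log shows access the recorded list does not allow.
            findings.append((account, "decrypt_by_non_member", actor))
    for account, users in pending.items():
        for user in sorted(users):
            findings.append((account, "rotation_overdue_after_removal", user))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(finding)
```

In the sample, `social-x` was rotated after the removal but the vault still let the removed user decrypt, while `registrar-master` was never rotated after its removal.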

What does NOT work

  • One person who knows all the passwords, with a "backup" written on paper in a safe.
  • A spreadsheet on SharePoint containing "all credentials" — even if it is password-protected.
  • Everyone-can-see-everything vaults. ACLs are your friend.

See also: privileged access management, choosing a password manager.

Topics

#security #password-management #vault

Full guide: Access control for SMEs: the complete guide (2026)

This article is part of our comprehensive Access management guide. Read the pillar page for the complete picture.
