Most campaigns have online accounts that are used by multiple people. Typically, these shared accounts could be used for many purposes, such as responding from an info@campaign account, sending an outbound email to supporters, managing one of a candidate’s multiple campaign email accounts, accessing a website for editing, or posting on social media.
You’ve probably heard the standard cybersecurity advice that passwords should never be shared. However, for campaigns, that just doesn't work in all cases.
Here’s how to secure shared accounts:
- Wherever possible, accounts shared by multiple team members should be protected by strong authentication with security keys: While the password for some shared accounts will have to be known by everyone who has access, using a security key or some form of multifactor authentication will greatly increase security. If a staffer leaves, the keys they have registered to the account can be disabled and their access revoked without changing the password.
- Manage Privileges: On some accounts, you can assign specific roles to people that match the work they are doing. For example, on Facebook, people share account access through their personal Facebook account that then gets linked to the campaign page. You can specify what they can do with their access. They can be an administrator (manage all aspects of the page), or an editor, moderator, advertiser, or analyst. To see who is connected to the account and their privileges, go to the page's settings and click on page roles. Make sure to delete them if they leave the campaign or when the campaign is over.
- Is there another way to accomplish tasks without access?: Maybe you don’t need to grant access at all. For example, if someone is assigned to answer info@campaign's inbound emails, would it make sense for them to answer the emails from their own email account? If so, the inbound email could be forwarded to them instead of granting access.
- Use good password practices: If passwords are the only option for securing an account, then you need to use good password practices with long, strong, and unique passwords. If a staffer leaves, you will need to change the password to restrict future access. Share passwords only with people who need them, and only through a secure channel like encrypted communications.
- Manage your users: Keep track, even on a simple spreadsheet, of who has access to what accounts. And, of course, be sure to keep that spreadsheet stored securely inside an account that requires a security key.
Learn More: DDC's Account Protection Hierarchy, What is a Physical Security Key?