If I asked who had a set of keys to your home, I suspect you would give me a short list of trusted people without having to think too hard. If I asked who knows your banking PIN I’d imagine the list would be shorter still; maybe a partner of spouse, but probably no-one outside of your immediate household. Our login credentials are the keys to our digital lives, and certain credentials open up our business to risks at least as serious as our banking PINs do. Yet, we all have a tendency to be far more relaxed about sharing them and reluctant to “change the locks” despite how easy this is to do.

Over the years I have delivered a number of “rescue projects” to businesses who have somehow lost control of part of their digital business through some lapse in credential management. On one occasion this was a result of a deliberate bad-actor obtaining and changing those details. More commonly it has been the result of details being lost as trusted team members leave a business or the credentials being held by a third party (No one wants their domain name held to ransom by a disgruntled supplier).

Thankfully these rescues have always been successful. Some have been slow and time-consuming, but I have always managed to get the details back. It is though very easy to imagine situations where that isn’t the case. The issue is certainly common enough to have given rise to entire industries of expired domain squatting, hacked domain spamming and more.

These issues are all easily preventable. A few hours collating and organising credentials is all it takes to significantly reduce the risk of such problems for most small businesses. Below I prioritised steps to do exactly that:

Critical credentials

Certain systems are the gateway to others. At the top of that pile is your company’s domain name. Whoever controls your domain name controls your entire digital presence, having control to redirect website, email and more.

Domain name : The most critical piece. Your business should control its own domain name through a login to a trusted registry. That login should give you access to set the Name Servers for that domain. If it doesn’t do that you don’t have control. The account should use a valid email address that is monitored and should be protected by two-factor authentication. Auto renews should be enabled if possible. My top tip is to check your domain expiry date today and add a task in your calendar or task management system for two-weeks before to check all details, including payment details. Expiry dates can be checked here.

CDN – Content Delivery Network :  CDNs sit between your domain name and your hosting/email so hold a lot of power. Despite the critical role they play, they are incredibly easy to implement so are often done so by a single technical person in a company. This means that it is not uncommon for credentials to be lost over time as teams change.

Email server : Email server credentials are slightly lower down on my list than domain & CDN, but not much. Email is the de facto password reset method for most systems. That means that a bad actor getting access to an email account has a way into numerous other systems. Most digitally minded small businesses now either use a Cloud service like Outlook or Google Workspace for their email, or just have email provided through their website hosting. As such, access to ultimately manage all email is often through a single login.

Website hosting : Hosting is the other critical element that provides access to numerous systems. To “control the hosting” for most companies means knowing who the host is, having logins and keeping contact details up to date.

Google account : It’s a good idea to have a single Google account that is the “owner” for the business in Google’s eyes, rather than having staff members set services up under their own accounts. Google accounts give access to a number of key systems from Google Search Console (which can literally control whether our websites appears in search or not) to ad campaigns, Analytics and more. Having a single account as the owner that then grants access to other users as needed keeps that overall control within the business.

Other key systems

When we stop to take stock, most businesses will have dozens, or even hundreds of other systems and logins they rely on. The list changes from company to company, encompassing social media, payment gateways, email list providers, SAAS tools, internal systems and so much more. Without a proper strategy in place we are mostly relying on luck and the good nature of people we work with to keep our business secure.

Tips for better credential management

Use two-factor authentication

Two-factor authentication (or 2fa) means adding an additional element to the login beyond just an email and password. Ideally this is the code from an authenticator app, but text messages are also commonly used (not as secure, but often more convenient). Using 2fa means that just knowing your username and password is not enough to gain access. This provides additional security on a number of fronts, but one I think is particularly relevant to businesses is lowering the risk from logins having been shared with old members of staff and old suppliers.

Don’t rely just on two-factor authentication

2fa is great for protecting against unauthorised logins, but no help when it comes to other issues like lost logins. Having 2fa on your domain name account is definitely advised, but won’t help if the domain was registered through a third party who’s name no one can remember and may have since gone out of business.

Use role based emails

I am a big fan of setting up role based emails for these types of credentials. Having a domain alias of [email protected] rather than using [email protected] removes the need to update hundreds of logins when Jane suddenly leaves under a cloud and joins a competitor. You just update the email alias so that techadmin@ points to Jane’s successors email instead.

Reset passwords after sharing

Its inevitable that we have to occasionally share credentials outside the company. Pesky consultants (myself included) frequently kick off with a list of systems they need access to. Where possible they should be added as a new user with permissions restricted to only what they need to do the work. This allows that account to then be neatly removed again when the work is complete. Where logins have to be shared, the password should be changed again when work is completed. This is particularly important if 2fa isn’t being used or gets disabled. Good practice is to log a task to do this as soon as details are shared.

Have an offboarding plan

Team members and outside contractors do inevitably get logins. Having a system in place to catch and remove those when the relationship ends is good practice. I’m pretty sure that I could test logins I was given 10 years ago and they still work (The need to regularly update passwords is a topic for another blog).

Use a password manager

All of this becomes much easier if you use a password manager. A good team-focused password manager can help manage access, ensure use of secure passwords, keep them updated and help inform you if any get compromised. I use Dashlane, which I really rate, but I used LastPass for team password management for years without complaint and I know plenty of people who swear by 1password, bitwarden, keepass or others. Which you use is less important than using one.

What to do about this now

If you have made it this far down what has turned into a long post, then I have hopefully persuaded you of the need to take this seriously. The good news is that you can action this advice in less time than it has taken you to read this far. Start by reviewing the list of frequent Critical Credentials at the top of the post. Check these today. Then pick a date to review things fully. Put that in your diary but make is a recurring event, repeating at least annually. Paste a link to this blog post in that event!