If you share an account by sharing the password, the account could be stolen by anyone entrusted with the password, or discovered by a malicious actor if any one of those individuals falls for an attack. To make matters worse, sharing an account makes it much harder to use two-factor authentication (2FA) to protect it. It also makes it difficult to detect an account compromise, since everyone who uses it will become accustomed to seeing login notifications from other users. If you ever need to change the password, you’ll need to update it with everyone who uses the account.
Many email and social media platforms allow you to create campaign or business accounts that can be managed by delegating to individual accounts. This setup allows users to log into their individual accounts, and post, tweet, or email as the campaign account, without allowing them to sign into the account directly, or requiring them to know the campaign account’s password. Direct use of the campaign account can then be limited to managing the permissions given to the individual accounts. The delegated account and each of the individual accounts that have permissions to manage it should have 2FA set up on them.
In the guides linked below, we discuss how to set this up for the most common types of accounts:
Need to share an account for a site that is not included in the guides linked above? Try doing a web search for “sharing account without sharing password” and the name of the site, or contact Campaign Helpdesk for assistance.
If the account you're managing doesn't allow for delegation, and sharing passwords is your only option, there are still steps you can take to protect it.