I walked into an office and saw a Post-It note on a monitor. On it was a login and password for the accounting software.

The password was "Accountant2024!" which was reasonably secure (for a password) but absolutely not secure for something that three people, a contractor, and a former employee all knew.

When I asked why the password was on a note, the answer was immediate: "Because everyone needs to get in and we were tired of calling around asking for it."

This is how small businesses accidentally build security theater: the passwords are strong, the software requires two-factor authentication, the backups are encrypted. And the actual access key is taped to a desk.

Why businesses do this

Because the alternative seems worse. If you need everyone on your team to be able to access a tool, and you don't have a system that lets you make individual accounts, then you have a choice:

The first business I audited with this problem was using the second option. The password was literally taped to the monitor. It had been changed exactly twice in four years.

What can go wrong

A lot.

A former employee still has access. They don't need anything — they just haven't bothered to give the password back. But if they get angry, if they have a grudge, if they just want to cause problems, they can change settings. They can see financial data. They can delete things.

A contractor finishes their project and keeps the password "just in case they need to reference something." Now you're paying a software subscription and someone outside your organization has a key.

Someone leaves their laptop in a coffee shop. A third party sits at an unattended desk. The password is right there.

You get compromised and you have no way to know who did it. The activity log shows the shared account, which could have been anyone. You can't trace it. You can't prove what happened.

The liability problem

If you get breached and you're using a shared login, your insurance might not cover it. Your compliance obligations are murky. You're explaining to a client "yes, someone outside our organization had the password" and hoping they believe it was never used.

What actually fixes it

You need:

  1. Individual accounts for everyone who needs access. Not a share. Not "just one login for the team." Individual login for each person.
  2. A password manager so nobody has to remember anything. 1Password, Bitwarden, Dashlane. Everyone gets their own secure password. The manager handles it.
  3. A clear "who leaves, access comes off" policy. When someone leaves, their account gets deactivated. Not immediately (they might need to hand off for two weeks), but on day one of departure notice, their access goes on a timer to be reviewed and removed.
  4. For contractors, a different approach. Contractors shouldn't have permanent accounts. Either they get a time-limited account that expires, or they don't get direct access — they work with someone on staff who has access and logs in for them.

This isn't technical. This is a process.
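Even so, the four rules above are easy to check mechanically. The script below is an added example, not something from the post or any product it names: it runs a periodic access review over a constructed roster and flags shared logins, departed employees whose hand-off window has passed, and contractor accounts with no expiry or an expiry that has lapsed. The account fields, names, dates and the 14-day hand-off window are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

HANDOFF_DAYS = 14  # assumed hand-off window; the post says "two weeks"

@dataclass
class Account:
    username: str
    owner: Optional[str]            # None: nobody owns it, i.e. a shared login
    kind: str                       # "employee" or "contractor"
    active: bool
    departure_notice: Optional[date] = None   # day an employee gave notice
    expires: Optional[date] = None            # contractor account expiry

def review(accounts, today):
    """Return (username, finding) pairs for every active account that breaks a rule."""
    findings = []
    for a in accounts:
        if not a.active:
            continue  # already switched off; nothing to do
        if a.owner is None:
            findings.append((a.username, "shared login: activity cannot be tied to a person"))
        if a.kind == "employee" and a.departure_notice is not None:
            due = a.departure_notice + timedelta(days=HANDOFF_DAYS)
            if today >= due:
                findings.append((a.username, f"departed employee still active; removal was due {due}"))
        elif a.kind == "contractor":
            if a.expires is None:
                findings.append((a.username, "contractor account with no expiry date"))
            elif today > a.expires:
                findings.append((a.username, f"contractor account expired {a.expires} but still active"))
    return findings

# Constructed sample roster and review date; names and dates are made up.
REVIEW_DATE = date(2024, 3, 25)
SAMPLE = [
    Account("accounting", None, "employee", True),                                   # the Post-It login
    Account("alice", "Alice", "employee", True),                                     # fine
    Account("bob", "Bob", "employee", True, departure_notice=date(2024, 3, 1)),      # hand-off window over
    Account("carol", "Carol", "employee", True, departure_notice=date(2024, 3, 20)), # still handing off
    Account("dave-ctr", "Dave", "contractor", True, expires=date(2024, 2, 28)),      # expired, never disabled
    Account("erin-ctr", "Erin", "contractor", True),                                 # "just in case" access
    Account("frank-ctr", "Frank", "contractor", False, expires=date(2024, 1, 1)),    # correctly disabled
]

if __name__ == "__main__":
    for user, finding in review(SAMPLE, REVIEW_DATE):
        print(f"{user}: {finding}")
```

Run it from a calendar reminder or a cron job against whatever roster you keep (a spreadsheet export is enough); the point is that the review happens on a schedule, not when someone remembers.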

The thing that usually happens

Most small businesses don't have this set up because "password manager" and "access policies" sound like enterprise IT stuff.

They're not. This is five boring decisions:

Once you've made those decisions, the only maintenance is: when someone new comes in, give them access. When someone leaves, turn it off.

That's it.

Access and security setup is part of the full tech stack work I do. Start here.